Detection rules › Sigma
New DMSA Service Account Created in Specific OUs
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078.002 Valid Accounts: Domain Accounts |
| Persistence | T1078.002 Valid Accounts: Domain Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078.002 Valid Accounts: Domain Accounts, T1098 Account Manipulation |
| Stealth | T1078.002 Valid Accounts: Domain Accounts |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'powershell_ise.exe'
selection_cli:
CommandLine|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Stages and Predicates
Stage 0: condition
all of selection_*Stage 1: selection_img
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'powershell_ise.exe'
Stage 2: selection_cli
selection_cli:
CommandLine|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|