Detectionmediumexperimental

DMSA Service Account Created in Specific OUs - PowerShell

Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Swachchhanda Shrawan Poudel (Nextron Systems)Created Sat May 2402122374-b74e-495c-b285-9e4da973f3d6windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

akamai.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0001 · Initial Access TA0005 · Defense Evasion TA0003 · Persistence

Techniques

T1098 · Account Manipulation

Sub-techniques

T1078.002 · Domain Accounts

Related Rules

Similar

e15bc294-ae2a-45ad-b7d6-637b33868bde

Rule not found

SimilarDetectionmedium

New DMSA Service Account Created in Specific OUs

Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

02122374-b74e-495c-b285-9e4da973f3d6

Status

experimental

Level

medium

Type

Detection

Created

Sat May 24

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml

Raw Tags

attack.privilege-escalationattack.initial-accessattack.defense-evasionattack.persistenceattack.t1078.002attack.t1098

View on GitHub