Rule Library

Sigma Rules

101 rules found for "attack.T1078"

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting
Detection · medium · experimental

DMSA Service Account Created in Specific OUs - PowerShell

Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. Using the cmdlet to create a dMSASvc account in a specific OU is highly suspicious: this pattern is consistent with an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

Windows · PowerShell Script
TA0004 · Privilege Escalation, TA0001 · Initial Access, TA0005 · Defense Evasion, TA0003 · Persistence, +2
Swachchhanda Shrawan Poudel (Nextron Systems) · Sat May 24 · windows
Detection · low · experimental

DMSA Link Attributes Modified

Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could indicate an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

Windows · PowerShell Script
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, TA0003 · Persistence, TA0001 · Initial Access, +2
Swachchhanda Shrawan Poudel (Nextron Systems) · Sat May 24 · windows
Detection · medium · experimental

New DMSA Service Account Created in Specific OUs

Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. Using the cmdlet to create a dMSASvc account in a specific OU is highly suspicious: this pattern is consistent with an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

Windows · Process Creation
TA0004 · Privilege Escalation, TA0001 · Initial Access, TA0005 · Defense Evasion, TA0003 · Persistence, +2
Swachchhanda Shrawan Poudel (Nextron Systems) · Sat May 24 · windows
Detection · medium · test

Password Provided In Command Line Of Net.EXE

Detects when net.exe is called with a password in the command line.

Windows · Process Creation
TA0005 · Defense Evasion, TA0001 · Initial Access, TA0003 · Persistence, TA0004 · Privilege Escalation, +3
Tim Shelton (HAWK.IO) · Thu Dec 09 · windows
Emerging Threat · medium · experimental

Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)

Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.

Windows · Process Creation
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +3
Swachchhanda Shrawan Poudel (Nextron Systems) · Mon Oct 20 2025