Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
committed by
GitHub
parent
56a58e1ee6
commit
2f84ca2f16
+40
@@ -0,0 +1,40 @@
title: msDS-ManagedAccountPrecededByLink Attribute Modified
id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd
related:
- id: 9b111d8e-92e0-4153-88bc-daefc1333aba
type: similar
status: experimental
description: |
Detects modifications to the msDS-ManagedAccountPrecededByLink attribute, which may indicate an attempted or successful abuse of the BaD-Successor msDS-DelegatedManagedServiceAccount (DMSA) vulnerability.
The DMSA is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
Changes to this attribute by suspicious accounts or outside of normal administrative workflows are a strong signal of an attempted or successful abuse.
If it is indeed modified by an account that is not typically responsible for such changes, it could indicate an attempt to exploit the BaD-Successor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.defense-evasion
- attack.persistence
- attack.t1078.002
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection:
EventID: 5136
ObjectClass: 'msDS-DelegatedManagedServiceAccount'
AttributeLDAPDisplayName: 'msDS-ManagedAccountPrecededByLink'
filter_main_legitimate_accounts:
# Exclude modifications made by the system or legitimate administrative accounts
- SubjectAccountName: 'SYSTEM'
- SubjectAccountName|expand: '%Administrators%' # Add all members of the Administrators group to this placeholder
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
# The level is set to medium because while this is a significant event, it may not always indicate malicious activity. It requires further investigation to determine the context and intent behind the modification.
level: medium
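Review bot: the `SubjectAccountName|expand: '%Administrators%'` filter depends on a placeholder mapping that is not shipped with the rule; until a consumer defines `%Administrators%`, the expanded filter either fails to convert or matches nothing, so every admin-driven change to `msDS-ManagedAccountPrecededByLink` will alert. Consider documenting the required mapping in `definition` or dropping the placeholder and keeping only the `SYSTEM` exclusion. Two smaller points: the description spells the technique `BaD-Successor` twice while the PR title, the other rules and the reference URL use `BadSuccessor`; and since the description already names "normal administrative workflows" as the legitimate case, `falsepositives` should say that instead of `Unknown`.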
@@ -0,0 +1,42 @@
title: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
id: e15bc294-ae2a-45ad-b7d6-637b33868bde
related:
- id: 02122374-b74e-495c-b285-9e4da973f3d6
type: similar
- id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
type: similar
status: experimental
description: |
Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025.
The msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
Attackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment.
It is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows.
So, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.
references:
- https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.defense-evasion
- attack.persistence
- attack.t1078.002
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection:
EventID: 5137
ObjectClass: 'msDS-DelegatedManagedServiceAccount'
filter_main_legitimate_accounts:
# Exclude modifications made by the system or legitimate administrative accounts
- SubjectAccountName: 'SYSTEM'
- SubjectAccountName|expand: '%Administrators%' # Add all members of the Administrators group to this placeholder
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
# The level is set to medium because while this is a significant event, it may not always indicate malicious activity. It requires further investigation to determine the context and intent behind the modification.
level: medium
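Review bot: the reference URL in this rule (`.../abusing-dmsa-for-privilege-escalation-in-active-directory`) differs from the one every other rule in this PR cites (`.../abusing-bad-successor-for-privilege-escalation-in-active-directory`); one of the two is probably wrong, so please verify the link before merging. There is also copy-paste residue from the 5136 rule: the filter comment says `Exclude modifications made by ...` and the level comment reasons about "the modification", but this rule fires on EventID 5137, an object creation, so both comments should talk about creation.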
@@ -0,0 +1,38 @@
title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.defense-evasion
- attack.persistence
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: selection
falsepositives:
- Unknown
level: medium
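Review bot: the title and description promise detection "in Specific OUs" / "in a specific OU", but the selection only requires that the `-path` token appears in the script block, so the rule fires for a dMSA created in any OU; either add the OU constraint the description implies or reword title and description to say "with an explicit -Path". The description also refers to a "dMSASvc account", which reads like a sample account name rather than the object class the rule detects (a dMSA), and spells the technique both `BadSuccessor` and `BaDSuccessor` in consecutive sentences. Finally, `falsepositives: Unknown` is hard to reconcile with the fact that `New-ADServiceAccount -CreateDelegatedServiceAccount` with `-Path` is the same invocation an administrator uses for legitimate dMSA creation; listing "legitimate dMSA provisioning by administrators" would set expectations for the `medium` level.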
+32
@@ -0,0 +1,32 @@
title: DMSA Link Attributes Modified
id: 9b111d8e-92e0-4153-88bc-daefc1333aba
related:
- id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
type: similar
status: experimental
description: |
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.persistence
- attack.initial-access
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- '.Put("msDS-ManagedAccountPrecededByLink'
- 'CN='
condition: selection
falsepositives:
- Legitimate administrative tasks modifying these attributes.
level: low
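Review bot: grammar in the description: "could be an indicator an attempt" should read "could be an indicator of an attempt", and since the log source is `ps_script`, "This command line pattern" would be more accurate as "This script block pattern". On the selection, the second term `'CN='` adds almost no selectivity, because practically any distinguished name written through `.Put(...)` contains it; the `'.Put("msDS-ManagedAccountPrecededByLink'` term carries the whole detection, so document that intent in a comment or drop the second term. Style: the tag order here (`defense-evasion`, `persistence`, `initial-access`) differs from the other four rules in the PR; aligning it makes the rule set easier to review side by side.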
@@ -0,0 +1,47 @@
title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.defense-evasion
- attack.persistence
- attack.t1078.002
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'powershell_ise.exe'
selection_cli:
CommandLine|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
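Review bot: same title/logic mismatch as the ps_script rule: "in Specific OUs" is not checked anywhere, `selection_cli` only requires the `-path` token to be present in the command line, so any dMSA creation from a PowerShell host matches regardless of OU. The description is a near-verbatim copy of the ps_script rule, including "dMSASvc account" (here even in the first sentence, where the ps_script variant says "dMSA service account"), the `Cmdlet`/`cmdlet` capitalisation and the `BadSuccessor`/`BaDSuccessor` spelling; since both rules share the text, please fix them together. Because a `level: medium` alert on every `New-ADServiceAccount -CreateDelegatedServiceAccount` command line will include routine administrative provisioning, `falsepositives` should name that case rather than `Unknown`.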