From 2f84ca2f1652977cd59f48b6556dfc3f6f14fb5a Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Mon, 30 Mar 2026 16:12:13 +0545
Subject: [PATCH] Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules
new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...dification_of_msds_dmsa_link_attribute.yml | 40 ++++++++++++++++
 ...win_security_msds_dmsa_object_creation.yml | 42 +++++++++++++++++
 .../posh_ps_create_new_dmsasvc_account.yml | 38 +++++++++++++++
 ...ps_modification_of_dmsa_link_attribute.yml | 32 +++++++++++++
 ...reation_win_create_new_dmsasvc_account.yml | 47 +++++++++++++++++++
 5 files changed, 199 insertions(+)
 create mode 100644 rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml
 create mode 100644 rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml
diff --git a/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml b/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml
new file mode 100644
index 000000000..4afb6e1bf
--- /dev/null
+++ b/rules-placeholder/windows/builtin/security/win_security_modification_of_msds_dmsa_link_attribute.yml 
@@ -0,0 +1,40 @@
+title: msDS-ManagedAccountPrecededByLink Attribute Modified
+id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd
+related:
+ - id: 9b111d8e-92e0-4153-88bc-daefc1333aba
+ type: similar
+status: experimental
+description: |
+ Detects modifications to the msDS-ManagedAccountPrecededByLink attribute, which may indicate an attempted or successful abuse of the BaD-Successor msDS-DelegatedManagedServiceAccount (DMSA) vulnerability.
+ The DMSA is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
+ Changes to this attribute by suspicious accounts or outside of normal administrative workflows are a strong signal of an attempted or successful abuse.
+ If it is indeed modified by an account that is not typically responsible for such changes, it could indicate an attempt to exploit the BaD-Successor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
+references:
+ - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.t1078.002
+ - attack.t1098
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+detection:
+ selection:
+ EventID: 5136
+ ObjectClass: 'msDS-DelegatedManagedServiceAccount'
+ AttributeLDAPDisplayName: 'msDS-ManagedAccountPrecededByLink'
+ filter_main_legitimate_accounts:
+ # Exclude modifications made by the system or legitimate administrative accounts
+ - SubjectAccountName: 'SYSTEM'
+ - SubjectAccountName|expand: '%Administrators%' # Add all members of the Administrators group to this placeholder
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+# The level is set to medium because while this is a significant event, it may not always indicate malicious activity. It requires further investigation to determine the context and intent behind the modification.
+level: medium
diff --git a/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml b/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml
new file mode 100644
index 000000000..dd580cb96
--- /dev/null
+++ b/rules-placeholder/windows/builtin/security/win_security_msds_dmsa_object_creation.yml
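Review bot: The `definition` string under `logsource` lists Account Management > Audit User Account Management, but event 5136 is produced by the DS Access > Audit Directory Service Changes subcategory alone, and it only fires when the object (or an ancestor OU) carries a SACL that audits property writes; the default domain SACL covers this, but OUs set up with custom ACLs may not, so I would trim the definition to the DS Access subcategory and append `, plus a SACL auditing Write All Properties on the dMSA objects/OUs (5136 is silent without one)`. The `%Administrators%` placeholder needs a guard rail: BadSuccessor is exploitable by any principal with CreateChild/write rights on an OU, so OU-delegated operators are exactly the population this rule must keep in scope, and a comment such as `# Do not add OU-delegated admins here; they are the BadSuccessor threat model` would stop the placeholder from being over-filled. The description's gloss of dMSA as a way to "delegate the management of service accounts to other users or groups" reads as a misinterpretation of the name; as I understand the feature, it migrates a legacy service account into a managed one and the superseded account's DN is what msDS-ManagedAccountPrecededByLink holds, which is precisely why a write to it is the signal, so that sentence is worth rewording. The `BaD-Successor` spelling used twice here also differs from the `BadSuccessor` in the PR title and the other rules.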
@@ -0,0 +1,42 @@
+title: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
+id: e15bc294-ae2a-45ad-b7d6-637b33868bde
+related:
+ - id: 02122374-b74e-495c-b285-9e4da973f3d6
+ type: similar
+ - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
+ type: similar
+status: experimental
+description: |
+ Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025.
+ The msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
+ Attackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment.
+ It is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows.
+ So, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.
+references:
+ - https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.t1078.002
+ - attack.t1098
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
+detection:
+ selection:
+ EventID: 5137
+ ObjectClass: 'msDS-DelegatedManagedServiceAccount'
+ filter_main_legitimate_accounts:
+ # Exclude modifications made by the system or legitimate administrative accounts
+ - SubjectAccountName: 'SYSTEM'
+ - SubjectAccountName|expand: '%Administrators%' # Add all members of the Administrators group to this placeholder
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+# The level is set to medium because while this is a significant event, it may not always indicate malicious activity. It requires further investigation to determine the context and intent behind the modification.
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml b/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml
new file mode 100644
index 000000000..d8f4d1654
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml
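Review bot: The reference URL here (`abusing-dmsa-for-privilege-escalation-in-active-directory`) differs from the `abusing-bad-successor-for-...` slug used by the other four rules in this PR, so at least one of the two is a dead link; I believe the `abusing-dmsa` slug is the live one, but please verify and make all five rules point at the same page. The selection fires on every dMSA creation regardless of where the object lands, while the BadSuccessor precondition is CreateChild on an OU the attacker controls and the PR's own PowerShell rules encode that by requiring `-path`; naming `ObjectDN` in the description as the triage field, or raising the level for creations whose `ObjectDN` is not under the default `CN=Managed Service Accounts` container, would bring the 5137 rule in line with its siblings. The `attack.initial-access` tag does not fit an in-domain object creation performed by an already-authenticated principal; this is a privilege-escalation/persistence step after access, and the same tag appears on all five rules.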
@@ -0,0 +1,38 @@
+title: DMSA Service Account Created in Specific OUs - PowerShell
+id: 02122374-b74e-495c-b285-9e4da973f3d6
+related:
+ - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
+ type: similar
+ - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
+ type: similar
+status: experimental
+description: |
+ Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
+ The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
+ It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
+ On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
+ it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
+references:
+ - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.t1078.002
+ - attack.t1098
+logsource:
+ category: ps_script
+ product: windows
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'New-ADServiceAccount'
+ - '-CreateDelegatedServiceAccount'
+ - '-path'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml b/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml
new file mode 100644
index 000000000..9834ca5ca
--- /dev/null
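Review bot: The title and description promise detection "in certain OUs", but the selection only checks that a `-path` token appears somewhere in the script block, so any destination matches and no OU is actually inspected; either say that plainly, e.g. `Detects New-ADServiceAccount invocations that combine -CreateDelegatedServiceAccount with an explicit -Path, the shape used by the public BadSuccessor PoC`, or match the OU value explicitly. PowerShell binds parameters by any unambiguous prefix, so `-CreateDelegatedServiceAccount` can be written as `-CreateD` and `-Path` as `-Pat`, and `|contains|all` on the full names misses both; shortening the tokens to `-CreateD` would close that gap at no cost in precision, since no other New-ADServiceAccount parameter shares that prefix as far as I can see. The `dMSASvc` term in the description is not a Microsoft or Sigma name that I recognise and looks like a leftover from a PoC script; `dMSA` would be clearer.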
+++ b/rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml
@@ -0,0 +1,32 @@
+title: DMSA Link Attributes Modified
+id: 9b111d8e-92e0-4153-88bc-daefc1333aba
+related:
+ - id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
+ type: similar
+status: experimental
+description: |
+ Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
+ This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
+references:
+ - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+ - attack.privilege-escalation
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.initial-access
+ - attack.t1078.002
+ - attack.t1098
+logsource:
+ category: ps_script
+ product: windows
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - '.Put("msDS-ManagedAccountPrecededByLink'
+ - 'CN='
+ condition: selection
+falsepositives:
+ - Legitimate administrative tasks modifying these attributes.
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml b/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml
new file mode 100644
index 000000000..189c4948b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_create_new_dmsasvc_account.yml
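Review bot: The `.Put("msDS-ManagedAccountPrecededByLink` token ties the rule to one ADSI spelling with a double quote; the same write via `.Put('msDS-...'`, `.PutEx(...)`, or `Set-ADObject -Replace @{'msDS-ManagedAccountPrecededByLink'=...}` never matches, even though the attribute name on its own is already a rare token in scripts. I would key the selection on the attribute name and pair it with a short list of write verbs instead of the exact `.Put("` prefix, as sketched below. The `CN=` token is present in practically every DN so it adds little, and "This command line pattern" in the description should read "script block pattern" since the logsource is `ps_script`. It is also worth saying in the description that the 5136 sibling rule is the authoritative signal for the write itself, so analysts know how much weight to give a `low`-level hit from a source that only sees logged PowerShell.
```yaml
detection:
  selection_attr:
    ScriptBlockText|contains: 'msDS-ManagedAccountPrecededByLink'
  selection_write:
    ScriptBlockText|contains:
      - '.Put('
      - '.PutEx('
      - '-Replace'
      - '-Add'
  condition: all of selection_*
# … unchanged: title, related, description, references, tags, logsource, falsepositives, level …
```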
@@ -0,0 +1,47 @@
+title: New DMSA Service Account Created in Specific OUs
+id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
+related:
+ - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
+ type: similar
+ - id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
+ type: similar
+status: experimental
+description: |
+ Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
+ The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
+ It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
+ On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
+ it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
+references:
+ - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+ - attack.privilege-escalation
+ - attack.initial-access
+ - attack.defense-evasion
+ - attack.persistence
+ - attack.t1078.002
+ - attack.t1098
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\powershell_ise.exe'
+ - OriginalFileName:
+ - 'powershell.exe'
+ - 'pwsh.dll'
+ - 'powershell_ise.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'New-ADServiceAccount'
+ - '-CreateDelegatedServiceAccount'
+ - '-path'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
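Review bot: The command-line match is the weakest of the three creation rules because the invocation is hidden from 4688/Sysmon 1 by `-EncodedCommand`, `-File`, or a downloaded script, while the `ps_script` sibling 02122374 sees the decoded script block and the 5137 rule keys on `ObjectClass` and so catches creations that never go through the cmdlet at all (for instance `New-ADObject -Type msDS-DelegatedManagedServiceAccount` or a raw LDAP add); the description should say that this rule is a cheap first-pass and point to those two as the ones to rely on, e.g. `Command-line only; encoded/file-based runs and non-cmdlet creations are covered by 02122374 and e15bc294.` As with the script-block rule, PowerShell resolves unambiguous parameter prefixes, so `-CreateDelegatedServiceAccount` may appear as `-CreateD` and `-Path` as `-Pat`, and `contains` on the full names misses them; shortening the tokens to `-CreateD` would close that gap for free. The `dMSASvc` wording and the `BaDSuccessor` spelling in the description are carried over from the ps_script rule and should be normalised to `dMSA` and `BadSuccessor` in both.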