Merge PR #5433 from @swachchhanda000 - Add BadSuccessor dMSA Abuse Related Rules

new: msDS-ManagedAccountPrecededByLink Attribute Modified
new: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
new: DMSA Service Account Created in Specific OUs - PowerShell
new: DMSA Link Attributes Modified
new: New DMSA Service Account Created in Specific OUs

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/windows/powershell/powershell_script/posh_ps_create_new_dmsasvc_account.yml

@@ -0,0 +1,38 @@
+title: DMSA Service Account Created in Specific OUs - PowerShell
+id: 02122374-b74e-495c-b285-9e4da973f3d6
+related:
+    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
+      type: similar
+    - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
+      type: similar
+status: experimental
+description: |
+    Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
+    The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
+    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
+    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
+    it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
+references:
+    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+    - attack.privilege-escalation
+    - attack.initial-access
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1078.002
+    - attack.t1098
+logsource:
+    category: ps_script
+    product: windows
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'New-ADServiceAccount'
+            - '-CreateDelegatedServiceAccount'
+            - '-path'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

rules/windows/powershell/powershell_script/posh_ps_modification_of_dmsa_link_attribute.yml

@@ -0,0 +1,32 @@
+title: DMSA Link Attributes Modified
+id: 9b111d8e-92e0-4153-88bc-daefc1333aba
+related:
+    - id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
+      type: similar
+status: experimental
+description: |
+    Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
+    This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
+references:
+    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-24
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.initial-access
+    - attack.t1078.002
+    - attack.t1098
+logsource:
+    category: ps_script
+    product: windows
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - '.Put("msDS-ManagedAccountPrecededByLink'
+            - 'CN='
+    condition: selection
+falsepositives:
+    - Legitimate administrative tasks modifying these attributes.
+level: low