DMSA Service Account Created in Specific OUs - PowerShell

Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. Using the cmdlet to create a dMSASvc account in a specific OU is highly suspicious: it is the pattern used to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. Furthermore, if the user creating the dMSASvc account is not a legitimate administrator or lacks the necessary permissions, that is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

Sigma rule

title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BadSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078.002
    - attack.t1098
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: selection
falsepositives:
    - Unknown
level: medium
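To show what the selection above actually fires on, the following is an added example (not part of the rule or of the Nextron/Sigma project) that evaluates the rule's `ScriptBlockText|contains|all` logic against constructed PowerShell Script Block Logging records (Event ID 4104). Sigma string modifiers match case-insensitively by default, so a lowercased `new-adserviceaccount ... -path` invocation fires just like the canonical casing. It also pulls the `-Path` target out of a hit so an analyst can check whether dMSA creation is expected in that OU; the helper name `extract_target_ou`, the host names, users and OU distinguished names are all placeholders, not real data.

```python
"""Added example: apply the Sigma selection (contains|all, case-insensitive)
to constructed Event ID 4104 ScriptBlockText records and enrich hits with the
target OU taken from the -Path argument."""
import re

# Terms copied from the rule's selection. Sigma 'contains' is case-insensitive
# by default, so both sides are lowercased before comparison.
REQUIRED_TERMS = ("New-ADServiceAccount", "-CreateDelegatedServiceAccount", "-path")

# Matches the value following -Path, quoted or not (hypothetical triage helper).
_PATH_ARG = re.compile(r"-path\s+[\"']?([^\"'\s]+)", re.IGNORECASE)


def rule_matches(script_block_text: str) -> bool:
    """True when every required term appears in the script block, ignoring case."""
    haystack = script_block_text.lower()
    return all(term.lower() in haystack for term in REQUIRED_TERMS)


def extract_target_ou(script_block_text: str):
    """Return the -Path value (the OU the dMSA is created in), or None if absent."""
    m = _PATH_ARG.search(script_block_text)
    return m.group(1) if m else None


# Constructed sample records (placeholders; not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "DC01.example.test", "User": "EXAMPLE\\jdoe",
     "ScriptBlockText": 'New-ADServiceAccount -Name "dMSASvc" -DNSHostName "dmsa.example.test" '
                        '-CreateDelegatedServiceAccount -Path "OU=Workstations,DC=example,DC=test"'},
    {"EventID": 4104, "Computer": "DC01.example.test", "User": "EXAMPLE\\svc-deploy",
     "ScriptBlockText": 'new-adserviceaccount -name gmsa01 -dnshostname web01.example.test '
                        '-createdelegatedserviceaccount -path OU=Servers,DC=example,DC=test'},
    # Ordinary gMSA creation: no -CreateDelegatedServiceAccount, no -Path -> must not fire.
    {"EventID": 4104, "Computer": "DC01.example.test", "User": "EXAMPLE\\admin",
     "ScriptBlockText": 'New-ADServiceAccount -Name gmsa02 -DNSHostName app01.example.test '
                        '-PrincipalsAllowedToRetrieveManagedPassword "APP01$"'},
    # Read-only enumeration -> must not fire.
    {"EventID": 4104, "Computer": "WS07.example.test", "User": "EXAMPLE\\jdoe",
     "ScriptBlockText": 'Get-ADServiceAccount -Filter * | Select-Object Name, DistinguishedName'},
]


def evaluate(events):
    """Return (index, user, target OU) for every 4104 record the selection matches."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 4104 and rule_matches(ev["ScriptBlockText"]):
            hits.append((i, ev["User"], extract_target_ou(ev["ScriptBlockText"])))
    return hits


if __name__ == "__main__":
    for idx, user, ou in evaluate(SAMPLE_EVENTS):
        print(f"[ALERT] event {idx}: user={user} created a dMSA in {ou}")
```

Running it reports the first two records (the second despite its all-lowercase casing) and leaves the plain gMSA creation and the `Get-ADServiceAccount` query alone; the extracted OU is what you would compare against the list of OUs where dMSA creation is sanctioned, and the user field against your administrators, as the description suggests.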
