DMSA Link Attributes Modified

 1title: DMSA Link Attributes Modified
 2id: 9b111d8e-92e0-4153-88bc-daefc1333aba
 3related:
 4    - id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
 5      type: similar
 6status: experimental
 7description: |
 8    Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
 9    This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.    
10references:
11    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
12author: Swachchhanda Shrawan Poudel (Nextron Systems)
13date: 2025-05-24
14tags:
15    - attack.privilege-escalation
16    - attack.defense-evasion
17    - attack.persistence
18    - attack.initial-access
19    - attack.t1078.002
20    - attack.t1098
21logsource:
22    category: ps_script
23    product: windows
24detection:
25    selection:
26        ScriptBlockText|contains|all:
27            - '.Put("msDS-ManagedAccountPrecededByLink'
28            - 'CN='
29    condition: selection
30falsepositives:
31    - Legitimate administrative tasks modifying these attributes.
32level: low