New DMSA Service Account Created in Specific OUs

Detects the creation of a delegated Managed Service Account (dMSA) with the New-ADServiceAccount cmdlet when the -CreateDelegatedServiceAccount switch is combined with an explicit -Path, i.e. the new object is placed into an OU chosen on the command line. Creating a dMSA in an OU of the caller's choosing is the first step of the BadSuccessor privilege escalation technique described in the referenced Akamai research: in a domain that contains at least one Windows Server 2025 domain controller, a principal that can create msDS-DelegatedManagedServiceAccount objects in any OU can create a dMSA there, link it to a privileged account and then authenticate as the dMSA to inherit that account's access. If the account running the cmdlet is not an administrator who legitimately provisions service accounts, or lacks the permissions normally required for that task, this is a strong signal of attempted or successful BadSuccessor abuse. Note that the detection only requires a -Path argument to be present; restricting it to particular OUs is left to the deploying team.

Sigma rule

title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
      type: similar
status: experimental
description: |
    Detects the creation of a delegated Managed Service Account (dMSA) with the New-ADServiceAccount cmdlet
    when the -CreateDelegatedServiceAccount switch is combined with an explicit -Path, i.e. the object is placed into a chosen OU.
    Creating a dMSA in an OU of the caller's choosing is the first step of the BadSuccessor privilege escalation technique
    against Active Directory domains that contain a Windows Server 2025 domain controller.
    If the account running the cmdlet is not an administrator who legitimately provisions service accounts, or lacks the permissions
    normally required for that task, this is a strong signal of attempted or successful BadSuccessor abuse.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.defense-evasion
    - attack.persistence
    - attack.t1078.002
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'powershell_ise.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: all of selection_*
falsepositives:
    - Legitimate provisioning of dMSAs by administrators into dedicated service-account OUs
level: medium
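The selection logic of the rule above, re-implemented in Python and run over a handful of constructed process-creation events, as an added example that is not part of the Sigma rule or of the SigmaHQ project. It mirrors Sigma's default case-insensitive string matching: selection_img is the OR of the Image suffix list and the OriginalFileName list, selection_cli requires all three substrings, and the condition ANDs the two. The host paths, OU names and account names in the sample events are made up.

```python
"""Emulates the selection logic of the Sigma rule 0ea8db81-2ff6-4525-9448-33bbe7effc13
over constructed process_creation events (Sysmon event 1 style field names)."""

# Values copied from the rule; Sigma string modifiers are case-insensitive by default.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
CLI_TOKENS = ("New-ADServiceAccount", "-CreateDelegatedServiceAccount", "-path")


def selection_img(event: dict) -> bool:
    """selection_img is a list of two maps, so it is Image|endswith OR OriginalFileName."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES) or ofn in {
        n.lower() for n in ORIGINAL_FILE_NAMES
    }


def selection_cli(event: dict) -> bool:
    """CommandLine|contains|all: every token must appear as a substring."""
    cmdline = event.get("CommandLine", "").lower()
    return all(tok.lower() in cmdline for tok in CLI_TOKENS)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (hypothetical hosts, OUs and account names).
DMSA_CMD = ("New-ADServiceAccount -Name svc_dmsa01 -DNSHostName app01.corp.example "
            "-CreateDelegatedServiceAccount -Path 'OU=Staging,DC=corp,DC=example'")

SAMPLE_EVENTS = [
    {   # 1: dMSA created into a chosen OU from powershell.exe -> should fire
        "EventID": "dmsa-in-ou",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": f'powershell.exe -Command "{DMSA_CMD}"',
    },
    {   # 2: same command from a renamed pwsh binary; OriginalFileName still catches it
        "EventID": "renamed-pwsh",
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": f'updater.exe -NoProfile -c "{DMSA_CMD}"',
    },
    {   # 3: ordinary gMSA creation with -Path but without the dMSA switch -> must not fire
        "EventID": "gmsa-benign",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": ('powershell.exe -Command "New-ADServiceAccount -Name gmsa_sql01 '
                        "-DNSHostName sql01.corp.example -Path 'OU=Service,DC=corp,DC=example'\""),
    },
    {   # 4: PowerShell accepts any unambiguous parameter-name prefix, so this abbreviation
        #    creates the same dMSA but defeats the literal substring match (known gap)
        "EventID": "abbreviated-switch",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": ('pwsh.exe -c "New-ADServiceAccount -Name svc_dmsa02 -DNSHostName app02.corp.example '
                        "-CreateDelegated -Path 'OU=Staging,DC=corp,DC=example'\""),
    },
]


def alerting_event_ids(events=SAMPLE_EVENTS) -> list:
    """Return the EventIDs the rule would alert on, in input order."""
    return [e["EventID"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'ALERT' if matches(e) else '  -  '}  {e['EventID']}")
```

Events 1 and 2 alert, event 3 does not because a gMSA created with -Path lacks the dMSA switch, and event 4 slips through because PowerShell resolves -CreateDelegated to -CreateDelegatedServiceAccount at runtime while the rule matches the literal spelling only. That gap, and the fact that the rule cannot see dMSAs created through ADSI or LDAP rather than the cmdlet, is why it should be paired with the related rules listed above that watch the directory object creation itself (e15bc294) and PowerShell ScriptBlockText (02122374).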
