Detection rules › Sigma
New DMSA Service Account Created in Specific OUs
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078.002 Valid Accounts: Domain Accounts |
| Persistence | T1078.002 Valid Accounts: Domain Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078.002 Valid Accounts: Domain Accounts, T1098 Account Manipulation |
| Defense Evasion | T1078.002 Valid Accounts: Domain Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: powershell.exe
OriginalFileName: powershell_ise.exe
OriginalFileName: pwsh.dll
Stage 2: all of selection_cli
CommandLine|contains: -CreateDelegatedServiceAccount
CommandLine|contains: -path
CommandLine|contains: New-ADServiceAccount
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|