Skip to content
Threat Feed
medium advisory

Suspicious dMSA Service Account Creation Attempting BadSuccessor Abuse

The creation of a delegated managed service account (dMSA) in specific Active Directory organizational units (OUs) via PowerShell, especially when the initiating user lacks proper permissions, indicates a potential attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025 environments.

This activity focuses on the suspicious creation of delegated managed service accounts (dMSAs) within specific organizational units (OUs) in Active Directory using PowerShell. This technique is associated with attempts to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. The exploitation involves using the New-ADServiceAccount cmdlet with parameters like -CreateDelegatedServiceAccount and -path to create a dMSA in a targeted OU. The risk is amplified when the user initiating the dMSA creation lacks legitimate administrative privileges, pointing towards unauthorized privilege escalation. Defenders should be aware of unusual dMSA creation activities, especially in environments running Windows Server 2025, and monitor for users attempting to manipulate Active Directory objects without proper authorization. This behavior is indicative of lateral movement and persistence attempts post initial compromise.

Attack Chain

  1. Initial Access: An attacker gains initial access to a compromised user account, possibly through phishing or credential theft (T1078.002).
  2. Reconnaissance: The attacker performs reconnaissance to identify vulnerable Active Directory environments and potential target OUs.
  3. Privilege Escalation Preparation: The attacker attempts to create a dMSA service account within a specific OU using PowerShell.
  4. dMSA Creation: The attacker executes the New-ADServiceAccount cmdlet with parameters such as -CreateDelegatedServiceAccount and specifying a -path to a targeted OU.
  5. BadSuccessor Exploitation: The attacker leverages the BadSuccessor vulnerability to manipulate the newly created dMSA, granting themselves elevated privileges.
  6. Persistence: The attacker uses the elevated privileges to establish persistence within the Active Directory environment (T1098).
  7. Lateral Movement: With elevated privileges, the attacker moves laterally to other systems within the domain.
  8. Objective: The ultimate objective could be data exfiltration, deployment of ransomware, or further compromise of critical systems.

Impact

Successful exploitation of the BadSuccessor vulnerability can lead to a complete compromise of the Active Directory domain. An attacker could gain control over sensitive accounts, critical systems, and sensitive data. The impact includes data breaches, service disruptions, and potential financial losses. The risk is especially high in environments running unpatched Windows Server 2025 instances.

Recommendation

  • Deploy the Sigma rule DMSA Service Account Created in Specific OUs - PowerShell to your SIEM to detect suspicious dMSA creation attempts (logsource: ps_script).
  • Monitor PowerShell logs (category: ps_script, product: windows) for the use of New-ADServiceAccount with -CreateDelegatedServiceAccount and -path parameters.
  • Implement strict Active Directory permissioning and regularly audit user privileges to prevent unauthorized dMSA creation.
  • Patch Windows Server 2025 environments to mitigate the BadSuccessor vulnerability referenced in the Akamai blog post (references).

Detection coverage 2

DMSA Service Account Creation in Sensitive OUs - PowerShell

medium

Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs, which can indicate BadSuccessor exploitation.

sigma tactics: initial-access, privilege-escalation techniques: T1078.002 sources: ps_script, windows

PowerShell -ADServiceAccount Cmdlets

low

Detects the use of any -ADServiceAccount cmdlets in powershell

sigma tactics: initial-access, privilege-escalation techniques: T1078.002 sources: ps_script, windows

Detection queries are available on the platform. Get full rules →