Suspicious Domain Managed Service Account Creation by Unusual User
Detection of a Domain Managed Service Account (DMSA) creation event by a user that typically does not perform this administrative task, potentially indicating privilege escalation or account compromise.
This alert focuses on detecting anomalous creation of Domain Managed Service Accounts (DMSAs) within a Windows environment. DMSAs are privileged accounts used to run services and applications. The creation of these accounts should typically be restricted to a small set of administrators. When a user outside of this group creates a DMSA, it could indicate malicious activity such as privilege escalation, lateral movement from a compromised account, or an insider threat. This detection aims to identify unusual DMSA creation events, helping security teams quickly investigate and respond to potential security breaches. The rule is based on identifying deviations from the norm in terms of who is creating these accounts.
Attack Chain
- An attacker gains initial access to a low-privilege user account, possibly through phishing or password compromise.
- The attacker performs reconnaissance to identify potential privilege escalation paths within the domain.
- The attacker attempts to create a DMSA using tools like
New-ADServiceAccountPowerShell cmdlet or AD management tools. - The attacker leverages the newly created DMSA to gain elevated privileges within the network.
- The attacker uses the compromised DMSA to access sensitive resources or systems.
- The attacker may install malware or backdoors on critical systems using the DMSA credentials.
- The attacker may then perform lateral movement to compromise additional systems and escalate privileges further.
Impact
A successful DMSA creation by an unauthorized user can lead to significant privilege escalation within the Active Directory domain. This can provide attackers with administrative control over critical systems and data, enabling them to steal sensitive information, disrupt services, and potentially deploy ransomware across the entire organization. The scope of the attack can be broad, potentially affecting all systems and users within the domain.
Detection coverage 2
DMSA Creation by Unusual User via PowerShell
highDetects the creation of a Domain Managed Service Account (DMSA) using PowerShell by a user that is not typically associated with this activity.
DMSA Creation Event via AD Management Tools
highDetects events related to the creation of a Domain Managed Service Account (DMSA) through standard Active Directory management tools executed by an unusual user.
Detection queries are available on the platform. Get full rules →