<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Logs-Windows.forwarded* — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/logs-windows.forwarded/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 12 May 2026 19:00:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/logs-windows.forwarded/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual dMSA Account Creation for Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-05-dmsa-creation/</link><pubDate>Tue, 12 May 2026 19:00:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-dmsa-creation/</guid><description>Detects the creation of a delegated Managed Service Account (dMSA) by an unusual subject account, potentially indicating an attempt to abuse weak permissions for privilege escalation in Active Directory.</description><content:encoded><![CDATA[<p>This detection rule identifies the creation of delegated Managed Service Accounts (dMSAs) by accounts that are not typically associated with such actions. Attackers can exploit misconfigured permissions, specifically weak child-object or msDS-DelegatedManagedServiceAccount rights, during account migration processes to elevate their privileges within an Active Directory environment. This technique allows adversaries to gain control over sensitive resources and compromise the overall security of the domain. The detection focuses on Windows systems where Active Directory is deployed. 
The rule leverages Windows Security Event Logs to identify suspicious dMSA creation events. Defenders should investigate any detected instances of unusual dMSA creation, as they may indicate malicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a low-privileged account within the Active Directory domain.</li>
<li>The attacker identifies an opportunity to abuse weak permissions related to dMSA creation, focusing on child-object or msDS-DelegatedManagedServiceAccount rights.</li>
<li>The attacker uses the compromised account to create a new msDS-DelegatedManagedServiceAccount object within Active Directory. Object creation is logged as event ID 5137 (a directory service object was created) when Audit Directory Service Changes is enabled.</li>
<li>The attacker modifies attributes of the newly created dMSA object to link it to a privileged predecessor or advance its migration state. Each attribute change generates event ID 5136 (a directory service object was modified).</li>
<li>The attacker assigns Service Principal Names (SPNs) to the dMSA, enabling it to authenticate to services within the domain.</li>
<li>The attacker configures delegation settings on the dMSA, granting it the ability to impersonate other users or services.</li>
<li>The attacker adds the dMSA to privileged groups, further escalating its privileges within the domain.</li>
<li>The attacker uses the compromised dMSA to access sensitive resources and perform unauthorized actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to significant privilege escalation within the Active Directory domain. An attacker could gain control over critical systems, access sensitive data, and potentially compromise the entire domain infrastructure. This can result in data breaches, financial losses, and reputational damage. The number of affected systems depends on the scope of the attacker&rsquo;s access and the criticality of the compromised resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Audit Directory Service Changes to generate the necessary Windows Security Event Logs for detection (reference: Setup section in rule content).</li>
<li>Deploy the provided Sigma rule to your SIEM to detect unusual dMSA creation events (reference: rules section below).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the ObjectDN, the SubjectUserName that performed the creation, and the 5136 modification events that follow it, to determine whether the dMSA creation is part of a legitimate migration (reference: rule <code>description</code> and <code>note</code> sections).</li>
<li>Monitor for event ID 5136 on newly created dMSAs that changes msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, SPNs, delegation attributes, or gMSA membership (reference: <code>note</code> section).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>windows</category></item></channel></rss>