{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-server-2025/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory","Windows Server 2025"],"_cs_severities":["medium"],"_cs_tags":["attack.privilege-escalation","attack.initial-access","attack.defense-evasion","attack.persistence","attack.t1078.002","attack.t1098"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis activity focuses on the suspicious creation of delegated managed service accounts (dMSAs) within specific organizational units (OUs) in Active Directory using PowerShell. This technique is associated with attempts to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. The exploitation involves using the \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet with parameters like \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e and \u003ccode\u003e-path\u003c/code\u003e to create a dMSA in a targeted OU. The risk is amplified when the user initiating the dMSA creation lacks legitimate administrative privileges, pointing towards unauthorized privilege escalation. Defenders should be aware of unusual dMSA creation activities, especially in environments running Windows Server 2025, and monitor for users attempting to manipulate Active Directory objects without proper authorization. This behavior is indicative of lateral movement and persistence attempts post initial compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a compromised user account, possibly through phishing or credential theft (T1078.002).\u003c/li\u003e\n\u003cli\u003eReconnaissance: The attacker performs reconnaissance to identify vulnerable Active Directory environments and potential target OUs.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation Preparation: The attacker attempts to create a dMSA service account within a specific OU using PowerShell.\u003c/li\u003e\n\u003cli\u003edMSA Creation: The attacker executes the \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet with parameters such as \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e and specifying a \u003ccode\u003e-path\u003c/code\u003e to a targeted OU.\u003c/li\u003e\n\u003cli\u003eBadSuccessor Exploitation: The attacker leverages the BadSuccessor vulnerability to manipulate the newly created dMSA, granting themselves elevated privileges.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker uses the elevated privileges to establish persistence within the Active Directory environment (T1098).\u003c/li\u003e\n\u003cli\u003eLateral Movement: With elevated privileges, the attacker moves laterally to other systems within the domain.\u003c/li\u003e\n\u003cli\u003eObjective: The ultimate objective could be data exfiltration, deployment of ransomware, or further compromise of critical systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the BadSuccessor vulnerability can lead to a complete compromise of the Active Directory domain. An attacker could gain control over sensitive accounts, critical systems, and sensitive data. The impact includes data breaches, service disruptions, and potential financial losses. The risk is especially high in environments running unpatched Windows Server 2025 instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDMSA Service Account Created in Specific OUs - PowerShell\u003c/code\u003e to your SIEM to detect suspicious dMSA creation attempts (logsource: ps_script).\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell logs (category: ps_script, product: windows) for the use of \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e with \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e and \u003ccode\u003e-path\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eImplement strict Active Directory permissioning and regularly audit user privileges to prevent unauthorized dMSA creation.\u003c/li\u003e\n\u003cli\u003ePatch Windows Server 2025 environments to mitigate the BadSuccessor vulnerability referenced in the Akamai blog post (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:30:00Z","date_published":"2024-01-02T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-badsuccessor-dmsa/","summary":"The creation of a delegated managed service account (dMSA) in specific Active Directory organizational units (OUs) via PowerShell, especially when the initiating user lacks proper permissions, indicates a potential attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025 environments.","title":"Suspicious dMSA Service Account Creation Attempting BadSuccessor Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-badsuccessor-dmsa/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows Server 2025","version":"https://jsonfeed.org/version/1.1"}