<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Attack.t1098 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/attack.t1098/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/attack.t1098/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious dMSA Service Account Creation Attempting BadSuccessor Abuse</title><link>https://feed.craftedsignal.io/briefs/2024-01-badsuccessor-dmsa/</link><pubDate>Tue, 02 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-badsuccessor-dmsa/</guid><description>The creation of a delegated managed service account (dMSA) in specific Active Directory organizational units (OUs) via PowerShell, especially when the initiating user lacks proper permissions, indicates a potential attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025 environments.</description><content:encoded><![CDATA[<p>This activity focuses on the suspicious creation of delegated managed service accounts (dMSAs) within specific organizational units (OUs) in Active Directory using PowerShell. This technique is associated with attempts to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. The exploitation involves using the <code>New-ADServiceAccount</code> cmdlet with parameters like <code>-CreateDelegatedServiceAccount</code> and <code>-path</code> to create a dMSA in a targeted OU. The risk is amplified when the user initiating the dMSA creation lacks legitimate administrative privileges, pointing towards unauthorized privilege escalation. Defenders should be aware of unusual dMSA creation activities, especially in environments running Windows Server 2025, and monitor for users attempting to manipulate Active Directory objects without proper authorization. This behavior is indicative of lateral movement and persistence attempts post initial compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a compromised user account, possibly through phishing or credential theft (T1078.002).</li>
<li>Reconnaissance: The attacker performs reconnaissance to identify vulnerable Active Directory environments and potential target OUs.</li>
<li>Privilege Escalation Preparation: The attacker attempts to create a dMSA service account within a specific OU using PowerShell.</li>
<li>dMSA Creation: The attacker executes the <code>New-ADServiceAccount</code> cmdlet with parameters such as <code>-CreateDelegatedServiceAccount</code> and specifying a <code>-path</code> to a targeted OU.</li>
<li>BadSuccessor Exploitation: The attacker leverages the BadSuccessor vulnerability to manipulate the newly created dMSA, granting themselves elevated privileges.</li>
<li>Persistence: The attacker uses the elevated privileges to establish persistence within the Active Directory environment (T1098).</li>
<li>Lateral Movement: With elevated privileges, the attacker moves laterally to other systems within the domain.</li>
<li>Objective: The ultimate objective could be data exfiltration, deployment of ransomware, or further compromise of critical systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the BadSuccessor vulnerability can lead to a complete compromise of the Active Directory domain. An attacker could gain control over sensitive accounts, critical systems, and sensitive data. The impact includes data breaches, service disruptions, and potential financial losses. The risk is especially high in environments running unpatched Windows Server 2025 instances.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>DMSA Service Account Created in Specific OUs - PowerShell</code> to your SIEM to detect suspicious dMSA creation attempts (logsource: ps_script).</li>
<li>Monitor PowerShell logs (category: ps_script, product: windows) for the use of <code>New-ADServiceAccount</code> with <code>-CreateDelegatedServiceAccount</code> and <code>-path</code> parameters.</li>
<li>Implement strict Active Directory permissioning and regularly audit user privileges to prevent unauthorized dMSA creation.</li>
<li>Patch Windows Server 2025 environments to mitigate the BadSuccessor vulnerability referenced in the Akamai blog post (references).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>attack.privilege-escalation</category><category>attack.initial-access</category><category>attack.defense-evasion</category><category>attack.persistence</category><category>attack.t1078.002</category><category>attack.t1098</category></item></channel></rss>