{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bad-successor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Server","Active Directory"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","active-directory","bad-successor","dmsa"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe observed activity involves the suspicious creation of a Delegated Managed Service Account (dMSASvc) using the \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet within specific, targeted Organizational Units (OUs) in Windows Server 2025 Active Directory environments. This pattern is strongly associated with attempts to exploit the BadSuccessor vulnerability, a privilege escalation technique. The creation of a DMSA account in a specific OU, especially by a user without legitimate administrative privileges, raises significant concerns. This activity, first highlighted in late 2025, signifies an attacker attempting to gain elevated permissions within the Active Directory domain by abusing the delegation capabilities of DMSA accounts. Defenders should closely monitor for this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to a system within the target domain is achieved, potentially through compromised credentials or exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell (powershell.exe or pwsh.exe) to execute commands.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet is invoked with the \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e-Path\u003c/code\u003e parameter specifies a target Organizational Unit (OU) within the Active Directory. The specific OU is often chosen based on its existing permissions and delegation configurations.\u003c/li\u003e\n\u003cli\u003eThe command attempts to create a new dMSASvc account within the specified OU.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains control over the newly created dMSASvc account.\u003c/li\u003e\n\u003cli\u003eThe attacker misuses the delegation rights associated with the dMSASvc account to impersonate other users or services.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and achieves lateral movement within the Active Directory environment, potentially gaining domain administrator access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the BadSuccessor vulnerability can lead to complete domain compromise. Attackers can gain control of sensitive accounts, access confidential data, and disrupt critical business operations. The Akamai report highlights the potential for widespread damage, and the focus on Windows Server 2025 indicates a modern attack targeting recent infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;New DMSA Service Account Created in Specific OUs\u0026quot; to your SIEM to detect suspicious DMSA creation activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs for PowerShell execution involving the \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet and the \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict Active Directory permissions to prevent unauthorized DMSA account creation.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified instances of unauthorized DMSA account creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T15:00:00Z","date_published":"2024-01-08T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/","summary":"The creation of a new Delegated Managed Service Account (DMSA) within specific Organizational Units (OUs) using the New-ADServiceAccount cmdlet is indicative of potential BadSuccessor privilege escalation attempts in Windows Server 2025 Active Directory environments.","title":"Creation of New DMSA Service Account Potentially Exploiting BadSuccessor Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/"}],"language":"en","title":"CraftedSignal Threat Feed - Bad-Successor","version":"https://jsonfeed.org/version/1.1"}