<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bad-Successor - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bad-successor/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 08 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bad-successor/feed.xml" rel="self" type="application/rss+xml"/><item><title>Creation of New DMSA Service Account Potentially Exploiting BadSuccessor Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/</link><pubDate>Mon, 08 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/</guid><description>The creation of a new Delegated Managed Service Account (DMSA) within specific Organizational Units (OUs) using the New-ADServiceAccount cmdlet is indicative of potential BadSuccessor privilege escalation attempts in Windows Server 2025 Active Directory environments.</description><content:encoded><![CDATA[<p>The observed activity involves the suspicious creation of a Delegated Managed Service Account (dMSASvc) using the <code>New-ADServiceAccount</code> cmdlet within specific, targeted Organizational Units (OUs) in Windows Server 2025 Active Directory environments. This pattern is strongly associated with attempts to exploit the BadSuccessor vulnerability, a privilege escalation technique. The creation of a DMSA account in a specific OU, especially by a user without legitimate administrative privileges, raises significant concerns. This activity, first highlighted in late 2025, signifies an attacker attempting to gain elevated permissions within the Active Directory domain by abusing the delegation capabilities of DMSA accounts. Defenders should closely monitor for this behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to a system within the target domain is achieved, potentially through compromised credentials or exploiting a separate vulnerability.</li>
<li>The attacker leverages PowerShell (powershell.exe or pwsh.exe) to execute commands.</li>
<li>The <code>New-ADServiceAccount</code> cmdlet is invoked with the <code>-CreateDelegatedServiceAccount</code> parameter.</li>
<li>The <code>-Path</code> parameter specifies a target Organizational Unit (OU) within the Active Directory. The specific OU is often chosen based on its existing permissions and delegation configurations.</li>
<li>The command attempts to create a new dMSASvc account within the specified OU.</li>
<li>If successful, the attacker gains control over the newly created dMSASvc account.</li>
<li>The attacker misuses the delegation rights associated with the dMSASvc account to impersonate other users or services.</li>
<li>The attacker escalates privileges and achieves lateral movement within the Active Directory environment, potentially gaining domain administrator access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the BadSuccessor vulnerability can lead to complete domain compromise. Attackers can gain control of sensitive accounts, access confidential data, and disrupt critical business operations. The Akamai report highlights the potential for widespread damage, and the focus on Windows Server 2025 indicates a modern attack targeting recent infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;New DMSA Service Account Created in Specific OUs&quot; to your SIEM to detect suspicious DMSA creation activity and tune for your environment.</li>
<li>Monitor process creation logs for PowerShell execution involving the <code>New-ADServiceAccount</code> cmdlet and the <code>-CreateDelegatedServiceAccount</code> parameter.</li>
<li>Review and restrict Active Directory permissions to prevent unauthorized DMSA account creation.</li>
<li>Investigate and remediate any identified instances of unauthorized DMSA account creation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>active-directory</category><category>bad-successor</category><category>dmsa</category></item></channel></rss>