{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dmsa/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","dmsa"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses the potential for privilege escalation on Windows systems through the abuse of the Default Message Security Agent (DMSA). While the specific exploit details are not provided in this source, it's important to monitor for suspicious registry modifications related to DMSA that could indicate an attempt to elevate privileges. The observed behavior involves changes to registry keys associated with DMSA, potentially redirecting or modifying its execution path to inject malicious code. Defenders should be aware of any unauthorized modifications to DMSA-related registry settings as these could lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system (details not specified).\u003c/li\u003e\n\u003cli\u003eAttacker identifies the DMSA registry keys used to control the execution path.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the registry key \u003ccode\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DMSAgent\u003c/code\u003e to point to a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is crafted to perform privileged actions.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the DMSA service, either directly or indirectly through a system event.\u003c/li\u003e\n\u003cli\u003eThe DMSA service executes the malicious executable with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the system with the privileges of the DMSA service account.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further actions such as installing backdoors or exfiltrating data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of DMSA can lead to complete system compromise. An attacker who successfully escalates privileges can gain full control of the affected machine, allowing them to install malware, steal sensitive data, or disrupt critical services. Given the potential for widespread impact, proactive monitoring and detection of suspicious DMSA activity are essential for maintaining the security and integrity of Windows environments.\u003c/p\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-31-dmsa-abuse/","summary":"Detection of potential abuse of Default Message Security Agent (DMSA) for privilege escalation on Windows systems, based on registry modifications.","title":"Potential DMSA Abuse for Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-31-dmsa-abuse/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Server","Active Directory"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","active-directory","dmsa"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert focuses on detecting anomalous creation of Domain Managed Service Accounts (DMSAs) within a Windows environment. DMSAs are privileged accounts used to run services and applications. The creation of these accounts should typically be restricted to a small set of administrators. When a user outside of this group creates a DMSA, it could indicate malicious activity such as privilege escalation, lateral movement from a compromised account, or an insider threat. This detection aims to identify unusual DMSA creation events, helping security teams quickly investigate and respond to potential security breaches. The rule is based on identifying deviations from the norm in terms of who is creating these accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a low-privilege user account, possibly through phishing or password compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify potential privilege escalation paths within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to create a DMSA using tools like \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e PowerShell cmdlet or AD management tools.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created DMSA to gain elevated privileges within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised DMSA to access sensitive resources or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may install malware or backdoors on critical systems using the DMSA credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform lateral movement to compromise additional systems and escalate privileges further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DMSA creation by an unauthorized user can lead to significant privilege escalation within the Active Directory domain. This can provide attackers with administrative control over critical systems and data, enabling them to steal sensitive information, disrupt services, and potentially deploy ransomware across the entire organization. The scope of the attack can be broad, potentially affecting all systems and users within the domain.\u003c/p\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-dmsa-privesc/","summary":"Detection of a Domain Managed Service Account (DMSA) creation event by a user that typically does not perform this administrative task, potentially indicating privilege escalation or account compromise.","title":"Suspicious Domain Managed Service Account Creation by Unusual User","url":"https://feed.craftedsignal.io/briefs/2024-01-dmsa-privesc/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows Server","Active Directory"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","active-directory","bad-successor","dmsa"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe observed activity involves the suspicious creation of a Delegated Managed Service Account (dMSASvc) using the \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet within specific, targeted Organizational Units (OUs) in Windows Server 2025 Active Directory environments. This pattern is strongly associated with attempts to exploit the BadSuccessor vulnerability, a privilege escalation technique. The creation of a DMSA account in a specific OU, especially by a user without legitimate administrative privileges, raises significant concerns. This activity, first highlighted in late 2025, signifies an attacker attempting to gain elevated permissions within the Active Directory domain by abusing the delegation capabilities of DMSA accounts. Defenders should closely monitor for this behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to a system within the target domain is achieved, potentially through compromised credentials or exploiting a separate vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell (powershell.exe or pwsh.exe) to execute commands.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet is invoked with the \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e-Path\u003c/code\u003e parameter specifies a target Organizational Unit (OU) within the Active Directory. The specific OU is often chosen based on its existing permissions and delegation configurations.\u003c/li\u003e\n\u003cli\u003eThe command attempts to create a new dMSASvc account within the specified OU.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains control over the newly created dMSASvc account.\u003c/li\u003e\n\u003cli\u003eThe attacker misuses the delegation rights associated with the dMSASvc account to impersonate other users or services.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and achieves lateral movement within the Active Directory environment, potentially gaining domain administrator access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the BadSuccessor vulnerability can lead to complete domain compromise. Attackers can gain control of sensitive accounts, access confidential data, and disrupt critical business operations. The Akamai report highlights the potential for widespread damage, and the focus on Windows Server 2025 indicates a modern attack targeting recent infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;New DMSA Service Account Created in Specific OUs\u0026quot; to your SIEM to detect suspicious DMSA creation activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation logs for PowerShell execution involving the \u003ccode\u003eNew-ADServiceAccount\u003c/code\u003e cmdlet and the \u003ccode\u003e-CreateDelegatedServiceAccount\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict Active Directory permissions to prevent unauthorized DMSA account creation.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any identified instances of unauthorized DMSA account creation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T15:00:00Z","date_published":"2024-01-08T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/","summary":"The creation of a new Delegated Managed Service Account (DMSA) within specific Organizational Units (OUs) using the New-ADServiceAccount cmdlet is indicative of potential BadSuccessor privilege escalation attempts in Windows Server 2025 Active Directory environments.","title":"Creation of New DMSA Service Account Potentially Exploiting BadSuccessor Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/"}],"language":"en","title":"CraftedSignal Threat Feed - Dmsa","version":"https://jsonfeed.org/version/1.1"}