<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dmsa - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/dmsa/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 31 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/dmsa/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential DMSA Abuse for Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2024-01-31-dmsa-abuse/</link><pubDate>Wed, 31 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-31-dmsa-abuse/</guid><description>Detection of potential abuse of Default Message Security Agent (DMSA) for privilege escalation on Windows systems, based on registry modifications.</description><content:encoded><![CDATA[<p>This brief addresses the potential for privilege escalation on Windows systems through the abuse of the Default Message Security Agent (DMSA). While the specific exploit details are not provided in this source, it's important to monitor for suspicious registry modifications related to DMSA that could indicate an attempt to elevate privileges. The observed behavior involves changes to registry keys associated with DMSA, potentially redirecting or modifying its execution path to inject malicious code. Defenders should be aware of any unauthorized modifications to DMSA-related registry settings as these could lead to complete system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the system (details not specified).</li>
<li>Attacker identifies the DMSA registry keys used to control the execution path.</li>
<li>Attacker modifies the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSAgent</code> to point to a malicious executable.</li>
<li>The malicious executable is crafted to perform privileged actions.</li>
<li>The attacker triggers the DMSA service, either directly or indirectly through a system event.</li>
<li>The DMSA service executes the malicious executable with elevated privileges.</li>
<li>The attacker gains control of the system with the privileges of the DMSA service account.</li>
<li>The attacker performs further actions such as installing backdoors or exfiltrating data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of DMSA can lead to complete system compromise. An attacker who successfully escalates privileges can gain full control of the affected machine, allowing them to install malware, steal sensitive data, or disrupt critical services. Given the potential for widespread impact, proactive monitoring and detection of suspicious DMSA activity are essential for maintaining the security and integrity of Windows environments.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>windows</category><category>dmsa</category></item><item><title>Suspicious Domain Managed Service Account Creation by Unusual User</title><link>https://feed.craftedsignal.io/briefs/2024-01-dmsa-privesc/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-dmsa-privesc/</guid><description>Detection of a Domain Managed Service Account (DMSA) creation event by a user that typically does not perform this administrative task, potentially indicating privilege escalation or account compromise.</description><content:encoded><![CDATA[<p>This alert focuses on detecting anomalous creation of Domain Managed Service Accounts (DMSAs) within a Windows environment. DMSAs are privileged accounts used to run services and applications. The creation of these accounts should typically be restricted to a small set of administrators. When a user outside of this group creates a DMSA, it could indicate malicious activity such as privilege escalation, lateral movement from a compromised account, or an insider threat. This detection aims to identify unusual DMSA creation events, helping security teams quickly investigate and respond to potential security breaches. The rule is based on identifying deviations from the norm in terms of who is creating these accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a low-privilege user account, possibly through phishing or password compromise.</li>
<li>The attacker performs reconnaissance to identify potential privilege escalation paths within the domain.</li>
<li>The attacker attempts to create a DMSA using tools like <code>New-ADServiceAccount</code> PowerShell cmdlet or AD management tools.</li>
<li>The attacker leverages the newly created DMSA to gain elevated privileges within the network.</li>
<li>The attacker uses the compromised DMSA to access sensitive resources or systems.</li>
<li>The attacker may install malware or backdoors on critical systems using the DMSA credentials.</li>
<li>The attacker may then perform lateral movement to compromise additional systems and escalate privileges further.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful DMSA creation by an unauthorized user can lead to significant privilege escalation within the Active Directory domain. This can provide attackers with administrative control over critical systems and data, enabling them to steal sensitive information, disrupt services, and potentially deploy ransomware across the entire organization. The scope of the attack can be broad, potentially affecting all systems and users within the domain.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>active-directory</category><category>dmsa</category></item><item><title>Creation of New DMSA Service Account Potentially Exploiting BadSuccessor Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/</link><pubDate>Mon, 08 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-08-bad-successor-dmsa/</guid><description>The creation of a new Delegated Managed Service Account (DMSA) within specific Organizational Units (OUs) using the New-ADServiceAccount cmdlet is indicative of potential BadSuccessor privilege escalation attempts in Windows Server 2025 Active Directory environments.</description><content:encoded><![CDATA[<p>The observed activity involves the suspicious creation of a Delegated Managed Service Account (dMSASvc) using the <code>New-ADServiceAccount</code> cmdlet within specific, targeted Organizational Units (OUs) in Windows Server 2025 Active Directory environments. This pattern is strongly associated with attempts to exploit the BadSuccessor vulnerability, a privilege escalation technique. The creation of a DMSA account in a specific OU, especially by a user without legitimate administrative privileges, raises significant concerns. This activity, first highlighted in late 2025, signifies an attacker attempting to gain elevated permissions within the Active Directory domain by abusing the delegation capabilities of DMSA accounts. Defenders should closely monitor for this behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to a system within the target domain is achieved, potentially through compromised credentials or exploiting a separate vulnerability.</li>
<li>The attacker leverages PowerShell (powershell.exe or pwsh.exe) to execute commands.</li>
<li>The <code>New-ADServiceAccount</code> cmdlet is invoked with the <code>-CreateDelegatedServiceAccount</code> parameter.</li>
<li>The <code>-Path</code> parameter specifies a target Organizational Unit (OU) within the Active Directory. The specific OU is often chosen based on its existing permissions and delegation configurations.</li>
<li>The command attempts to create a new dMSASvc account within the specified OU.</li>
<li>If successful, the attacker gains control over the newly created dMSASvc account.</li>
<li>The attacker misuses the delegation rights associated with the dMSASvc account to impersonate other users or services.</li>
<li>The attacker escalates privileges and achieves lateral movement within the Active Directory environment, potentially gaining domain administrator access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the BadSuccessor vulnerability can lead to complete domain compromise. Attackers can gain control of sensitive accounts, access confidential data, and disrupt critical business operations. The Akamai report highlights the potential for widespread damage, and the focus on Windows Server 2025 indicates a modern attack targeting recent infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;New DMSA Service Account Created in Specific OUs&quot; to your SIEM to detect suspicious DMSA creation activity and tune for your environment.</li>
<li>Monitor process creation logs for PowerShell execution involving the <code>New-ADServiceAccount</code> cmdlet and the <code>-CreateDelegatedServiceAccount</code> parameter.</li>
<li>Review and restrict Active Directory permissions to prevent unauthorized DMSA account creation.</li>
<li>Investigate and remediate any identified instances of unauthorized DMSA account creation.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>active-directory</category><category>bad-successor</category><category>dmsa</category></item></channel></rss>