Suspicious dMSA Service Account Creation via PowerShell
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Identifies creation of dMSA accounts using PowerShell, potentially indicating privilege escalation or misuse of AD delegation mechanisms.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "PowerShell Script Block Logged" AND (SCRIPTEXECUTED contains "New-ADServiceAccount" AND SCRIPTEXECUTED contains "-CreateDelegatedServiceAccount" AND SCRIPTEXECUTED contains "-path")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED,Action1.DOMAIN,Action1.PATH,Action1.USERNAME
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@Swachchhanda Shrawan Poudel (Nextron Systems)


