Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Hour
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Analytics
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An attacker might abuse a dMSA (delegated Managed Service Account) to escalate privileges.
Attacker's Goals
Attackers may leverage the dMSA account migration process to escalate privileges: a dMSA that is linked as the successor of an existing account inherits that account's privileges once the migration is treated as complete, so an attacker who can create or modify a dMSA object can point it at a privileged account.
Investigative actions
- Confirm that the user is authorized to create and modify dMSA accounts in the domain.
- Verify that the user legitimately holds permissions (such as CreateChild or GenericAll) on the OU under which the dMSA account was created.
- Validate that the dMSA account belongs under the OU that appears in the log (look the OU up by its GUID).
- Verify that the account the dMSA supersedes is one that should have been superseded; a dMSA pointing at a privileged account (a Domain Admin, a domain controller computer account, or krbtgt) is the primary indicator of abuse.
- Use the GUID of the dMSA object to retrieve the account itself (the same GUID also appears in the computer account creation event, Windows Security event ID 4741).
- Check which account is superseded by reading the 'msDS-ManagedAccountPrecededByLink' attribute of the dMSA object.
- Investigate the host that initiated the dMSA account migration process for malicious activity.
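The following PowerShell script walks through the investigative steps above on a domain controller or a host with RSAT. It is an added example and is not part of the original alert documentation or of any vendor tooling. It assumes the RSAT ActiveDirectory module is available, that the investigator can read the domain, and that the dMSA object GUID has been copied from the alert into the placeholder `$DmsaGuid`. The attribute names `msDS-ManagedAccountPrecededByLink` and `msDS-DelegatedMSAState` are the real schema attributes; the interpretation of state value 2 as "migration completed" follows Microsoft's dMSA documentation.

```powershell
# Added investigation helper for the dMSA migration alert (example code, not the
# original page's or vendor's own). Assumes RSAT ActiveDirectory and domain read access.
Import-Module ActiveDirectory

# Assumption: GUID of the dMSA object, copied from the alert (placeholder value).
$DmsaGuid = '00000000-0000-0000-0000-000000000000'

# Step 1: resolve the dMSA object by GUID and read the migration-related attributes.
$dmsa = Get-ADObject -Identity $DmsaGuid -Properties `
    'msDS-ManagedAccountPrecededByLink', 'msDS-DelegatedMSAState', `
    'msDS-GroupMSAMembership', 'whenCreated', 'objectClass', 'sAMAccountName'

if ($dmsa.objectClass -ne 'msDS-DelegatedManagedServiceAccount') {
    Write-Warning "Object $DmsaGuid is of class $($dmsa.objectClass), not a dMSA."
}

# Step 2: which account does this dMSA claim to supersede, and is the migration
# marked complete? (msDS-DelegatedMSAState 2 = migration completed.)
$preceded = $dmsa.'msDS-ManagedAccountPrecededByLink'
$state    = $dmsa.'msDS-DelegatedMSAState'

[pscustomobject]@{
    dMSA       = $dmsa.DistinguishedName
    Created    = $dmsa.whenCreated
    State      = $state
    Supersedes = $preceded
} | Format-List

if ($preceded) {
    # A protected account (adminCount=1), a DC computer account or krbtgt as the
    # superseded target is the red flag for privilege escalation via migration.
    $target = Get-ADObject -Identity $preceded -Properties adminCount, objectClass, sAMAccountName
    if ($target.adminCount -eq 1 -or $target.sAMAccountName -eq 'krbtgt') {
        Write-Warning "dMSA '$($dmsa.sAMAccountName)' supersedes a privileged account: $preceded"
    }
    if ($state -eq 2) {
        Write-Warning "Migration is marked completed; the dMSA now inherits the target's privileges."
    }
}

# Step 3: confirm the parent container and list who can create children or take
# control of it. The all-zero ObjectType GUID means the ACE applies to any child class.
$parentDn = ($dmsa.DistinguishedName -split ',', 2)[1]
$parent   = Get-ADObject -Identity $parentDn
"Parent container: $($parent.DistinguishedName) (GUID $($parent.ObjectGUID))"

$acl = Get-Acl -Path "AD:\$parentDn"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|WriteDacl|WriteOwner'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# Step 4: on the domain controller, find the creation event (4741, "A computer
# account was created") for this dMSA to identify the creating user and origin.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4741 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($dmsa.sAMAccountName) }
$events | Select-Object TimeCreated, Id, Message | Format-List
```

Compare the `IdentityReference` values from step 3 against the user named in the alert: a low-privileged principal holding CreateChild on the OU is what makes the migration abuse possible, and the 4741 event from step 4 gives the subject account and the creation time to pivot from when investigating the originating host.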