IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Delegated Managed Service Account Modification by an Unusual User AWS Access Token Used from Multiple Addresses »

› ›

dMSA Account Creation by an Unusual User

edit

A newer version is available. Check out the latest documentation.

dMSA Account Creation by an Unusual User

edit

Detects the creation of a delegated Managed Service Account by an unusual subject account. Attackers can abuse the dMSA account migration feature to elevate privileges abusing weak persmission allowing users child objects rights or msDS-DelegatedManagedServiceAccount rights.

Rule type: new_terms

Rule indices:

winlogbeat-*
logs-system.security*
logs-windows.forwarded*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Data Source: Windows Security Event Logs
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating dMSA Account Creation by an Unusual User

Possible investigation steps

Examine the winlog.event_data.SubjectUserName field and verify if he is allowed and used to create dMSA accounts.
Examine all Active Directory modifications performed by the winlog.event_data.SubjectUserName.
Investigate the history of the identified user account to determine if there are any other suspicious activities or patterns of behavior.
Collaborate with the IT or security team to determine if the changes were authorized or if further action is needed to secure the environment.

False positive analysis

Migration of legacy service accounts using delegated managed service account.

Response and remediation

Immediately disable the winlog.event_data.SubjectUserName account and revert all changes performed by that account.
Identify and isolate the source machines from where the SubjectUserName is authenticating.
Reset passwords for all accounts that were potentially affected or had their permissions altered, focusing on privileged accounts to prevent adversaries from regaining access.
Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach, including identifying any other compromised systems or accounts.
Review and update access control policies and security configurations to prevent similar attacks, ensuring that only authorized personnel have the ability to modify critical Active Directory objects or create OU child objects.

Rule query

edit

event.code:5137 and winlog.event_data.ObjectClass:"msDS-DelegatedManagedServiceAccount"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Domain Accounts
- ID: T1078.002
- Reference URL: https://attack.mitre.org/techniques/T1078/002/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/

« Delegated Managed Service Account Modification by an Unusual User AWS Access Token Used from Multiple Addresses »