dMSA Account Creation by an Unusual User

Elastic Detection Rules

Summary
This rule detects the creation of a delegated Managed Service Account (dMSA) by unusual or unauthorized user accounts, activity that can indicate an attempted privilege escalation in a Windows Active Directory environment. Attackers may abuse the dMSA account migration feature to gain elevated rights, particularly through weak permissions on child objects or specific permissions associated with msDS-DelegatedManagedServiceAccount. The rule uses KQL to query Windows security events, matching event code 5137 for dMSA objects, and applies to logs from sources such as winlogbeat and system security logs. Its investigation guidance directs analysts to confirm whether the account that created the dMSA has legitimate rights to do so and to query that account's history of other directory modifications. The rule carries a high severity and risk score, so any detection should lead to immediate containment: disabling the suspicious account, reverting the changes, and escalating the incident for further investigation. The rule maps to the MITRE ATT&CK techniques for account manipulation and valid accounts, reinforcing the need for consistent monitoring and control over Active Directory changes.
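As an added illustration of the detection logic the summary describes (this is not Elastic's rule and not real telemetry), the following Python applies the same conditions, event code 5137 with a dMSA object class, to constructed winlogbeat-style log lines and flags creations by accounts outside an assumed allowlist of expected creators. The field names, the allowlist and the sample events are assumptions made for this example.

```python
import json

# Field names follow winlogbeat's ECS mapping of Security event 5137 ("A directory
# service object was created"); the mapping, the allowlist and the events below are
# assumptions constructed for this example, not Elastic's rule or real telemetry.
DMSA_CLASS = "msds-delegatedmanagedserviceaccount"
# Identities expected to create dMSAs (hypothetical). This allowlist is the tuning
# point that turns "a dMSA was created" into "a dMSA was created by an unusual user".
EXPECTED_CREATORS = {"corp\\svc-adprovision"}
MSA_OU = "CN=Managed Service Accounts,DC=corp,DC=local"


def _event(code, user, obj_class, dn):
    """Build one constructed winlogbeat-style JSON log line (domain fixed to CORP)."""
    return json.dumps({"event": {"code": code},
                       "winlog": {"event_data": {"SubjectDomainName": "CORP",
                                                 "SubjectUserName": user,
                                                 "ObjectClass": obj_class,
                                                 "ObjectDN": dn}}})


SAMPLE_LINES = [
    # provisioning account creating a dMSA: expected, no alert
    _event("5137", "svc-adprovision", "msDS-DelegatedManagedServiceAccount", f"CN=web-dmsa01,{MSA_OU}"),
    # ordinary user creating a dMSA: the case the rule is meant to surface
    _event("5137", "j.smith", "msDS-DelegatedManagedServiceAccount", f"CN=rogue-dmsa,{MSA_OU}"),
    # same user creating a computer object: event 5137, but not a dMSA
    _event("5137", "j.smith", "computer", "CN=WS042,CN=Computers,DC=corp,DC=local"),
    # attribute modification (5136) of a dMSA: a different event, out of scope here
    _event("5136", "j.smith", "msDS-DelegatedManagedServiceAccount", f"CN=web-dmsa01,{MSA_OU}"),
]


def is_dmsa_creation(event):
    """True for event 5137 whose created object class is a dMSA (case-insensitive)."""
    data = event.get("winlog", {}).get("event_data", {})
    return (str(event.get("event", {}).get("code")) == "5137"
            and data.get("ObjectClass", "").lower() == DMSA_CLASS)


def creator_of(event):
    """Acting account as domain\\user, lower-cased so allowlist matching is case-insensitive."""
    data = event["winlog"]["event_data"]
    return f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}".lower()


def find_unusual_dmsa_creations(lines, expected_creators=EXPECTED_CREATORS):
    """Return (creator, object DN) for every dMSA creation by an account not on the allowlist."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_dmsa_creation(event) and creator_of(event) not in expected_creators:
            hits.append((creator_of(event), event["winlog"]["event_data"]["ObjectDN"]))
    return hits
```

Only the dMSA creation by j.smith is returned; the provisioning account's creation, the computer-object creation and the 5136 modification are all filtered out, which is the same narrowing the KQL rule performs before an analyst ever sees the alert.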
Categories
  • Endpoint
  • Windows
  • Infrastructure
  • Identity Management
Data Sources
  • Active Directory
  • Windows Registry
ATT&CK Techniques
  • T1078
  • T1078.002
  • T1098
Created: 2025-05-23