
Summary
This rule detects the creation of a delegated Managed Service Account (dMSA) with the New-ADServiceAccount PowerShell cmdlet, specifically when the -CreateDelegatedServiceAccount and -path parameters are used together to place the account in a designated OU.

Creating a dMSA in a controlled OU can be legitimate, but the combination of the delegated-service-account flag with an explicit target OU is highly suspicious because it can enable privilege escalation or persistence, particularly in the Windows Server 2025 BadSuccessor abuse patterns.

The detection logic requires the PowerShell ScriptBlock to contain all of the following tokens: New-ADServiceAccount, -CreateDelegatedServiceAccount, and -path. Together they indicate an automated, potentially attack-time operation rather than routine administrative work.

The rule is marked as experimental and is aligned with indicators of credential abuse, privilege escalation, and persistence in Active Directory environments. References point to exploitation patterns around the BadSuccessor vulnerability. The rule operates on Windows PowerShell script content (ps_script) and is tuned to flag suspicious AD service account provisioning that could later be leveraged for unauthorized access or privilege escalation.
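The "contains all three tokens" condition above, applied to PowerShell Script Block Logging events (Event ID 4104) as an added illustration; this is not the rule's own matching code. The event dictionaries, their field names (RecordId, EventID, ScriptBlockText) and the script blocks inside them are constructed for the example, and the -Path argument extraction is an extra triage step not described by the rule. Matching is done case-insensitively because PowerShell cmdlet and parameter names are case-insensitive, which is an assumption about how the rule's backend compiles the condition.

```python
import re
from typing import Iterable, List, Optional, Tuple

# The three tokens the rule requires in a single PowerShell ScriptBlock
# (token names taken from the rule summary above).
REQUIRED_TOKENS = ("New-ADServiceAccount", "-CreateDelegatedServiceAccount", "-path")

# Captures the argument given to -Path, quoted or bare. Assumption: this
# extraction is added here for triage; it is not part of the rule itself.
_PATH_ARG = re.compile(r'-path\s+(?:"([^"]*)"|\'([^\']*)\'|(\S+))', re.IGNORECASE)


def script_block_matches(script_block: str) -> bool:
    """True when every required token occurs in the script block.

    PowerShell cmdlet and parameter names are case-insensitive, so both
    sides are lowercased before the substring test.  This mirrors the
    'contains all' semantics in the summary; it is an assumption about how
    the rule compiles, not the rule's own code.
    """
    text = script_block.lower()
    return all(tok.lower() in text for tok in REQUIRED_TOKENS)


def target_ou(script_block: str) -> Optional[str]:
    """Pull the -Path argument (the OU the dMSA would be created in), if any."""
    m = _PATH_ARG.search(script_block)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def triage(events: Iterable[dict]) -> List[Tuple[str, Optional[str]]]:
    """Run the rule over script block events and return the hits.

    Each hit is (RecordId, target OU).  Events that are not Script Block
    Logging events (EventID 4104) are skipped.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        block = ev.get("ScriptBlockText", "")
        if script_block_matches(block):
            hits.append((ev["RecordId"], target_ou(block)))
    return hits


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": 4104,
     "ScriptBlockText": 'New-ADServiceAccount -Name "svc-dmsa01" -CreateDelegatedServiceAccount '
                        '-Path "OU=ServiceAccounts,DC=example,DC=local"'},
    # Routine gMSA creation: no delegated flag, no target OU -> should not fire.
    {"RecordId": "2", "EventID": 4104,
     "ScriptBlockText": 'New-ADServiceAccount -Name "gmsa-sql" -DNSHostName "sql01.example.local" '
                        '-PrincipalsAllowedToRetrieveManagedPassword "sql01$"'},
    {"RecordId": "3", "EventID": 4104,
     "ScriptBlockText": "Get-ADServiceAccount -Filter * | Select-Object Name"},
    # Same operation typed in lower case with a bare (unquoted) -path value.
    {"RecordId": "4", "EventID": 4104,
     "ScriptBlockText": "new-adserviceaccount -name 'dmsa02' -createdelegatedserviceaccount "
                        "-path OU=Temp,DC=example,DC=local"},
    # Right tokens but the wrong event type; the rule only reads script blocks.
    {"RecordId": "5", "EventID": 4103,
     "ScriptBlockText": "New-ADServiceAccount -CreateDelegatedServiceAccount -Path x"},
]

if __name__ == "__main__":
    for record_id, ou in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: dMSA creation targeting {ou}")
```

Records 1 and 4 are the only hits; record 2 shows that ordinary gMSA provisioning through the same cmdlet does not trigger the rule, which is the main false-positive boundary an analyst needs to understand before tuning it. The extracted OU gives the reviewer something to compare against the list of OUs where dMSA creation is expected.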
Categories
- Windows
- Endpoint
Data Sources
- Script
Created: 2025-05-24