
Summary
This detection targets PowerShell-based modification of the dMSA (delegated Managed Service Account) link attribute msDS-ManagedAccountPrecededByLink. The rule flags ScriptBlockText that contains a Put call setting msDS-ManagedAccountPrecededByLink to a CN= value. This pattern can indicate an attempt to alter AD trust/link relationships, which could be used to leverage the BadSuccessor privilege escalation vulnerability in Windows Server 2025. The rule is categorized under PowerShell script activity and has low severity; legitimate administrative tasks that modify dMSA link attributes can produce false positives.
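The matching condition described above, applied to script block logging events (Event ID 4104), as an added example that is not the rule's own code. The substring set, the function names and the sample events are assumptions constructed for illustration; the example also goes beyond the summary by reassembling fragmented script blocks by ScriptBlockId before matching, since a per-event match can miss a script that was logged in several parts.

```python
from collections import defaultdict

# Assumption: these substrings approximate the "Put call ... with a CN= value"
# condition in the summary; the rule's exact match strings are not on the page.
NEEDLES = (".put(", "msds-managedaccountprecededbylink", "cn=")

def matches(script_text):
    """True when the text contains every needle, case-insensitively."""
    lowered = script_text.lower()
    return all(needle in lowered for needle in NEEDLES)

def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sid: "".join(text for _, text in sorted(frags))
            for sid, frags in parts.items()}

def detect(events):
    """Return the sorted ScriptBlockIds whose reassembled text matches."""
    return sorted(sid for sid, text in reassemble(events).items() if matches(text))

# Constructed sample events (not real logs). IDs, variable names and DNs are
# placeholders, and the fragments are shortened; real splits occur on large scripts.
SAMPLE_EVENTS = [
    # sb-a: write to the link attribute with a DN value -> alert
    {"ScriptBlockId": "sb-a", "MessageNumber": 1, "ScriptBlockText":
     '$d.Put("msDS-ManagedAccountPrecededByLink", "CN=svc-old,OU=Svc,DC=example,DC=test")'},
    # sb-b: read of the attribute only -> no alert
    {"ScriptBlockId": "sb-b", "MessageNumber": 1, "ScriptBlockText":
     '$d.Get("msDS-ManagedAccountPrecededByLink")'},
    # sb-c: Put on an unrelated attribute with a CN= value -> no alert
    {"ScriptBlockId": "sb-c", "MessageNumber": 1, "ScriptBlockText":
     '$u.Put("manager", "CN=Jane Doe,OU=Staff,DC=example,DC=test")'},
    # sb-d: same write as sb-a, logged as two fragments that arrive out of order
    {"ScriptBlockId": "sb-d", "MessageNumber": 2, "ScriptBlockText":
     'PrecededByLink", "CN=svc-old,DC=example,DC=test")'},
    {"ScriptBlockId": "sb-d", "MessageNumber": 1, "ScriptBlockText":
     '$d.put("msds-ManagedAccount'},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Because the match is on substrings alone, any administrative script that writes this attribute also alerts, which is the false-positive source the summary notes.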
Categories
- Windows
Data Sources
- Script
Created: 2025-05-24