
Delegated Managed Service Account Modification by an Unusual User

Elastic Detection Rules

Summary
This detection rule monitors for modifications of the msDS-ManagedAccountPrecededByLink attribute on a delegated managed service account (dMSA) performed by unusual user accounts. Attackers abuse this attribute to usurp the privileges of the target account it links to, enabling further privilege escalation. The rule uses logs from Windows systems and expresses its logic in KQL (Kusto Query Language). Matching events are rated high risk, since they indicate a possible unauthorized change that could lead to privilege escalation. The investigation guidance advises verifying that the modifying user was authorized to make the change, analyzing the affected accounts, and taking remedial action such as disabling accounts and coordinating with security teams. The rule maps to MITRE ATT&CK tactics and techniques for account manipulation and abuse of valid accounts.
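The following is an added illustration of the detection idea above, not the Elastic rule's own query. It assumes the input is a simplified rendering of Windows Security event 5136 (directory service object modified) with the field names shown, that the dMSA object class is msDS-DelegatedManagedServiceAccount, and that an allowlist of accounts expected to manage dMSA migration exists; all sample events are constructed.

```python
"""Flag msDS-ManagedAccountPrecededByLink changes on a dMSA made by an
account outside an allowlist. Added example; field names and the
allowlist are assumptions for this page, and the events are constructed."""
from dataclasses import dataclass

TARGET_ATTRIBUTE = "msDS-ManagedAccountPrecededByLink"
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
DS_OBJECT_MODIFIED = 5136  # Windows Security event id for directory object changes

# Assumption: accounts that legitimately perform dMSA migration in this domain.
EXPECTED_MODIFIERS = {"CORP\\svc-dmsa-migration", "CORP\\tier0-admin"}

DMSA_DN = "CN=web-dmsa,CN=Managed Service Accounts,DC=corp,DC=local"
LINK_VALUE = "CN=Domain Admins,CN=Users,DC=corp,DC=local"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # expected migration account sets the link: benign
    {"event_id": 5136, "subject_user": "CORP\\svc-dmsa-migration", "object_class": DMSA_CLASS,
     "object_dn": DMSA_DN, "attribute": TARGET_ATTRIBUTE, "operation": "Value Added", "value": LINK_VALUE},
    # unexpected user sets the link: this is the case the rule targets
    {"event_id": 5136, "subject_user": "CORP\\jdoe", "object_class": DMSA_CLASS,
     "object_dn": DMSA_DN, "attribute": TARGET_ATTRIBUTE, "operation": "Value Added", "value": LINK_VALUE},
    # unexpected user, but an unrelated attribute: ignore
    {"event_id": 5136, "subject_user": "CORP\\jdoe", "object_class": DMSA_CLASS,
     "object_dn": DMSA_DN, "attribute": "description", "operation": "Value Added", "value": "web tier"},
    # same attribute name but a different event type: ignore
    {"event_id": 4662, "subject_user": "CORP\\jdoe", "object_class": DMSA_CLASS,
     "object_dn": DMSA_DN, "attribute": TARGET_ATTRIBUTE, "operation": "Value Added", "value": LINK_VALUE},
]


@dataclass(frozen=True)
class Alert:
    actor: str
    target_dn: str
    operation: str
    linked_value: str


def detect(events, expected=EXPECTED_MODIFIERS):
    """Return one Alert per dMSA predecessor-link change by a non-allowlisted actor."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != DS_OBJECT_MODIFIED:
            continue
        if ev.get("object_class") != DMSA_CLASS or ev.get("attribute") != TARGET_ATTRIBUTE:
            continue
        actor = ev.get("subject_user", "")
        if actor in expected:
            continue  # expected administrator; tune this list per environment
        alerts.append(Alert(actor, ev.get("object_dn", ""), ev.get("operation", ""), ev.get("value", "")))
    return alerts
```

Event 5136 is only emitted when the "Audit Directory Service Changes" subcategory is enabled and the object carries a matching audit SACL, so check that prerequisite before relying on this logic.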
Categories
  • Endpoint
  • Windows
  • Identity Management
  • Cloud
Data Sources
  • Active Directory
  • Windows Registry
ATT&CK Techniques
  • T1078
  • T1078.002
  • T1098
Created: 2025-05-23