
New DMSA Service Account Created in Specific OUs

Sigma Rules

Summary
This detection alerts on the creation of a domain Managed Service Account (dMSA) through the New-ADServiceAccount cmdlet when it is invoked with -CreateDelegatedServiceAccount and -path, i.e. when the new account is placed in a specific OU. It triggers on Windows process creation events in which a PowerShell host (powershell.exe, pwsh.exe or powershell_ise.exe) runs a command line containing the New-ADServiceAccount call together with -CreateDelegatedServiceAccount and -path. All selection criteria (the process image or original file name and the command-line content) must be met for the rule to fire.

The pattern is treated as highly suspicious because it signals possible abuse of delegated service account creation in Active Directory, which can be leveraged for privilege escalation or persistence; the rule description frames it in the context of exploiting the BadSuccessor vulnerability in Windows Server 2025. The -path parameter is what scopes the rule to specific OUs. The rule is categorized under Windows process creation events, is labeled experimental, and carries a medium severity level; false positives are listed as unknown. It is designed to help detect attempts to create dMSA accounts in privileged contexts, which can be a step in privilege escalation or persistence campaigns against Active Directory environments.
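The selection logic described above, reproduced as an added Python example that is not part of the Sigma rule or the page; it evaluates the rule's two conditions (PowerShell host by image or original file name, and a command line containing all three required substrings) over constructed process-creation events. The event dictionaries, their field names (Image, OriginalFileName, CommandLine, EventId) and the sample paths and OU names are assumptions modelled loosely on Sysmon-style process-creation telemetry, not data from the page.

```python
import ntpath

# Values taken from the rule as summarized on the page.
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Sigma 'contains' matching is case-insensitive, so tokens are kept lowercase.
REQUIRED_CLI_TOKENS = ("new-adserviceaccount", "-createdelegatedserviceaccount", "-path")


def is_powershell_process(event):
    """Either the image basename or the PE OriginalFileName must be a PowerShell host.
    Checking OriginalFileName as well catches a renamed copy of pwsh.exe."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image in POWERSHELL_NAMES or original in POWERSHELL_NAMES


def has_dmsa_creation_cli(event):
    """All three substrings must be present (Sigma 'contains|all' semantics)."""
    cli = event.get("CommandLine", "").lower()
    return all(token in cli for token in REQUIRED_CLI_TOKENS)


def matches(event):
    """Both selections must hold, mirroring the rule's 'all of selection' condition."""
    return is_powershell_process(event) and has_dmsa_creation_cli(event)


def run_detection(events):
    """Return the EventIds of all events that would raise this alert."""
    return [e["EventId"] for e in events if matches(e)]


# Constructed sample events (assumed field layout; not real telemetry).
SAMPLE_EVENTS = [
    {   # dMSA created into a specific OU from powershell.exe -> should alert
        "EventId": "evt-1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -Command New-ADServiceAccount -Name svc_demo "
                       "-DNSHostName svc-demo.corp.example -CreateDelegatedServiceAccount "
                       "-Path 'OU=Servers,DC=corp,DC=example'",
    },
    {   # ordinary gMSA creation without the delegated flag -> no alert
        "EventId": "evt-2",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.exe",
        "CommandLine": "pwsh.exe -Command New-ADServiceAccount -Name gmsa_web "
                       "-DNSHostName web.corp.example -Path 'OU=Servers,DC=corp,DC=example'",
    },
    {   # same command line but not launched by a PowerShell host -> no alert
        "EventId": "evt-3",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c New-ADServiceAccount -CreateDelegatedServiceAccount -Path OU=x",
    },
    {   # renamed pwsh binary; OriginalFileName still identifies it -> should alert
        "EventId": "evt-4",
        "Image": r"C:\Users\Public\updater.exe",
        "OriginalFileName": "pwsh.exe",
        "CommandLine": "updater.exe -NoProfile -Command New-ADServiceAccount -Name svc_x "
                       "-CreateDelegatedServiceAccount -Path 'OU=Tier0,DC=corp,DC=example'",
    },
]

if __name__ == "__main__":
    for event_id in run_detection(SAMPLE_EVENTS):
        print("ALERT: dMSA creation via New-ADServiceAccount in", event_id)
```

The second event shows why the rule demands all three substrings rather than the cmdlet name alone: routine gMSA provisioning also calls New-ADServiceAccount with -Path, and only the -CreateDelegatedServiceAccount switch distinguishes the delegated-account case the rule is after. The fourth event shows the value of matching on OriginalFileName in addition to the image path.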
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Script
  • Command
Created: 2025-05-24