DMSA Link Attributes Modified (9b111d8e-92e0-4153-88bc-daefc1333aba)

Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command-line pattern could indicate an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) | Attack Pattern | DMSA Link Attributes Modified (9b111d8e-92e0-4153-88bc-daefc1333aba) | Sigma-Rules | 1 |
| Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | DMSA Link Attributes Modified (9b111d8e-92e0-4153-88bc-daefc1333aba) | Sigma-Rules | 1 |
| Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) | Attack Pattern | Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | 2 |