title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
id: 352a918a-34d8-4882-8470-44830c507aa3
status: test
description: |
    Detects when an instance identity has taken an action that isn't inside SSM.
    This can indicate that a compromised EC2 instance is being used as a pivot point.
references:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html
    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/
    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.t1078.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.arn|re: '.+:assumed-role/aws:.+'
    filter_main_generic:
        - eventSource: 'ssm.amazonaws.com'
        - eventName: 'RegisterManagedInstance'
        - sourceIPAddress: 'AWS Internal'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services
level: high

title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'powershell_ise.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
status: test
description: Detect remote login by Administrator user (depending on internal pattern).
references:
    - https://car.mitre.org/wiki/CAR-2016-04-005
author: juju4
date: 2017-10-29
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - attack.t1078.002
    - attack.t1078.003
    - car.2016-04-005
logsource:
    product: windows
    service: security
    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
    selection:
        EventID: 4624
        LogonType: 10
        AuthenticationPackageName: Negotiate
        TargetUserName|startswith: 'Admin'
    condition: selection
falsepositives:
    - Legitimate administrative activity.
level: low

title: DMSA Link Attributes Modified
id: 9b111d8e-92e0-4153-88bc-daefc1333aba
related:
    - id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
      type: similar
status: experimental
description: |
    Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
    This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: ps_script
    product: windows
detection:
    selection:
        ScriptBlockText|contains|all:
            - '.Put("msDS-ManagedAccountPrecededByLink'
            - 'CN='
    condition: selection
falsepositives:
    - Legitimate administrative tasks modifying these attributes.
level: low