Bad Successor Detection
Query
// BadSuccessor Detection
// Abusing dMSA to escalate privileges in Active Directory
// https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
let QueryPeriod = 1h;
let dMSARegKey = dynamic(["DelegatedMSAEnabled"]);
let dMSAMonitor =
SecurityEvent
| where TimeGenerated > ago(QueryPeriod)
| where EventID == 307 or // dMSA Migration
EventID == 308 or // dMSA Permission Add
EventID == 309; // dMSA Key Fetch
DeviceRegistryEvents
| where TimeGenerated > ago(QueryPeriod)
| where ActionType == @"RegistryKeyCreated" or ActionType == @"RegistryValueSet"
| where RegistryKey has_any(dMSARegKey)
| union dMSAMonitorExplanation
This query is designed to detect potential abuse of Delegated Managed Service Accounts (dMSA) in Active Directory, which could be used for privilege escalation. Here's a simple breakdown of what the query does:
-
Define a Time Frame: It looks at events that occurred within the last hour (
QueryPeriod = 1h). -
Identify Relevant Registry Keys: It focuses on registry keys related to dMSA, specifically those that have "DelegatedMSAEnabled".
-
Monitor Security Events: It checks for specific security events (Event IDs 307, 308, and 309) that are related to dMSA activities:
- Event ID 307: dMSA Migration
- Event ID 308: dMSA Permission Add
- Event ID 309: dMSA Key Fetch
-
Monitor Registry Changes: It also looks for registry changes, specifically when a registry key is created or a registry value is set, and checks if these changes involve the dMSA-related registry keys.
-
Combine Results: The query combines the results from monitoring security events and registry changes to provide a comprehensive view of potential dMSA abuse activities within the specified time frame.
Overall, this query helps in identifying suspicious activities that might indicate an attempt to escalate privileges in Active Directory by abusing dMSA.
Details

Steven Lim
Released: May 22, 2025
Tables
Keywords
Operators