high advisory

Potential Shadow Credentials added to AD Object

This rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.

The “Shadow Credentials” attack manipulates the msDS-KeyCredentialLink attribute in Active Directory (AD) to gain unauthorized access to user or computer accounts. An attacker generates a key pair, appends the raw public key to the attribute, and can then authenticate as the target object. The resulting access is persistent and stealthy because it relies on Kerberos key trust account mapping rather than the account's password. The original detection rule was created in January 2022 and last updated in April 2026. Writing the shadow credential requires existing control over the target object, which the attack abuses. Defenders should monitor for modifications to the msDS-KeyCredentialLink attribute, especially those not associated with legitimate Azure AD Connect or ADFS provisioning.

Attack Chain

  1. Initial Access: Attacker gains initial access to a system with sufficient privileges to modify Active Directory objects.
  2. Discovery: The attacker identifies a target user or computer object within Active Directory to compromise.
  3. Credential Access: The attacker generates a new key pair.
  4. Privilege Escalation: The attacker modifies the msDS-KeyCredentialLink attribute of the target object to include the attacker’s public key. This requires write access to the target object.
  5. Persistence: The attacker uses the private key to authenticate as the target object, bypassing normal authentication mechanisms.
  6. Lateral Movement: The attacker uses the compromised account to move laterally within the network, accessing resources and systems.
  7. Impact: The attacker achieves their objective, such as data exfiltration, system compromise, or further privilege escalation.

Impact

Successful exploitation allows attackers to maintain persistent and stealthy access to Active Directory objects, potentially compromising sensitive accounts and resources. Shadow Credentials can be used to bypass multi-factor authentication and other security controls, leading to significant data breaches or system-wide compromises. Without proper monitoring and alerting, these attacks can remain undetected for extended periods.

Recommendation

  • Enable and monitor Windows Security Event Logs, specifically event ID 5136 (directory service object modified), for modifications to the msDS-KeyCredentialLink attribute.
  • Deploy the provided Sigma rule to your SIEM to detect suspicious modifications to the msDS-KeyCredentialLink attribute, and tune for your environment.
  • Implement strict access controls and auditing on Active Directory objects, particularly those with sensitive privileges, to prevent unauthorized modifications.
  • Investigate any alerts generated by the Sigma rule by examining the winlog.event_data.ObjectDN, winlog.event_data.SubjectUserName, and winlog.event_data.AttributeValue fields to determine the legitimacy of the changes.
  • Follow the triage and analysis steps in the rule’s note field to investigate alerts.

Detection coverage (2 rules)

Potential Shadow Credentials added to AD Object

high

Detects modifications to the msDS-KeyCredentialLink attribute in Active Directory objects, indicative of potential shadow credential attacks.

Format: sigma | Tactics: credential_access | Techniques: T1098, T1556 | Sources: registry_set, windows

AD Object Modified with msDS-KeyCredentialLink Containing Suspicious Data

high

Detects the addition of base64 encoded data within the msDS-KeyCredentialLink attribute, which is a common characteristic of shadow credential attacks.

Format: sigma | Tactics: credential_access | Techniques: T1556 | Sources: process_creation, windows
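The two rules above and the triage steps in the Recommendation section can be exercised offline with the following added example. It is not the vendor's Sigma rule or platform query; it is a minimal Python detector over flattened Windows Security event 5136 records. It assumes the records use the winlog.event_data field names (ObjectDN, SubjectUserName, AttributeValue from the advisory, plus AttributeLDAPDisplayName and OperationType, which are standard 5136 fields), that OperationType %%14674 means "Value Added" (verify in your environment), and that the allowlisted provisioning account names are placeholders to be replaced with your own Azure AD Connect / ADFS service accounts. All sample events are constructed.

```python
"""Added example: flag msDS-KeyCredentialLink additions in event 5136 records.

Not the vendor's rule. Field names mirror winlog.event_data.* of event 5136;
the allowlist and sample events are constructed placeholders.
"""
import base64
import re

TARGET_ATTRIBUTE = "msDS-KeyCredentialLink"
# Event 5136 OperationType codes (assumed mapping; confirm against your DCs).
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"

# Accounts that legitimately write the attribute during Azure AD Connect / ADFS
# provisioning. PLACEHOLDER names: replace with the real service accounts.
ALLOWLISTED_SUBJECTS = {"MSOL_PLACEHOLDER", "svc-adfs-placeholder"}

RULE_ADDED = "Potential Shadow Credentials added to AD Object"
RULE_SUSPICIOUS_DATA = "AD Object Modified with msDS-KeyCredentialLink Containing Suspicious Data"

_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_base64(value, min_len=64):
    """Heuristic for the second rule: a long, well-formed base64 payload."""
    if len(value) < min_len or not _B64_RE.fullmatch(value):
        return False
    try:
        base64.b64decode(value, validate=True)  # raises binascii.Error (a ValueError) on bad input
        return True
    except ValueError:
        return False


def evaluate(event):
    """Return the list of rule names that fire for one 5136 event ([] if none)."""
    hits = []
    if str(event.get("EventID")) != "5136":
        return hits
    if event.get("AttributeLDAPDisplayName") != TARGET_ATTRIBUTE:
        return hits
    # Only an added value introduces a new key credential; deletions are not the persistence signal.
    if event.get("OperationType") != VALUE_ADDED:
        return hits
    if event.get("SubjectUserName", "") in ALLOWLISTED_SUBJECTS:
        return hits  # expected provisioning traffic; tune this set per environment
    hits.append(RULE_ADDED)
    if looks_base64(event.get("AttributeValue", "")):
        hits.append(RULE_SUSPICIOUS_DATA)
    return hits


def triage(events):
    """Collect the fields the advisory tells an analyst to examine for each hit."""
    findings = []
    for ev in events:
        for rule in evaluate(ev):
            findings.append({
                "rule": rule,
                "ObjectDN": ev.get("ObjectDN"),
                "SubjectUserName": ev.get("SubjectUserName"),
                "AttributeValue": ev.get("AttributeValue", "")[:32],
            })
    return findings


# Constructed sample events (not real log data).
_BASE = {"EventID": 5136, "AttributeLDAPDisplayName": TARGET_ATTRIBUTE,
         "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=example"}
SAMPLE_EVENTS = [
    # 1. Ordinary user adds a base64-looking blob: both rules fire.
    dict(_BASE, SubjectUserName="jdoe", OperationType=VALUE_ADDED,
         AttributeValue=base64.b64encode(b"\x00" * 64).decode()),
    # 2. Allowlisted provisioning account: no alert.
    dict(_BASE, SubjectUserName="MSOL_PLACEHOLDER", OperationType=VALUE_ADDED,
         AttributeValue=base64.b64encode(b"\x00" * 64).decode()),
    # 3. Value removed rather than added: no alert.
    dict(_BASE, SubjectUserName="jdoe", OperationType=VALUE_DELETED,
         AttributeValue=base64.b64encode(b"\x00" * 64).decode()),
    # 4. Unrelated attribute on the same object: no alert.
    dict(_BASE, SubjectUserName="jdoe", OperationType=VALUE_ADDED,
         AttributeLDAPDisplayName="servicePrincipalName", AttributeValue="HOST/srv01"),
    # 5. Added value that is not base64-shaped: only the first rule fires.
    dict(_BASE, SubjectUserName="jdoe", OperationType=VALUE_ADDED,
         AttributeValue="B:828:00020000200001:CN=SRV01,OU=Servers,DC=corp,DC=example"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is the tuning knob the Recommendation section refers to: keep it to the specific provisioning identities, and review every hit by the ObjectDN, SubjectUserName and AttributeValue it records rather than by the subject alone, since control of a privileged account is exactly what the attack presupposes.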

Detection queries are kept inside the platform.