{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/adfs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory","Azure AD Connect","ADFS"],"_cs_severities":["high"],"_cs_tags":["credential-access","shadow-credentials","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u0026ldquo;Shadow Credentials\u0026rdquo; attack abuses write access to the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute in Active Directory (AD) to take over user or computer accounts. The attribute holds the public keys that Windows Hello for Business and other key-trust features register for an account. An attacker who controls a target object (GenericWrite, GenericAll or WriteProperty on \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e) generates a key pair, appends a KeyCredential entry carrying the raw public key to the attribute, and then authenticates as the target with Kerberos PKINIT; the domain controller accepts the key through key trust account mapping, so neither a certificate nor the password of the victim is needed. Key trust requires a domain controller that supports it (Windows Server 2016 or later) and a DC certificate usable for PKINIT. The access is persistent and stealthy because existing entries and the account\u0026rsquo;s password are left untouched, and the rogue key survives password resets. The original detection rule was created in January 2022 and last updated in April 2026. 
Defenders should monitor writes to \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e, especially those not made by the Azure AD Connect sync account or other legitimate ADFS and device provisioning.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker obtains a foothold as a domain principal that holds, or can obtain, write access to other AD objects.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates AD ACLs to find a user or computer object on which the controlled principal has GenericWrite, GenericAll or WriteProperty over \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker generates a new key pair; the public half becomes the shadow credential and the private half stays with the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker appends a KeyCredential entry containing the public key to the target\u0026rsquo;s \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute. This requires write permission on that attribute of the target object. Existing entries are left in place, so legitimate Windows Hello for Business keys keep working and nothing breaks for the user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker authenticates as the target with the private key via PKINIT and obtains a Kerberos TGT without knowing the account\u0026rsquo;s password; that TGT can also be used to recover the account\u0026rsquo;s NT hash through Kerberos User-to-User. The key stays valid across password resets until the entry is removed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised account to move laterally within the network, accessing resources and systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, such as data exfiltration, system compromise, or further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives the attacker persistent and stealthy access to the affected user or computer accounts and to every resource those accounts are trusted for. 
Because the attacker authenticates with their own key rather than the victim\u0026rsquo;s password, the access sidesteps password-based controls and survives password resets; only removing the rogue entry from the attribute revokes it. Without proper monitoring and alerting, these attacks can remain undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u0026ldquo;Audit Directory Service Changes\u0026rdquo; subcategory and make sure the relevant objects carry a SACL that audits successful Write Property; without both, event ID 5136 is never generated. Then monitor 5136 events whose \u003ccode\u003eAttributeLDAPDisplayName\u003c/code\u003e is \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e, as described in the rule description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious modifications to the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute, and tune it for your environment (for example by allowlisting the Azure AD Connect sync account).\u003c/li\u003e\n\u003cli\u003eReview and restrict who holds GenericWrite, GenericAll or WriteProperty on \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e for sensitive users and computers, and audit those ACLs regularly; write access to this single attribute is enough to take the account over.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the \u003ccode\u003ewinlog.event_data.ObjectDN\u003c/code\u003e (which object changed), \u003ccode\u003ewinlog.event_data.SubjectUserName\u003c/code\u003e (who changed it), \u003ccode\u003ewinlog.event_data.OperationType\u003c/code\u003e (value added versus value deleted) and \u003ccode\u003ewinlog.event_data.AttributeValue\u003c/code\u003e (the DN-Binary KeyCredential value, whose DeviceId and creation time can be decoded) fields to determine the legitimacy of the change. A write by an ordinary user account, or to a privileged account or server, should be treated as high severity.\u003c/li\u003e\n\u003cli\u003eFollow the triage and analysis steps in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field to investigate alerts.\u003c/li\u003e\n\u003cli\u003eIf a rogue entry is confirmed, remove it from the attribute and investigate the principal that wrote it; resetting the account\u0026rsquo;s password alone does not revoke the shadow credential.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:57:22Z","date_published":"2024-01-03T14:57:22Z","id":"/briefs/2024-01-shadow-credentials/","summary":"This rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.","title":"Potential Shadow Credentials added to AD 
Object","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-credentials/"}],"language":"en","title":"CraftedSignal Threat Feed — ADFS","version":"https://jsonfeed.org/version/1.1"}
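The triage described in the brief's Recommendation section, as an added example that is not the feed's Sigma rule or any CraftedSignal code: it filters constructed Windows Security 5136 records (field names follow the `winlog.event_data.*` names the brief cites, with the `%%14674` / `%%14675` resolved strings for OperationType that Sigma rules match on), decodes the DN-Binary `msDS-KeyCredentialLink` value down to the KeyCredential DeviceId and creation time, and rates writes by anyone outside a provisioning allowlist as high. The allowlisted account name, the DNs and the key material are assumptions made up for the example.

```python
"""Triage Windows Security event 5136 records for msDS-KeyCredentialLink writes."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

ATTR = "msDS-KeyCredentialLink"
OP_VALUE_ADDED, OP_VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType resolved strings
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# KEYCREDENTIALLINK_ENTRY identifiers (MS-ADTS 2.2.20) that are useful for triage.
ENTRY_KEY_ID, ENTRY_DEVICE_ID, ENTRY_CREATION_TIME = 0x01, 0x06, 0x09
# Principals expected to write the attribute, e.g. the Azure AD Connect sync account.
# The name is an assumption for the example; substitute your own provisioning accounts.
ALLOWED_WRITERS = {"MSOL_0f1e2d3c4b5a"}


def parse_dn_binary(value):
    """Split an AD DN-Binary string 'B:<hex char count>:<hex>:<DN>' into (blob, dn)."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("not a well-formed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential(blob):
    """Walk a KEYCREDENTIALLINK_BLOB: u32 version, then (u16 length, u8 id, value) entries."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    out, off = {"version": version}, 4
    while off + 3 <= len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        data = blob[off + 3:off + 3 + length]
        off += 3 + length
        if ident == ENTRY_KEY_ID:
            out["key_id"] = data.hex()
        elif ident == ENTRY_DEVICE_ID:
            out["device_id"] = str(uuid.UUID(bytes_le=data))
        elif ident == ENTRY_CREATION_TIME:
            (ticks,) = struct.unpack("<Q", data)  # FILETIME: 100 ns ticks since 1601-01-01 UTC
            out["created"] = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return out


def triage_5136(events, allowed_writers=ALLOWED_WRITERS):
    """One finding per 'Value Added' write to msDS-KeyCredentialLink. Writers outside the
    allowlist are rated high; the decoded DeviceId and creation time are attached for pivoting."""
    findings = []
    for ev in events:
        d = ev.get("event_data", {})
        if ev.get("event_id") != 5136 or d.get("AttributeLDAPDisplayName", "").lower() != ATTR.lower():
            continue
        if d.get("OperationType") != OP_VALUE_ADDED:
            continue  # a deletion is worth logging but is not a shadow credential being added
        kc = parse_key_credential(parse_dn_binary(d["AttributeValue"])[0])
        writer = d.get("SubjectUserName", "")
        findings.append({"severity": "info" if writer in allowed_writers else "high",
                         "writer": writer, "target": d.get("ObjectDN"), "key_id": kc.get("key_id"),
                         "device_id": kc.get("device_id"), "created": kc.get("created")})
    return findings


# --- constructed sample input: the events, DNs, accounts and key material are not real ---
def entry(ident, data):
    return struct.pack("<HB", len(data), ident) + data


def build_sample_blob(device_id, created):
    """Structurally valid KeyCredentialLink blob with dummy key material, for sample events."""
    delta = created - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return (struct.pack("<I", 0x200)
            + entry(ENTRY_KEY_ID, b"\x11" * 32)  # SHA-256 of the public key in a real entry
            + entry(ENTRY_DEVICE_ID, device_id.bytes_le)
            + entry(ENTRY_CREATION_TIME, struct.pack("<Q", ticks)))


def dn_binary(blob, dn):
    hexdata = blob.hex().upper()
    return f"B:{len(hexdata)}:{hexdata}:{dn}"


def sample_event(writer, dn, attr, op, value):
    return {"event_id": 5136, "event_data": {"SubjectUserName": writer, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "OperationType": op, "AttributeValue": value}}


FS01_DN, WS07_DN = "CN=FS01,OU=Servers,DC=corp,DC=example", "CN=WS07,OU=Workstations,DC=corp,DC=example"
SUSPICIOUS_DEVICE_ID = "c2f5b3a1-7d6e-4f20-9a1b-3e4d5c6b7a80"
LEGIT_BLOB = build_sample_blob(uuid.UUID(int=7), datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc))
ROGUE_BLOB = build_sample_blob(uuid.UUID(SUSPICIOUS_DEVICE_ID), datetime(2024, 1, 3, 14, 30, tzinfo=timezone.utc))
SAMPLE_EVENTS = [
    sample_event("MSOL_0f1e2d3c4b5a", WS07_DN, ATTR, OP_VALUE_ADDED, dn_binary(LEGIT_BLOB, WS07_DN)),  # provisioning
    sample_event("jdoe", FS01_DN, ATTR, OP_VALUE_ADDED, dn_binary(ROGUE_BLOB, FS01_DN)),               # suspicious
    sample_event("jdoe", FS01_DN, "description", OP_VALUE_ADDED, "file server"),                        # other attribute
    sample_event("jdoe", FS01_DN, ATTR, OP_VALUE_DELETED, dn_binary(ROGUE_BLOB, FS01_DN)),              # cleanup, not an add
]

if __name__ == "__main__":
    for f in triage_5136(SAMPLE_EVENTS):
        print(f["severity"], f["writer"], "->", f["target"], f["device_id"], f["created"])
```

Run against the constructed events, the provisioning write by the allowlisted account comes back as `info`, the write by `jdoe` to the server object as `high` with its DeviceId and creation time, the `description` change is ignored, and the later value deletion is skipped rather than counted as another shadow credential. The DeviceId is worth pivoting on because a legitimately provisioned key references a real device object, whereas a tool-generated entry carries a random GUID that matches nothing in the directory.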