{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/azure-ad-connect/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory","Azure AD Connect","ADFS"],"_cs_severities":["high"],"_cs_tags":["credential-access","shadow-credentials","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u0026ldquo;Shadow Credentials\u0026rdquo; attack involves manipulating the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute in Active Directory (AD) to gain unauthorized access to user or computer accounts. Attackers can create a key pair, append the raw public key to the attribute, and authenticate as the target object. This technique allows for persistent and stealthy access, as it leverages Kerberos key trust account mapping. The original detection rule was created in January 2022 and last updated in April 2026. This attack abuses control over an object to create the shadow credentials. Defenders should monitor for modifications to the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute, especially those not associated with legitimate Azure AD Connect or ADFS provisioning.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attacker gains initial access to a system with sufficient privileges to modify Active Directory objects.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker identifies a target user or computer object within Active Directory to compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker generates a new key pair.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker modifies the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute of the target object to include the attacker\u0026rsquo;s public key. This requires specific permissions on the target object.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker uses the private key to authenticate as the target object, bypassing normal authentication mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised account to move laterally within the network, accessing resources and systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objective, such as data exfiltration, system compromise, or further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to maintain persistent and stealthy access to Active Directory objects, potentially compromising sensitive accounts and resources. Shadow Credentials can be used to bypass multi-factor authentication and other security controls, leading to significant data breaches or system-wide compromises. Without proper monitoring and alerting, these attacks can remain undetected for extended periods.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Windows Security Event Logs, specifically event ID 5136, for modifications to the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute as described in the rule description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious modifications to the \u003ccode\u003emsDS-KeyCredentialLink\u003c/code\u003e attribute, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and auditing on Active Directory objects, particularly those with sensitive privileges, to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the \u003ccode\u003ewinlog.event_data.ObjectDN\u003c/code\u003e, \u003ccode\u003ewinlog.event_data.SubjectUserName\u003c/code\u003e, and \u003ccode\u003ewinlog.event_data.AttributeValue\u003c/code\u003e fields to determine the legitimacy of the changes.\u003c/li\u003e\n\u003cli\u003eFollow the triage and analysis steps in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field to investigate alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:57:22Z","date_published":"2024-01-03T14:57:22Z","id":"/briefs/2024-01-shadow-credentials/","summary":"This rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.","title":"Potential Shadow Credentials added to AD Object","url":"https://feed.craftedsignal.io/briefs/2024-01-shadow-credentials/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure AD Connect"],"_cs_severities":["medium"],"_cs_tags":["credential-access","privilege-escalation","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe DCSync attack is a technique that allows an attacker to use the Windows Domain Controller\u0026rsquo;s API to simulate the replication process from a remote domain controller. This enables the attacker to compromise critical credential material, such as Kerberos krbtgt keys, which can then be used for ticket creation and forgery. This attack requires specific privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), typically granted to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. This rule focuses on detecting the initiation of the Active Directory replication process by user accounts, which could indicate a DCSync attack. The rule specifically monitors for Event ID 4662, filtering out computer accounts and Azure AD Connect MSOL accounts to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with a privileged account (e.g., Domain Admin).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the privileged account to grant an attacker-controlled object the right to DCSync/Replicate.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an Active Directory replication process using the granted rights.\u003c/li\u003e\n\u003cli\u003eWindows generates Event ID 4662 (Operation was performed on an Active Directory object) with Access Mask 0x100 (Control Access).\u003c/li\u003e\n\u003cli\u003eThe event properties include DS-Replication-Get-Changes or DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information such as password hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker forges Kerberos tickets using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DCSync attack can lead to the compromise of the entire Active Directory domain. Attackers can steal credential information, including the krbtgt key, allowing them to forge Kerberos tickets and gain unauthorized access to any resource within the domain. This can lead to data breaches, system outages, and significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; to generate the required event logs (Event ID 4662) for detection, as indicated in the \u003ca href=\"https://ela.st/audit-directory-service-access\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Potential DCSync Activity\u003c/code\u003e to identify suspicious Active Directory replication events in your SIEM.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by correlating security events 4662 and 4624 by Logon ID on the Domain Controller.\u003c/li\u003e\n\u003cli\u003eReview and restrict the privileges granted to accounts with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-dcsync-replication/","summary":"This rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.","title":"Potential Credential Access via DCSync","url":"https://feed.craftedsignal.io/briefs/2024-01-02-dcsync-replication/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure AD Connect","version":"https://jsonfeed.org/version/1.1"}