Potential Shadow Credentials added to AD Object

hello@craftedsignal.io — Wed, 03 Jan 2024 14:57:22 +0000

The “Shadow Credentials” attack involves manipulating the msDS-KeyCredentialLink attribute in Active Directory (AD) to gain unauthorized access to user or computer accounts. Attackers can create a key pair, append the raw public key to the attribute, and authenticate as the target object. This technique allows for persistent and stealthy access, as it leverages Kerberos key trust account mapping. The original detection rule was created in January 2022 and last updated in April 2026. This attack abuses control over an object to create the shadow credentials. Defenders should monitor for modifications to the msDS-KeyCredentialLink attribute, especially those not associated with legitimate Azure AD Connect or ADFS provisioning.

Attack Chain

Initial Access: Attacker gains initial access to a system with sufficient privileges to modify Active Directory objects.
Discovery: The attacker identifies a target user or computer object within Active Directory to compromise.
Credential Access: The attacker generates a new key pair.
Privilege Escalation: The attacker modifies the msDS-KeyCredentialLink attribute of the target object to include the attacker’s public key. This requires specific permissions on the target object.
Persistence: The attacker uses the private key to authenticate as the target object, bypassing normal authentication mechanisms.
Lateral Movement: The attacker uses the compromised account to move laterally within the network, accessing resources and systems.
Impact: The attacker achieves their objective, such as data exfiltration, system compromise, or further privilege escalation.

Impact

Successful exploitation allows attackers to maintain persistent and stealthy access to Active Directory objects, potentially compromising sensitive accounts and resources. Shadow Credentials can be used to bypass multi-factor authentication and other security controls, leading to significant data breaches or system-wide compromises. Without proper monitoring and alerting, these attacks can remain undetected for extended periods.

Recommendation

Enable and monitor Windows Security Event Logs, specifically event ID 5136, for modifications to the msDS-KeyCredentialLink attribute as described in the rule description.
Deploy the provided Sigma rule to your SIEM to detect suspicious modifications to the msDS-KeyCredentialLink attribute, and tune for your environment.
Implement strict access controls and auditing on Active Directory objects, particularly those with sensitive privileges, to prevent unauthorized modifications.
Investigate any alerts generated by the Sigma rule by examining the winlog.event_data.ObjectDN, winlog.event_data.SubjectUserName, and winlog.event_data.AttributeValue fields to determine the legitimacy of the changes.
Follow the triage and analysis steps in the rule’s note field to investigate alerts.

Potential Credential Access via DCSync

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The DCSync attack is a technique that allows an attacker to use the Windows Domain Controller’s API to simulate the replication process from a remote domain controller. This enables the attacker to compromise critical credential material, such as Kerberos krbtgt keys, which can then be used for ticket creation and forgery. This attack requires specific privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), typically granted to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. This rule focuses on detecting the initiation of the Active Directory replication process by user accounts, which could indicate a DCSync attack. The rule specifically monitors for Event ID 4662, filtering out computer accounts and Azure AD Connect MSOL accounts to reduce false positives.

Attack Chain

An attacker gains initial access to a system with a privileged account (e.g., Domain Admin).
The attacker uses the privileged account to grant an attacker-controlled object the right to DCsync/Replicate.
The attacker initiates an Active Directory replication process using the granted rights.
Windows generates Event ID 4662 (Operation was performed on an Active Directory object) with Access Mask 0x100 (Control Access).
The event properties include DS-Replication-Get-Changes or DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set.
The attacker extracts sensitive information such as password hashes.
The attacker forges Kerberos tickets using the compromised credentials.
The attacker achieves domain dominance.

Impact

A successful DCSync attack can lead to the compromise of the entire Active Directory domain. Attackers can steal credential information, including the krbtgt key, allowing them to forge Kerberos tickets and gain unauthorized access to any resource within the domain. This can lead to data breaches, system outages, and significant financial and reputational damage.

Recommendation

Enable “Audit Directory Service Access” to generate the required event logs (Event ID 4662) for detection, as indicated in the setup instructions.
Deploy the provided Sigma rule Detect Potential DCSync Activity to identify suspicious Active Directory replication events in your SIEM.
Investigate any alerts generated by the Sigma rule by correlating security events 4662 and 4624 by Logon ID on the Domain Controller.
Review and restrict the privileges granted to accounts with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.

Azure AD Connect — CraftedSignal Threat Feed

Potential Shadow Credentials added to AD Object

Attack Chain

Impact

Recommendation

Potential Credential Access via DCSync

Attack Chain

Impact

Recommendation