{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-roaming/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","credential-roaming","active-directory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e attribute of an Active Directory user object holds the roamed credential store (certificates, private keys and related files) that the Windows credential roaming feature synchronizes to the machines the user logs on to. An attacker who can write this attribute on another user\u0026rsquo;s object can insert a crafted credential entry; when that user next logs on and credential roaming synchronizes the store, the entry is written to disk in the user\u0026rsquo;s security context at a path the attacker chose, so an arbitrary file the user can write is overwritten. Targeting a privileged user therefore yields code execution with that user\u0026rsquo;s privileges. Each write to the attribute is recorded as event 5136 (\u0026ldquo;A directory service object was modified\u0026rdquo;) in the Windows Security Event Log once directory service change auditing is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a domain-joined system, for example through compromised credentials or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account, typically a privileged one, whose \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e attribute the compromised account is permitted to write, for instance through delegated rights or an over-permissive ACL on the user object.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious credential entry whose destination, once credential roaming writes the entry to disk, is a file of the attacker\u0026rsquo;s choosing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., PowerShell, adsiedit.msc) to add the entry to the target user\u0026rsquo;s \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e attribute in Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker waits for credential roaming to pick up the change: it is synchronized the next time the target user logs on to a domain-joined system where credential roaming is enabled.\u003c/li\u003e\n\u003cli\u003eDuring that logon the malicious entry is processed in the target user\u0026rsquo;s security context and the chosen file is overwritten.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the overwritten file to execute arbitrary code with the target user\u0026rsquo;s privileges.\u003c/li\u003e\n\u003cli\u003eWith those privileges the attacker escalates further and extends access across the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful modification of \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e on a privileged user hands the attacker that user\u0026rsquo;s rights; against a domain administrator this can lead to complete domain compromise, with control over critical systems and data in the Active Directory environment. Any organization that has enabled credential roaming is exposed wherever accounts other than the user and trusted administrators can write the attribute on user objects. The resulting access supports lateral movement, data exfiltration and potentially the deployment of ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; (Success) on domain controllers so that event 5136 is generated (\u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003ehttps://ela.st/audit-directory-service-changes\u003c/a\u003e). Event 5136 is only written for objects whose SACL audits successful property writes, so confirm that user objects carry such an audit entry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eModification of msPKIAccountCredentials in Active Directory\u003c/code\u003e to detect suspicious modifications of the attribute.\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory access controls so that write access to \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e on user objects is limited to the account itself and a small, documented set of administrative principals; look for delegated WriteProperty or GenericWrite rights on user objects.\u003c/li\u003e\n\u003cli\u003eMonitor event 5136 in the Windows Security Event Log for changes where \u003ccode\u003eAttributeLDAPDisplayName\u003c/code\u003e is \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e, and treat writes in which the subject account is not the user being modified as high priority, since a user\u0026rsquo;s own credential roaming synchronization writes the attribute as that user.\u003c/li\u003e\n\u003cli\u003eCreate exceptions in your SIEM for the authorized administrative accounts that legitimately modify this attribute to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:25:00Z","date_published":"2024-01-26T18:25:00Z","id":"/briefs/2024-01-cred-roaming/","summary":"Attackers with write access to a user's msPKIAccountCredentials attribute in Active Directory can inject a crafted credential entry that credential roaming writes to an arbitrary file at that user's next logon, enabling privilege escalation.","title":"Active Directory msPKIAccountCredentials Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-cred-roaming/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Roaming","version":"https://jsonfeed.org/version/1.1"}
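The monitoring and exception-handling steps in the Recommendation section, worked through as an added example that is not part of the feed item and is not code from Elastic or Microsoft. It evaluates event 5136 records the way the recommended rule would, then goes one step further by excluding a user's own credential roaming sync and by inspecting the logged value. It assumes the 5136 EventData field names as Windows emits them (SubjectUserSid, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType), that OperationType %%14674 denotes a value being added and %%14675 a value being deleted, that AttributeValue is logged in Object(DN-Binary) text form (B:<hex character count>:<hex>:<DN>), and it uses a constructed DN-to-SID table (DN_TO_SID) in place of an LDAP lookup. The sample events, domain SID and account SIDs are constructed, and the traversal check on the decoded blob is a heuristic, not a parser for the credential roaming blob format, whose layout the advisory does not give.

```python
"""Evaluate Windows Security event 5136 records for msPKIAccountCredentials abuse.

Added example for this advisory (not code from the feed, Elastic or Microsoft).
Assumptions the advisory does not state: 5136 EventData field names as Windows
emits them; OperationType %%14674 = Value Added, %%14675 = Value Deleted;
AttributeValue is logged in Object(DN-Binary) text form B:<hex char count>:<hex>:<DN>;
DN_TO_SID stands in for an LDAP objectSid lookup; the traversal check on the
decoded blob is a heuristic, not a parser for the credential roaming blob format.
All sample events, SIDs and DNs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

ATTRIBUTE = "msPKIAccountCredentials"
OP_VALUE_ADDED, OP_VALUE_DELETED = "%%14674", "%%14675"
LOCAL_SYSTEM = "S-1-5-18"
DOMAIN = "S-1-5-21-111-222-333"  # constructed domain SID prefix
ADMIN_DN = "CN=Admin User,OU=Staff,DC=corp,DC=example"
ALICE_DN = "CN=Alice Roam,OU=Staff,DC=corp,DC=example"
DN_TO_SID = {ADMIN_DN: f"{DOMAIN}-500", ALICE_DN: f"{DOMAIN}-1104"}  # stand-in for LDAP lookup
AUTHORIZED_SIDS = frozenset({f"{DOMAIN}-1200"})  # PKI service account permitted to write
DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.*)$", re.S)


def parse_dn_binary(value):
    """Split an Object(DN-Binary) value into (blob, dn); None if malformed."""
    m = DN_BINARY.match(value)
    if not m:
        return None
    count, hexpart, dn = m.groups()
    if int(count) != len(hexpart) or len(hexpart) % 2:
        return None  # declared length is the number of hex characters
    return bytes.fromhex(hexpart), dn


def traversal_in_blob(blob):
    """Heuristic: does the blob carry a '..\\' or '../' sequence, in ASCII or UTF-16LE?"""
    needles = ("..\\", "../")
    return any(n.encode() in blob or n.encode("utf-16-le") in blob for n in needles)


def parse_event(xml_text):
    """Flatten the <EventData> of a 5136 record into {Data Name: text}."""
    return {d.get("Name"): (d.text or "") for d in ET.fromstring(xml_text).iter("Data")}


def evaluate(event, authorized=AUTHORIZED_SIDS):
    """Return a finding dict for a suspicious msPKIAccountCredentials change, else None."""
    if event.get("AttributeLDAPDisplayName") != ATTRIBUTE:
        return None
    subject, target = event.get("SubjectUserSid", ""), event.get("ObjectDN", "")
    if subject == LOCAL_SYSTEM or subject in authorized:
        return None  # SIEM exception: SYSTEM and the documented admin principals
    if subject == DN_TO_SID.get(target):
        return None  # a user's own roaming sync writes the attribute as that user
    finding = {"subject": subject, "target": target,
               "operation": event.get("OperationType", ""), "severity": "medium"}
    if finding["operation"] == OP_VALUE_DELETED:
        finding["severity"] = "low"  # possible clean-up after the payload fired
        return finding
    parsed = parse_dn_binary(event.get("AttributeValue", ""))
    if parsed is None:
        finding.update(severity="high", reason="malformed DN-Binary value")
    elif traversal_in_blob(parsed[0]):
        finding.update(severity="high", reason="path traversal in credential blob")
    return finding


def scan(xml_events, authorized=AUTHORIZED_SIDS):
    """Run evaluate() over raw 5136 EventData XML strings and keep the findings."""
    return [f for f in (evaluate(parse_event(x), authorized) for x in xml_events) if f]


def dn_binary(blob, dn):
    """Encode a value in Object(DN-Binary) text form."""
    hexpart = blob.hex().upper()
    return f"B:{len(hexpart)}:{hexpart}:{dn}"


def event_5136(subject_sid, object_dn, attribute, value, op):
    """Build a minimal 5136 EventData fragment (constructed, not a real log)."""
    return (f'<EventData><Data Name="SubjectUserSid">{subject_sid}</Data>'
            f'<Data Name="ObjectDN">{object_dn}</Data><Data Name="ObjectClass">user</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attribute}</Data>'
            f'<Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">{op}</Data></EventData>')


BENIGN_BLOB = b"\x01\x00\x00\x00" + "cert.cer".encode("utf-16-le")
EVIL_BLOB = b"\x01\x00\x00\x00" + "..\\..\\..\\target.bin".encode("utf-16-le")
SAMPLE_EVENTS = [
    event_5136(f"{DOMAIN}-1104", ALICE_DN, ATTRIBUTE, dn_binary(BENIGN_BLOB, ALICE_DN), OP_VALUE_ADDED),  # own sync
    event_5136(f"{DOMAIN}-1337", ADMIN_DN, ATTRIBUTE, dn_binary(EVIL_BLOB, ADMIN_DN), OP_VALUE_ADDED),    # attack
    event_5136(f"{DOMAIN}-1200", ADMIN_DN, ATTRIBUTE, dn_binary(BENIGN_BLOB, ADMIN_DN), OP_VALUE_ADDED),  # allowlisted
    event_5136(f"{DOMAIN}-1337", ADMIN_DN, ATTRIBUTE, dn_binary(EVIL_BLOB, ADMIN_DN), OP_VALUE_DELETED),  # clean-up
    event_5136(f"{DOMAIN}-1337", ADMIN_DN, "description", "helpdesk ticket 42", OP_VALUE_ADDED),         # unrelated
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the five constructed events, scan() returns two findings: the write by the unrelated account onto the admin's object (high, because the decoded blob carries a traversal sequence) and that account's later deletion (low). Alice's own sync, the allowlisted PKI account and the unrelated attribute change produce nothing, which is the false-positive handling the recommendations ask for; in production, DN_TO_SID would be replaced by a lookup of the target object's objectSid.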