
Shadow Credential Attacks

Overview

Detecting Shadow Credential attacks with SYNERGIX OPTAGUARD LEDR software

This attack method targets Active Directory user or computer accounts whose access control entries (ACEs) are weak. An attacker who can write to such an object compromises it by injecting a rogue certificate or key pair into its msDS-KeyCredentialLink attribute.

The attack allows the attacker to authenticate as the targeted user or computer, and this access survives a password reset, because authentication relies on the injected key rather than on the password.

Examples of weak ACEs

Trustee                            | Permission                     | Comments
-----------------------------------|--------------------------------|---------
Everyone                           | Generic All or Full Control    |
Authenticated Users                | Write msDS-KeyCredentialLink   |
Domain Users                       | Owner                          |
Domain Computers                   |                                |
Domain Guests                      |                                |
Anonymous Logon                    |                                |
Pre-Windows 2000 Compatible Access |                                |
Self                               |                                |
Any account controlled by attacker |                                |

Examples of weak ACEs. Various combinations of security principals and permissions must be considered.

Requirements

Domain Controller running Windows Server 2012 or a higher version [1]

Domain Functional Level Windows Server 2012 [2]

Target Domain Controller having its own certificate and keys

The attacker controls a user or computer account that has write permission on the msDS-KeyCredentialLink attribute of the target user or computer object. This is typically an administrative account; however, the attacker may instead target an object configured with weak ACEs.

  1. Most other articles mention Windows Server 2016, but the attack is possible on a Domain Controller running Windows Server 2012 R2.
  2. Most other articles mention Domain Functional Level 2016, but the attack is possible with the Domain Functional Level set to Windows Server 2012.

Attack Simulation

Attack tools such as Whisker (whisker.exe) or pyWhisker (pyWhisker.py) may be used to simulate the attack; the events it generates are then used to build the detection logic.

Detection

YARA-L

  rule shadow_credential_keycredentiallink_write {
    meta:
      description = "Write to msDS-KeyCredentialLink recorded by Directory Service Changes auditing (Event ID 5136)"
    events:
      $e.metadata.log_type = "WINEVTLOG"
      $e.metadata.product_event_type = "5136"
      $e.additional.fields["Attribute LDAP Display Name"] = "msDS-KeyCredentialLink"
      $e.additional.fields["DSType"] = /14674|14676/
    condition:
      $e
  }

Prerequisites

  1. Security Settings / Advanced Audit Policy Configuration / Audit Directory Service Changes is configured to audit Success. This policy may be applied through a GPO linked to OU=Domain Controllers.
  2. SYNERGIX LEDR software, or another Windows security event forwarding agent such as NXLog, configured to forward event ID 5136 to an Azure Log Analytics workspace or another SIEM platform of your choice.
  3. KQL Query
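The rule's predicate applied to raw Event ID 5136 records, as an added example that is not part of the original page or of the OPTAGUARD product: the three event records are constructed samples, and the host name, DNs and account names in them are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KEY_ATTR = "msDS-KeyCredentialLink"
# OperationType (DSType) values the YARA-L rule above matches; Windows shows %%14674 as "Value Added".
WRITE_OPS = {"%%14674", "%%14676"}

# Constructed sample events in Windows event XML form; host, DNs and account names are placeholders.
SAMPLE_EVENTS = [
    # 1: a low-privileged user adds a value to msDS-KeyCredentialLink on a computer object -> alert
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>5136</EventID><Computer>DC01.corp.example</Computer></System><EventData>'
    '<Data Name="SubjectUserName">lowpriv</Data><Data Name="ObjectDN">CN=SRV01,OU=Servers,DC=corp,DC=example</Data>'
    '<Data Name="ObjectClass">computer</Data><Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>'
    '<Data Name="OperationType">%%14674</Data></EventData></Event>',
    # 2: same attribute, but the operation is a value deletion (%%14675) -> not matched by the rule
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>5136</EventID><Computer>DC01.corp.example</Computer></System><EventData>'
    '<Data Name="SubjectUserName">svc_cleanup</Data><Data Name="ObjectDN">CN=SRV01,OU=Servers,DC=corp,DC=example</Data>'
    '<Data Name="ObjectClass">computer</Data><Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>'
    '<Data Name="OperationType">%%14675</Data></EventData></Event>',
    # 3: an ordinary attribute change on a user object -> ignored
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<EventID>5136</EventID><Computer>DC01.corp.example</Computer></System><EventData>'
    '<Data Name="SubjectUserName">helpdesk</Data><Data Name="ObjectDN">CN=Alice,OU=Users,DC=corp,DC=example</Data>'
    '<Data Name="ObjectClass">user</Data><Data Name="AttributeLDAPDisplayName">description</Data>'
    '<Data Name="OperationType">%%14674</Data></EventData></Event>',
]

def parse_event(xml_text):
    # Flatten one event record into a dict of EventData fields plus EventID and the logging DC.
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields

def is_shadow_credential_write(ev):
    # Same predicate as the YARA-L rule: Event ID 5136, the key attribute, and a value-added operation.
    return (ev.get("EventID") == "5136" and ev.get("AttributeLDAPDisplayName") == KEY_ATTR
            and ev.get("OperationType") in WRITE_OPS)

def detect(xml_events):
    # One alert per matching event, carrying the fields an analyst needs to triage it.
    alerts = []
    for ev in map(parse_event, xml_events):
        if is_shadow_credential_write(ev):
            alerts.append({"dc": ev["Computer"], "actor": ev.get("SubjectUserName"), "target": ev.get("ObjectDN"),
                           "target_class": ev.get("ObjectClass"), "operation": ev["OperationType"]})
    return alerts
```

Only the first sample raises an alert; in triage, the combination of a non-administrative actor and a target object the actor does not own is what points to a weak ACE rather than routine key roll-over.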

Response

September 25, 2025
