Modification of the msPKIAccountCredentials
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.
Elastic rule

```toml
[metadata]
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can
abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials
contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys,
certificates, and certificate requests.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of the msPKIAccountCredentials"
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
]
risk_score = 47
rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313"
setup = """## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Data Source: Active Directory",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
    "Data Source: System",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:("Directory Service Changes" or "directory-service-object-modified") and event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and
  not winlog.event_data.SubjectUserSid : "S-1-5-18"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
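The KQL query above, re-expressed as a Python predicate and run over a few constructed 5136 events so the rule's three filters (attribute name, OperationType %%14674 "Value Added", and the S-1-5-18 exclusion) can be seen deciding which events alert. This is an added example, not Elastic's code; the event layout assumes the ECS/winlog field names used in the rule, and the SIDs and user names are made up.

```python
from typing import Dict, List

# Windows Security event 5136 = "A directory service object was modified".
# OperationType %%14674 is "Value Added"; %%14675 is "Value Deleted".
ACTIONS = {"Directory Service Changes", "directory-service-object-modified"}
TARGET_ATTRIBUTE = "msPKIAccountCredentials"
VALUE_ADDED = "%%14674"
LOCAL_SYSTEM_SID = "S-1-5-18"  # excluded by the rule (writes made as SYSTEM)

def make_event(subject_sid: str, subject_name: str, attribute: str, operation: str,
               action: str = "directory-service-object-modified", code: str = "5136") -> Dict:
    """Build a minimal ECS-shaped 5136 event (constructed sample, not real telemetry)."""
    return {
        "event": {"action": action, "code": code},
        "winlog": {"event_data": {
            "SubjectUserSid": subject_sid,
            "SubjectUserName": subject_name,
            "AttributeLDAPDisplayName": attribute,
            "OperationType": operation,
        }},
    }

def matches_rule(event: Dict) -> bool:
    """Mirror the rule's KQL: 5136, Value Added on msPKIAccountCredentials, subject not SYSTEM."""
    ev = event.get("event", {})
    data = event.get("winlog", {}).get("event_data", {})
    return (
        ev.get("action") in ACTIONS
        and ev.get("code") == "5136"
        and data.get("AttributeLDAPDisplayName") == TARGET_ATTRIBUTE
        and data.get("OperationType") == VALUE_ADDED
        and data.get("SubjectUserSid") != LOCAL_SYSTEM_SID
    )

def alerting_events(events: List[Dict]) -> List[Dict]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]

# Constructed sample batch: only the first event satisfies every condition.
SAMPLE_EVENTS = [
    # A domain user account adds a value to msPKIAccountCredentials -> alert
    make_event("S-1-5-21-1111-2222-3333-1105", "jdoe", TARGET_ATTRIBUTE, VALUE_ADDED),
    # Same write performed as LOCAL SYSTEM -> dropped by the SID exclusion
    make_event(LOCAL_SYSTEM_SID, "SYSTEM", TARGET_ATTRIBUTE, VALUE_ADDED),
    # Value deleted rather than added -> OperationType does not match
    make_event("S-1-5-21-1111-2222-3333-1105", "jdoe", TARGET_ATTRIBUTE, "%%14675"),
    # Different attribute on the same object -> attribute filter does not match
    make_event("S-1-5-21-1111-2222-3333-1105", "jdoe", "description", VALUE_ADDED),
]
```

The `event.action` values accepted by the rule differ between winlogbeat and the Elastic Agent Windows/System integrations, which is why the query lists both spellings.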
Related rules
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Access to a Sensitive LDAP Attribute
- Group Policy Abuse for Privilege Addition
- Potential Credential Access via DCSync