Modification of the msPKIAccountCredentials

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Elastic rule

[metadata]
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can
abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials
contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys,
certificates, and certificate requests.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of the msPKIAccountCredentials"
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
]
risk_score = 47
rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313"
setup = """## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Data Source: Active Directory",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:"Directory Service Changes" and event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and
  not winlog.event_data.SubjectUserSid : "S-1-5-18"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
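To check the query's logic offline before deploying it, here is an added Python example (not part of the Elastic rule or its repository) that applies the same predicates to constructed Security event 5136 records laid out in the winlogbeat field structure; the SIDs and distinguished names in the samples are made up.

```python
# Added example: re-implements the KQL predicates of the rule above in Python so
# the matching logic can be exercised against constructed 5136 records.
# Field paths assume the winlogbeat/ECS layout used by the rule's index patterns.

VALUE_ADDED = "%%14674"     # OperationType code for "Value Added" in event 5136
LOCAL_SYSTEM_SID = "S-1-5-18"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Non-SYSTEM principal adds a value to msPKIAccountCredentials -> alert
        "event": {"action": "Directory Service Changes", "code": "5136"},
        "winlog": {"event_data": {
            "AttributeLDAPDisplayName": "msPKIAccountCredentials",
            "OperationType": VALUE_ADDED,
            "SubjectUserSid": "S-1-5-21-1111-2222-3333-1105",
            "ObjectDN": "CN=jdoe,OU=Users,DC=example,DC=local"}},
    },
    {   # Same change performed as LOCAL SYSTEM (normal roaming write) -> excluded
        "event": {"action": "Directory Service Changes", "code": "5136"},
        "winlog": {"event_data": {
            "AttributeLDAPDisplayName": "msPKIAccountCredentials",
            "OperationType": VALUE_ADDED,
            "SubjectUserSid": LOCAL_SYSTEM_SID,
            "ObjectDN": "CN=asmith,OU=Users,DC=example,DC=local"}},
    },
    {   # "Value Deleted" (%%14675) on the attribute -> not in scope of the rule
        "event": {"action": "Directory Service Changes", "code": "5136"},
        "winlog": {"event_data": {
            "AttributeLDAPDisplayName": "msPKIAccountCredentials",
            "OperationType": "%%14675",
            "SubjectUserSid": "S-1-5-21-1111-2222-3333-1106",
            "ObjectDN": "CN=bjones,OU=Users,DC=example,DC=local"}},
    },
]

def matches_rule(event):
    """Return True when the record satisfies every clause of the rule's KQL query."""
    ev = event.get("event", {})
    ed = event.get("winlog", {}).get("event_data", {})
    return (
        ev.get("action") == "Directory Service Changes"
        and ev.get("code") == "5136"
        and ed.get("AttributeLDAPDisplayName") == "msPKIAccountCredentials"
        and ed.get("OperationType") == VALUE_ADDED
        # KQL 'not field : value' also passes when the field is absent; .get() mirrors that.
        and ed.get("SubjectUserSid") != LOCAL_SYSTEM_SID
    )

def find_alerts(events):
    """Return the ObjectDN of every record the rule would alert on."""
    return [e["winlog"]["event_data"]["ObjectDN"] for e in events if matches_rule(e)]
```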
