Modification of the msPKIAccountCredentials

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Elastic rule

````toml
[metadata]
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/27"

[rule]
author = ["Elastic"]
description = """
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can
abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials
contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys,
certificates, and certificate requests.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of the msPKIAccountCredentials"
note = """## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```

The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
As this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.

```
Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success
```
"""
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
]
risk_score = 47
rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Active Directory", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:"Directory Service Changes" and event.code:"5136" and
  winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and
  not winlog.event_data.SubjectUserSid : "S-1-5-18"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
````
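To make the query's matching behaviour concrete, here is an added Python example that is not part of the Elastic rule or the detection-rules repository. It evaluates the same five conditions as the KQL query over a handful of constructed documents shaped like winlogbeat output for event 5136 (the `event.action`, `event.code` and `winlog.event_data.*` field names, the operation-type code `%%14674` and the excluded SID `S-1-5-18` come from the rule; every SID, account and distinguished name in the sample data is made up). It also exercises two edge cases a practitioner should know: a "Value Deleted" operation (`%%14675`) does not fire, and a record with no `SubjectUserSid` at all does fire, because a negated term clause accepts documents that lack the field.

```python
"""Evaluate the rule's KQL predicate over constructed Windows 5136 documents.

Added example; not part of the Elastic rule or the detection-rules repository.
The documents are constructed to mirror the winlogbeat/ECS field names the
query reads (event.action, event.code, winlog.event_data.*). Every SID,
distinguished name and account name below is made up.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constants taken from the rule query.
RULE_ACTION = "Directory Service Changes"
RULE_EVENT_CODE = "5136"
TARGET_ATTRIBUTE = "msPKIAccountCredentials"
OP_VALUE_ADDED = "%%14674"     # Event 5136 OperationType: Value Added
OP_VALUE_DELETED = "%%14675"   # Event 5136 OperationType: Value Deleted (not matched by the rule)
LOCAL_SYSTEM_SID = "S-1-5-18"  # excluded by the rule's "not" clause

Event = Dict[str, Any]


def get_field(doc: Event, dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS field path (e.g. 'winlog.event_data.OperationType')
    against a nested document; None when any path component is absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: Event) -> bool:
    """Python rendering of the rule's KQL predicate. Keyword comparisons are
    exact, and the trailing 'not' is true when SubjectUserSid is absent,
    matching how a must_not clause treats documents without the field."""
    return (
        get_field(doc, "event.action") == RULE_ACTION
        and str(get_field(doc, "event.code")) == RULE_EVENT_CODE
        and get_field(doc, "winlog.event_data.AttributeLDAPDisplayName") == TARGET_ATTRIBUTE
        and get_field(doc, "winlog.event_data.OperationType") == OP_VALUE_ADDED
        and get_field(doc, "winlog.event_data.SubjectUserSid") != LOCAL_SYSTEM_SID
    )


def make_5136(subject_sid: Optional[str], attribute: str, op_type: str, object_dn: str,
              code: str = RULE_EVENT_CODE) -> Event:
    """Build a constructed 5136-style document carrying the fields the rule reads."""
    event_data: Dict[str, Any] = {
        "AttributeLDAPDisplayName": attribute,
        "OperationType": op_type,
        "ObjectDN": object_dn,
        "ObjectClass": "user",
    }
    if subject_sid is not None:  # omit the key entirely to model a record lacking the field
        event_data["SubjectUserSid"] = subject_sid
    return {"event": {"action": RULE_ACTION, "code": code}, "winlog": {"event_data": event_data}}


USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed domain user SID
TARGET_DN = "CN=jdoe,CN=Users,DC=example,DC=com"             # constructed target object

SAMPLE_EVENTS: List[Event] = [
    make_5136(USER_SID, TARGET_ATTRIBUTE, OP_VALUE_ADDED, TARGET_DN),              # alert
    make_5136(LOCAL_SYSTEM_SID, TARGET_ATTRIBUTE, OP_VALUE_ADDED, TARGET_DN),      # excluded: SYSTEM
    make_5136(USER_SID, TARGET_ATTRIBUTE, OP_VALUE_DELETED, TARGET_DN),            # value deleted, not added
    make_5136(USER_SID, "msDS-KeyCredentialLink", OP_VALUE_ADDED, TARGET_DN),      # different attribute
    make_5136(USER_SID, TARGET_ATTRIBUTE, OP_VALUE_ADDED, TARGET_DN, code="5137"),  # wrong event code
    make_5136(None, TARGET_ATTRIBUTE, OP_VALUE_ADDED, TARGET_DN),                  # no SubjectUserSid: still alerts
]


def alerts(events: List[Event]) -> List[Tuple[Optional[str], str]]:
    """Run the predicate over a batch and return (SubjectUserSid, ObjectDN) per hit,
    the two fields an analyst triages first for this rule."""
    return [
        (get_field(e, "winlog.event_data.SubjectUserSid"), get_field(e, "winlog.event_data.ObjectDN"))
        for e in events
        if matches_rule(e)
    ]


if __name__ == "__main__":
    for sid, dn in alerts(SAMPLE_EVENTS):
        print(f"ALERT subject={sid} object={dn}")
```

Running the script prints two alerts out of the six constructed records: the domain user's write and the record with no subject SID. The second of these is worth remembering when tuning: an exclusion written as `not field : value` only suppresses documents that actually carry that value, so incomplete records pass straight through.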

Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```

The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule. As this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.

```powershell
Set-AuditRule -AdObjectPath 'AD:\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success
```
