Modification of the msPKIAccountCredentials

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Elastic rule

```toml
[metadata]
creation_date = "2022/11/09"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2025/01/22"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can
abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials
contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys,
certificates, and certificate requests.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of the msPKIAccountCredentials"
references = [
    "https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
    "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx",
    "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136",
]
risk_score = 47
rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313"
setup = """## Setup

The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Data Source: Active Directory",
    "Tactic: Privilege Escalation",
    "Use Case: Active Directory Monitoring",
    "Data Source: System",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and
  winlog.event_data.OperationType:"%%14674" and
  not winlog.event_data.SubjectUserSid : "S-1-5-18"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Modification of the msPKIAccountCredentials

The msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. Adversaries may exploit this by altering the attribute to escalate privileges, potentially overwriting files. The detection rule identifies such modifications by monitoring specific directory service events, focusing on changes to this attribute, excluding actions by the system account, thus highlighting unauthorized access attempts.

### Possible investigation steps

- Review the event logs for the specific event code 5136 to gather details about the modification event, including the timestamp and the user account involved.
- Examine the winlog.event_data.SubjectUserSid field to identify the user who attempted the modification, ensuring it is not the system account (S-1-5-18).
- Investigate the history and behavior of the identified user account to determine if there are any previous suspicious activities or anomalies.
- Check for any recent changes or anomalies in the affected Active Directory User Object, focusing on the msPKIAccountCredentials attribute.
- Assess the potential impact of the modification by identifying any files or systems that may have been affected by the altered credentials.
- Correlate this event with other security alerts or logs to identify any patterns or coordinated activities that might indicate a broader attack.

### False positive analysis

- Routine administrative tasks by IT personnel may trigger the rule. To manage this, create exceptions for specific user accounts or groups known to perform these tasks regularly.
- Scheduled maintenance scripts or automated processes that modify Active Directory attributes could be mistaken for unauthorized changes. Identify these processes and exclude their associated user accounts or service accounts from the rule.
- Software updates or installations that require changes to user credentials might cause false positives. Document these events and adjust the rule to ignore modifications during known update windows.
- Legitimate changes made by third-party applications integrated with Active Directory can be flagged. Review and whitelist these applications by excluding their associated user accounts or service accounts.
- Temporary changes during incident response or security audits may appear suspicious. Coordinate with security teams to ensure these activities are recognized and excluded from triggering alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Revoke any potentially compromised certificates and private keys associated with the affected msPKIAccountCredentials attribute to prevent misuse.
- Conduct a thorough review of recent changes in Active Directory, focusing on the msPKIAccountCredentials attribute, to identify any unauthorized modifications or access patterns.
- Reset passwords and regenerate keys for any accounts or services that may have been affected to ensure that compromised credentials are no longer valid.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activity or attempts to exploit similar vulnerabilities.
- Review and update access controls and permissions in Active Directory to ensure that only authorized personnel have the ability to modify sensitive attributes like msPKIAccountCredentials."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
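To show exactly which event 5136 records the KQL above selects and which it drops, here is an added Python replay of the rule's logic over constructed sample documents (this is not Elastic's code; SIDs, user names and DNs are placeholders, and the `allowlisted_sids` parameter is an assumed tuning hook standing in for the per-account exceptions suggested in the false-positive section).

```python
"""Replay the msPKIAccountCredentials rule over constructed event 5136 documents."""

SYSTEM_SID = "S-1-5-18"   # Local System: excluded by the rule (credential roaming runs as SYSTEM)
VALUE_ADDED = "%%14674"   # event 5136 OperationType for "Value Added"; "%%14675" is "Value Deleted"


def _get(doc, path):
    """Walk a dotted ECS path such as 'winlog.event_data.SubjectUserSid' in a nested dict."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def matches_rule(doc, allowlisted_sids=frozenset()):
    """Same four conditions as the KQL query, plus an assumed exception list of SIDs."""
    sid = _get(doc, "winlog.event_data.SubjectUserSid")
    return (
        _get(doc, "event.code") == "5136"
        and _get(doc, "winlog.event_data.AttributeLDAPDisplayName") == "msPKIAccountCredentials"
        and _get(doc, "winlog.event_data.OperationType") == VALUE_ADDED
        and sid != SYSTEM_SID
        and sid not in allowlisted_sids
    )


def run_rule(docs, allowlisted_sids=frozenset()):
    """Return (SubjectUserName, ObjectDN) for every document the rule would alert on."""
    return [(_get(d, "winlog.event_data.SubjectUserName"), _get(d, "winlog.event_data.ObjectDN"))
            for d in docs if matches_rule(d, allowlisted_sids)]


def _ev(code, attr, op, sid, user, dn):
    """Build a minimal winlogbeat-shaped document (constructed, not real telemetry)."""
    return {"event": {"code": code},
            "winlog": {"event_data": {"AttributeLDAPDisplayName": attr, "OperationType": op,
                                      "SubjectUserSid": sid, "SubjectUserName": user, "ObjectDN": dn}}}


USER_SID, ADMIN_SID = "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1120"   # placeholder SIDs
TARGET = "CN=victim,OU=Users,DC=corp,DC=example"                       # placeholder DN
SAMPLE_DOCS = [
    _ev("5136", "msPKIAccountCredentials", "%%14674", USER_SID, "jdoe", TARGET),       # alert
    _ev("5136", "msPKIAccountCredentials", "%%14674", SYSTEM_SID, "DC01$", TARGET),    # SYSTEM: excluded
    _ev("5136", "msPKIAccountCredentials", "%%14675", USER_SID, "jdoe", TARGET),       # value deleted: no match
    _ev("5136", "description", "%%14674", USER_SID, "jdoe", TARGET),                   # other attribute: no match
    _ev("5137", "msPKIAccountCredentials", "%%14674", USER_SID, "jdoe", TARGET),       # other event code: no match
    _ev("5136", "msPKIAccountCredentials", "%%14674", ADMIN_SID, "pkiadmin", TARGET),  # alert unless allowlisted
]

if __name__ == "__main__":
    for user, dn in run_rule(SAMPLE_DOCS):
        print(f"ALERT: {user} wrote msPKIAccountCredentials on {dn}")
```

Passing `allowlisted_sids={ADMIN_SID}` keeps only the `jdoe` alert, which is the effect of the account-level exception the false-positive guidance recommends.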
