Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / ACL

Shadow Credentials

This note documents detection patterns related to Shadow Credentials within Active Directory environments.


Direct Indicators

Log      | Event ID | Meaning                      | Forensic Value | Notes
---------|----------|------------------------------|----------------|------------------------------------------------------------------------------------------------
Security | 5136     | Directory object modified    | Critical       | Modification of the msDS-KeyCredentialLink attribute is the primary indicator of Shadow Credential abuse.
Security | 4662     | Operation performed on object| High           | LDAP write operation against user/computer object.
Security | 4624     | Successful logon             | High           | Logon may occur shortly after key credential is added.
Security | 4768     | Kerberos TGT request         | High           | Authentication using certificate-based Kerberos (PKINIT).
Security | 4672     | Special privileges assigned  | High           | Privileged sessions may appear if attacker targets admin accounts.
Sysmon   | 1        | Process creation             | Medium         | Execution of tools such as Whisker or Certipy modifying AD attributes.
Sysmon   | 3        | Network connection           | Medium         | LDAP communication with domain controller during attribute modification.

Indirect Indicators

Indicator                                          | What To Look For                                                    | Forensic Value | Notes
---------------------------------------------------|---------------------------------------------------------------------|----------------|----------------------------------------
Modification of msDS-KeyCredentialLink             | Unexpected attribute added to user or computer object               | Critical       | Primary artifact of Shadow Credentials.
Certificate-based authentication without PKI usage | PKINIT authentication in environment without normal certificate auth| Critical       | Strong indicator of abuse.
Authentication from unusual host                   | Account authenticating from workstation it normally does not use    | High           | Possible attacker-controlled host.
Rapid privilege escalation after modification      | Admin actions shortly after attribute change                        | Critical       | Indicates account takeover.
LDAP modifications from workstation                | Directory modification initiated from non-admin host                | High           | Suspicious behavior.

Common Tools

Tool      | Usage
----------|---------------------------------------------------------------
Whisker   | Adds shadow credentials to AD objects.
Certipy   | Performs Shadow Credential attacks via msDS-KeyCredentialLink.
Impacket  | LDAP scripts used for attribute manipulation.
PowerView | Used to modify AD attributes when permissions allow.
Rubeus    | Used to request Kerberos tickets after credential injection.

Relevant Artifacts

  • Domain controller Security logs (5136, 4662, 4768)
  • Active Directory object metadata
  • LDAP modification logs
  • Sysmon logs (1, 3)
  • EDR telemetry identifying AD manipulation tools
  • Directory replication metadata
  • Prefetch artifacts showing execution of Certipy or Whisker
  • Kerberos authentication logs

MITRE ATT&CK References

  • T1556 Modify Authentication Process
  • T1550 Use Alternate Authentication Material
  • T1558 Steal or Forge Kerberos Tickets
  • T1078 Valid Accounts

Decision Tree

  1. Is the suspicious event present?
    • Identify directory modification (5136) on msDS-KeyCredentialLink.
  2. What host generated the event?
    • Determine workstation performing LDAP modification.
  3. Is the account expected to perform this action?
    • Investigate whether account normally manages certificate credentials.
  4. Pivot:
    • Source host → inspect execution of Certipy or Whisker.
    • Target account → review privilege level and group memberships.
    • Network → analyze Kerberos authentication events following modification.
  5. Confirm exploitation:
    • Determine whether attacker injected a new key credential and authenticated via PKINIT.
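The decision tree above can be run mechanically over Security log events. The following Python is an added example, not part of the original note: it takes 5136 writes to msDS-KeyCredentialLink (step 1), recovers the source address of the session that performed each write by matching the 5136 SubjectLogonId to the TargetLogonId of the 4624 that opened that session on the domain controller (step 2, since 5136 itself carries no address), and then looks for 4768 TGT requests for the modified account that carry certificate information, which only appears when the TGT was obtained via PKINIT (step 5). The sample events are constructed, the field names follow the Windows Security event data, and the 30-minute window is an assumed tuning value. Note that 5136 is only written when the "Audit Directory Service Changes" subcategory is enabled and the object carries a SACL covering attribute writes.

```python
# Added example: correlate msDS-KeyCredentialLink writes (5136) with the session
# that made them (4624) and later PKINIT TGT requests (4768). Sample events are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

KEYCRED_ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED = "%%14674"  # 5136 OperationType resource string for "Value Added"


@dataclass
class Event:
    time: datetime
    event_id: int
    data: dict  # event data fields as they appear in the Security log XML


def cn_from_dn(dn: str) -> str:
    """First RDN value of a DN: 'CN=svc-backup,OU=...' -> 'svc-backup'."""
    return dn.split(",")[0].split("=", 1)[1]


def correlate(events, window=timedelta(minutes=30)):
    """One finding per msDS-KeyCredentialLink write, following the decision tree."""
    events = sorted(events, key=lambda e: e.time)

    # Step 2: 5136 has no source address, but its SubjectLogonId equals the
    # TargetLogonId of the 4624 logon on the DC, and 4624 records IpAddress.
    logon_source = {
        e.data["TargetLogonId"]: e.data.get("IpAddress", "-")
        for e in events if e.event_id == 4624
    }

    findings = []
    for e in events:
        # Step 1: the suspicious event itself
        if e.event_id != 5136 or e.data.get("AttributeLDAPDisplayName") != KEYCRED_ATTR:
            continue
        target = cn_from_dn(e.data["ObjectDN"])
        # Step 5: 4768 for the target account inside the window with certificate
        # fields populated. An empty CertThumbprint means the TGT was requested
        # with a password or NTLM hash, not via PKINIT. Computer accounts appear
        # in 4768 as NAME$, hence the rstrip.
        pkinit = [
            x for x in events
            if x.event_id == 4768
            and x.data.get("TargetUserName", "").rstrip("$").lower() == target.lower()
            and x.data.get("CertThumbprint")
            and e.time <= x.time <= e.time + window
        ]
        findings.append({
            "time": e.time,
            "modifier": e.data.get("SubjectUserName"),
            "source_ip": logon_source.get(e.data.get("SubjectLogonId"), "unknown"),
            "target": target,
            "value_added": e.data.get("OperationType") == VALUE_ADDED,
            "pkinit_sources": sorted({x.data.get("IpAddress", "-") for x in pkinit}),
            "confirmed": bool(pkinit),
        })
    return findings


# Constructed sample telemetry (not real events): an attacker-style sequence for
# svc-backup from 10.0.5.23, and a write to a workstation object with no PKINIT after it.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SVC_DN = "CN=svc-backup,OU=Service,DC=corp,DC=example"
WS_DN = "CN=WS042,OU=Workstations,DC=corp,DC=example"
SAMPLE_EVENTS = [
    Event(T0 - timedelta(seconds=5), 4624, {"TargetUserName": "jdoe", "TargetLogonId": "0x3E7A1", "IpAddress": "10.0.5.23"}),
    Event(T0, 5136, {"SubjectUserName": "jdoe", "SubjectLogonId": "0x3E7A1", "AttributeLDAPDisplayName": KEYCRED_ATTR,
                     "ObjectDN": SVC_DN, "OperationType": VALUE_ADDED}),
    Event(T0 + timedelta(minutes=1), 4768, {"TargetUserName": "svc-backup", "IpAddress": "10.0.5.23", "CertThumbprint": ""}),
    Event(T0 + timedelta(minutes=3), 4768, {"TargetUserName": "svc-backup", "IpAddress": "10.0.5.23", "CertThumbprint": "3F1A-CONSTRUCTED"}),
    Event(T0 + timedelta(minutes=9), 4624, {"TargetUserName": "svc-enroll", "TargetLogonId": "0x5C0DE", "IpAddress": "10.0.1.5"}),
    Event(T0 + timedelta(minutes=10), 5136, {"SubjectUserName": "svc-enroll", "SubjectLogonId": "0x5C0DE",
                                             "AttributeLDAPDisplayName": KEYCRED_ATTR, "ObjectDN": WS_DN, "OperationType": VALUE_ADDED}),
    Event(T0 + timedelta(minutes=12), 5136, {"SubjectUserName": "svc-enroll", "SubjectLogonId": "0x5C0DE",
                                             "AttributeLDAPDisplayName": "description", "ObjectDN": WS_DN, "OperationType": VALUE_ADDED}),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Findings with `confirmed` set are the step-5 cases; the unconfirmed ones still deserve step 3 (is the modifying account expected to manage key credentials, as an enrollment system would be?) before they are closed.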

Example Detection Templates

KQL

// 5136: writes to msDS-KeyCredentialLink on any object
SecurityEvent
| where EventID == 5136
| where AttributeLDAPDisplayName == "msDS-KeyCredentialLink"

// 4768: TGT requests per account and source in 5-minute buckets; new sources
// or spikes for an account right after a 5136 above are the pivot point
SecurityEvent
| where EventID == 4768
| summarize count() by TargetUserName, IpAddress, bin(TimeGenerated, 5m)

EQL

// field path assumes the winlogbeat / Elastic Agent ECS mapping of the Security channel
any where event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "msDS-KeyCredentialLink"

Sigma

title: Suspicious msDS-KeyCredentialLink Modification
id: shadow-credentials-detection
status: experimental
description: Detects modification of msDS-KeyCredentialLink which may indicate Shadow Credential attack
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeLDAPDisplayName: msDS-KeyCredentialLink
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
falsepositives:
  - Legitimate certificate enrollment systems
level: high
tags:
  - attack.persistence
  - attack.t1556

Mitigation & Hardening

Control Area     | Mitigation                                                   | Effectiveness | Notes
-----------------|--------------------------------------------------------------|---------------|------------------------------------
Privilege review | Audit ACLs allowing modification of msDS-KeyCredentialLink   | Critical      | Remove unnecessary permissions.
Monitoring       | Alert on msDS-KeyCredentialLink attribute changes            | Critical      | Primary detection mechanism.
PKI governance   | Restrict certificate authentication usage                    | High          | Limits attack surface.
Least privilege  | Restrict who can manage authentication attributes            | High          | Prevents unauthorized modification.
EDR monitoring   | Detect execution of Certipy or Whisker tools                 | High          | Stops attacker tooling early.
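The privilege-review row is the control that removes the precondition for the whole technique, so it helps to have a repeatable check. The following Python is an added example, not from the original note: it takes ACEs exported from the directory (here constructed records in a simplified shape) and reports every principal that can write msDS-KeyCredentialLink, either through an explicit WriteProperty on that attribute, a WriteProperty with a null object type that covers all attributes, or a broad right (GenericAll, GenericWrite, WriteDacl, WriteOwner) that reaches the same outcome. The attribute GUID is the schema GUID of msDS-KeyCredentialLink as commonly cited and should be verified against your own forest schema; the allowlist of principals expected to hold the right is an assumption to tune per environment. Deny ACEs are ignored rather than evaluated, so a result here is a list of candidates to review, not a final effective-rights calculation.

```python
# Added example: flag ACEs that grant write access to msDS-KeyCredentialLink.
# ACE records are constructed; GUID and allowlist are assumptions to verify locally.
from dataclasses import dataclass

KEYCRED_GUID = "5b47d60f-6090-40b2-9f37-2a4de88f3063"        # msDS-KeyCredentialLink schema GUID (verify in your forest)
ALL_PROPERTIES = "00000000-0000-0000-0000-000000000000"      # null ObjectType: WriteProperty applies to every attribute
BROAD_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}  # each reaches the attribute, directly or via a DACL edit
DEFAULT_ALLOWLIST = {                                        # assumed set of principals expected to hold the right
    "CORP\\Domain Admins", "CORP\\Enterprise Admins",
    "CORP\\Key Admins", "CORP\\Enterprise Key Admins", "NT AUTHORITY\\SYSTEM",
}


@dataclass(frozen=True)
class Ace:
    object_dn: str
    principal: str
    rights: frozenset      # ActiveDirectoryRights names, e.g. {"WriteProperty"}
    object_type: str       # attribute GUID the ACE is scoped to, or ALL_PROPERTIES
    ace_type: str          # "Allow" or "Deny"
    inherited: bool


def grants_keycred_write(ace: Ace) -> bool:
    """True if this Allow ACE lets the principal add a key credential."""
    if ace.ace_type != "Allow":
        return False  # Deny ACEs are not evaluated here; see the lead-in
    if ace.rights & BROAD_RIGHTS:
        return True
    return "WriteProperty" in ace.rights and ace.object_type.lower() in {KEYCRED_GUID, ALL_PROPERTIES}


def audit(aces, allowlist=DEFAULT_ALLOWLIST):
    """Return candidate ACEs for removal: write-capable and not on the allowlist."""
    return [
        {"object": ace.object_dn, "principal": ace.principal,
         "rights": sorted(ace.rights), "inherited": ace.inherited}
        for ace in aces
        if grants_keycred_write(ace) and ace.principal not in allowlist
    ]


# Constructed sample export (not from a real directory)
SVC_DN = "CN=svc-backup,OU=Service,DC=corp,DC=example"
WS_OU = "OU=Workstations,DC=corp,DC=example"
UNRELATED_ATTR = "11111111-1111-1111-1111-111111111111"  # placeholder GUID for some other attribute
SAMPLE_ACES = [
    Ace(SVC_DN, "CORP\\Domain Admins", frozenset({"GenericAll"}), ALL_PROPERTIES, "Allow", True),       # allowlisted
    Ace(SVC_DN, "CORP\\Helpdesk", frozenset({"WriteProperty"}), KEYCRED_GUID, "Allow", False),          # flagged
    Ace(SVC_DN, "CORP\\Helpdesk", frozenset({"WriteProperty"}), UNRELATED_ATTR, "Allow", False),        # other attribute
    Ace(WS_OU, "CORP\\Workstation Users", frozenset({"GenericWrite"}), ALL_PROPERTIES, "Allow", True),  # flagged, inherited
    Ace(WS_OU, "CORP\\Contractors", frozenset({"GenericAll"}), ALL_PROPERTIES, "Deny", False),          # Deny, skipped
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_ACES):
        print(hit)
```

Inherited hits (the Workstation Users entry above) usually point at an OU-level grant, so the fix belongs on the OU rather than on each object.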