Query Details

RULE 05 AD Shadow Credentials Key Credential Link

Query

// =========================================================
// RULE-05 | AD-ShadowCredentials-KeyCredentialLink
// Description : Shadow Credentials attack detection — Event
//               5136 (Directory Service Object Modified)
//               showing a WRITE operation on the attribute
//               msDS-KeyCredentialLink on any user or computer
//               object.
//               An attacker with GenericWrite on a target
//               writes their own public key to this attribute,
//               then uses PKINIT (certificate-based Kerberos)
//               to obtain the NT hash without touching the
//               password.
// Severity    : High (user object) → Critical (computer object
//               or DA-level account targeted)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1556.006 — Modify Authentication Process:
//               Multi-Factor Authentication
//               T1098      — Account Manipulation
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// High-value targets: DA/EA/privileged accounts
// (determined heuristically — expand as needed)
let TierZeroNames = datatable(TZName:string)
[
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "krbtgt"
];

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5136                              // DS Object Modified
| where OperationType == "%%14674"                   // Write Value (attribute set)
| where AttributeLDAPDisplayName =~ "msDS-KeyCredentialLink"
| extend
    ActorAccount   = strcat(SubjectDomainName, "\\", SubjectUserName),
    TargetObject   = ObjectDN,
    ObjectClass    = ObjectClass,
    IsComputerObj  = ObjectClass =~ "computer",
    IsUserObj      = ObjectClass =~ "user"
| extend
    IsTierZeroTarget = iff(ObjectDN has_any (TierZeroNames), true, false)
| extend
    Severity = case(
        IsTierZeroTarget or IsComputerObj, "Critical",
        IsUserObj,                         "High",
        "Medium"
    ),
    WhySuspicious = strcat(
        "ShadowCredentials_KeyCredentialLink_Write; ",
        iff(IsTierZeroTarget, "TierZero_Target; ", ""),
        iff(IsComputerObj, "Computer_Object_Target; ", ""),
        iff(IsUserObj, "User_Object_Target; ", ""),
        "Actor: ", SubjectUserName
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    TargetObject,
    ObjectClass,
    IsTierZeroTarget,
    Computer,
    SubjectUserName,
    SubjectDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect potential "Shadow Credentials" attacks in an Active Directory environment. Here's a simplified breakdown of what it does:

  1. Purpose: The query identifies suspicious modifications to the msDS-KeyCredentialLink attribute on user or computer objects in Active Directory. This is indicative of a "Shadow Credentials" attack, where an attacker writes their own public key to this attribute to gain unauthorized access without needing the password.

  2. Severity Levels:
    • Critical: If the target is a computer object or a high-value account (like Domain Admins).
    • High: If the target is a regular user object.
    • Medium: For other cases not explicitly defined.

  3. Frequency: The query runs every 15 minutes and looks back over the last 15 minutes of data.

  4. Detection Logic:
    • It filters security events to find Event ID 5136, which indicates a directory service object modification.
    • It specifically looks for write operations (OperationType == "%%14674") on the msDS-KeyCredentialLink attribute.
    • It checks whether the target object is a computer or a user, and whether its distinguished name contains a high-value name such as "Domain Admins" or "Enterprise Admins" (a heuristic, as the query's comments note).

  5. Output: The query produces a list of suspicious activities, detailing:
    • The time the event was generated.
    • The severity of the event.
    • A description of why the activity is suspicious.
    • Information about the actor (who made the change) and the target object.

  6. Use Case: This query is useful for security teams to monitor and respond to potential unauthorized access attempts in their Active Directory environment, especially those targeting high-value accounts or systems.
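To sanity-check the rule's classification offline, the following added Python model reproduces the query's where-filters and severity case() over constructed 5136 rows; it is not part of the original KQL, and the account names, DNs and sample rows are invented.

```python
from typing import Optional

# Names the query's TierZeroNames datatable treats as high value.
TIER_ZERO_NAMES = ["Domain Admins", "Enterprise Admins", "Schema Admins",
                   "Administrators", "Account Operators", "krbtgt"]
VALUE_ADDED = "%%14674"    # 5136 OperationType "Value Added" (the write)
VALUE_DELETED = "%%14675"  # logged just before it when a value is replaced

def classify(ev: dict) -> Optional[dict]:
    """Mirror the KQL where-filters and severity case() for one SecurityEvent row."""
    if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
        return None
    if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    dn, cls = ev["ObjectDN"], ev["ObjectClass"].lower()
    # KQL has_any is a case-insensitive term match on the DN; a substring
    # test approximates it and keeps the query's heuristic nature.
    is_tier_zero = any(n.lower() in dn.lower() for n in TIER_ZERO_NAMES)
    is_computer, is_user = cls == "computer", cls == "user"
    severity = ("Critical" if is_tier_zero or is_computer
                else "High" if is_user else "Medium")
    why = ("ShadowCredentials_KeyCredentialLink_Write; "
           + ("TierZero_Target; " if is_tier_zero else "")
           + ("Computer_Object_Target; " if is_computer else "")
           + ("User_Object_Target; " if is_user else "")
           + "Actor: " + ev["SubjectUserName"])
    return {"Severity": severity, "WhySuspicious": why, "TargetObject": dn,
            "ActorAccount": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'}

def run_rule(events: list) -> list:
    """Apply classify() to every row and keep only the matches."""
    return [f for f in map(classify, events) if f is not None]

# Constructed sample rows (invented names and DNs, not real telemetry).
def _row(op, dn, cls, attr="msDS-KeyCredentialLink", actor="jsmith"):
    return {"EventID": 5136, "OperationType": op, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "SubjectUserName": actor,
            "SubjectDomainName": "CORP"}

SAMPLE_EVENTS = [
    _row(VALUE_DELETED, "CN=WS01,OU=Workstations,DC=corp,DC=local", "computer"),
    _row(VALUE_ADDED, "CN=WS01,OU=Workstations,DC=corp,DC=local", "computer"),
    _row(VALUE_ADDED, "CN=Ann Lee,OU=Staff,DC=corp,DC=local", "user"),
    _row(VALUE_ADDED, "CN=svc-backup,OU=Domain Admins,DC=corp,DC=local", "user"),
    _row(VALUE_ADDED, "CN=Ann Lee,OU=Staff,DC=corp,DC=local", "user",
         attr="servicePrincipalName"),
    _row(VALUE_ADDED, "CN=gmsa-sql,CN=Managed Service Accounts,DC=corp,DC=local",
         "msDS-GroupManagedServiceAccount"),
]
```

Note that the Value Deleted half of a replace and the write to an unrelated attribute drop out, while a gMSA object falls through to Medium under the query's case() logic.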

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Devices, User, Computer, Account, Authentication, Process, Admins, Operators

Operators

let, datatable, =~, >, ago, ==, |, extend, strcat, has_any, iff, case, project, order by, desc
