Query Details
//This query detects attempts to manipulate msDS-KeyCredentialLink attribute using Whisker tool
//Used for taking over AD user and computer accounts via "Shadow Credentials"
//Requires Windows Server 2016+ DC with server authentication certificate
DeviceProcessEvents
| where FileName in ("Whisker.exe")
| where ProcessCommandLine has_all ("/target", "/domain", "/dc")
| where ProcessCommandLine has_any ("add", "remove", "list", "clear")
| project Timestamp, DeviceName, DeviceId, ReportId, ProcessCommandLine, InitiatingProcessCommandLine

This query is designed to identify potential manipulation of the msDS-KeyCredentialLink attribute in Active Directory using the Whisker tool. Writing to this attribute is the basis of "Shadow Credentials," a technique used to take control of AD user and computer accounts; it works against domain controllers running Windows Server 2016 or later that hold a server authentication certificate. The query looks for executions of Whisker.exe whose command line names a target account, domain and domain controller (the "/target", "/domain" and "/dc" arguments) together with one of the actions "add", "remove", "list" or "clear". For each match it outputs the timestamp, device name, device ID, report ID, the process command line and the command line of the initiating process.
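To check what the rule actually matches before deploying it, the following is an added Python emulation of the query's three filter clauses, run over a handful of constructed DeviceProcessEvents rows. It is not part of the original query and not code from the Whisker project. It reproduces two KQL details that matter for coverage: `in` compares FileName case-sensitively, while `has_all`/`has_any` match whole terms case-insensitively (the term splitting here is a simplification of Kusto's indexing and is an assumption of the example). The `case_insensitive_name` switch shows what the rule would additionally catch if `in` were replaced by `in~`. Hostnames, account names and timestamps in the sample rows are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row (constructed, not real telemetry)."""
    timestamp: str
    device_name: str
    file_name: str
    command_line: str


def _terms(text: str) -> list[str]:
    # Approximation of Kusto term splitting: runs of alphanumerics/underscore,
    # compared case-insensitively. Assumption: adequate for command lines.
    return [t.lower() for t in re.findall(r"[A-Za-z0-9_]+", text)]


def kql_has(haystack: str, needle: str) -> bool:
    """Emulates KQL `has`: the needle must appear as whole term(s), not as a substring."""
    hay, want = _terms(haystack), _terms(needle)
    if not want:
        return False
    n = len(want)
    return any(hay[i:i + n] == want for i in range(len(hay) - n + 1))


def kql_has_all(text: str, needles) -> bool:
    return all(kql_has(text, n) for n in needles)


def kql_has_any(text: str, needles) -> bool:
    return any(kql_has(text, n) for n in needles)


# The literals from the rule itself.
FILE_NAMES = ("Whisker.exe",)
REQUIRED_ARGS = ("/target", "/domain", "/dc")
ACTIONS = ("add", "remove", "list", "clear")


def matches_rule(ev: ProcessEvent, case_insensitive_name: bool = False) -> bool:
    """Applies the three `where` clauses. KQL `in` is case-sensitive; pass
    case_insensitive_name=True to emulate `in~` instead."""
    if case_insensitive_name:
        name_ok = ev.file_name.lower() in {n.lower() for n in FILE_NAMES}
    else:
        name_ok = ev.file_name in FILE_NAMES
    return (name_ok
            and kql_has_all(ev.command_line, REQUIRED_ARGS)
            and kql_has_any(ev.command_line, ACTIONS))


def run_rule(events, case_insensitive_name: bool = False) -> list[ProcessEvent]:
    """Equivalent of the query's filtering; the `project` step is left to the caller."""
    return [ev for ev in events if matches_rule(ev, case_insensitive_name)]


# Constructed sample rows; hosts, accounts and times are placeholders.
SAMPLE_EVENTS = [
    # expected hit: tool name, all three arguments and an action word
    ProcessEvent("2024-11-10T09:12:01Z", "WS01", "Whisker.exe",
                 "Whisker.exe add /target:svc-backup$ /domain:corp.example /dc:dc01.corp.example"),
    # expected hit: action word first, arguments after
    ProcessEvent("2024-11-10T09:15:44Z", "WS01", "Whisker.exe",
                 "Whisker.exe list /target:jdoe /domain:corp.example /dc:dc01.corp.example"),
    # no action word at all: fails has_any
    ProcessEvent("2024-11-10T09:20:13Z", "WS02", "Whisker.exe",
                 "Whisker.exe /target:jdoe /domain:corp.example /dc:dc01.corp.example"),
    # "add" occurs only inside another word; `has` is term-based, so no hit
    ProcessEvent("2024-11-10T09:21:00Z", "WS02", "Whisker.exe",
                 "Whisker.exe /target:paddington /domain:corp.example /dc:dc01.corp.example"),
    # image name differs in case from the rule's literal: escapes the
    # case-sensitive `in` clause, caught only with the `in~` emulation
    ProcessEvent("2024-11-10T09:30:27Z", "WS03", "whisker.exe",
                 "whisker.exe add /target:jdoe /domain:corp.example /dc:dc01.corp.example"),
]


if __name__ == "__main__":
    for ev in run_rule(SAMPLE_EVENTS):
        print(ev.timestamp, ev.device_name, ev.command_line)
```

Running the block prints the two expected hits. The third and fourth rows show the two ways the command-line clauses can legitimately fail to fire, and the last row is the coverage gap a reviewer should weigh: the rule keys on an exact, case-sensitive file name, so `in~` (or a match on the tool's behaviour rather than its name) is the more robust choice.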

User Submission
Released: November 10, 2024