Identifies modification of the msPKIAccountCredentials attribute on an Active Directory user object. Attackers can abuse the Credential Roaming feature, which synchronizes this attribute to the user's profile, to turn a write to it into an arbitrary file write on the endpoint and escalate privileges. The attribute (LDAP display name msPKIAccountCredentials; schema name ms-PKI-AccountCredentials) holds binary large objects (BLOBs) of encrypted credential objects from the Credential Manager store, private keys, certificates, and certificate requests. Writes to it are normally performed by the system itself, so the rule ignores changes made by the local SYSTEM account (S-1-5-18).
Rule type: query
Risk score: 47
Runs every: 5m
Maximum alerts per execution: 100
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Data Source: Active Directory
- Tactic: Privilege Escalation
- Use Case: Active Directory Monitoring
Rule license: Elastic License v2
event.action:"Directory Service Changes" and event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and not winlog.event_data.SubjectUserSid : "S-1-5-18"
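To make the query's clauses concrete, the following Python snippet re-implements the same match logic and runs it over a few hand-constructed events shaped like the winlog/ECS documents the rule queries. This is an added example, not part of the Elastic rule or its documentation; the SIDs, distinguished names, user names and base64 payloads are made up, and the OperationType codes %%14674 (Value Added) and %%14675 (Value Deleted) are the standard codes logged by event 5136.

```python
"""Re-implementation of the rule's KQL match logic over constructed events.

Added example; not code from the Elastic rule or its documentation. The
event dictionaries mirror the winlog/ECS field names the query references.
"""
from typing import Any

SYSTEM_SID = "S-1-5-18"            # excluded by the rule's `not` clause
VALUE_ADDED = "%%14674"            # 5136 OperationType: Value Added
VALUE_DELETED = "%%14675"          # 5136 OperationType: Value Deleted
TARGET_ATTRIBUTE = "msPKIAccountCredentials"


def matches_rule(event: dict[str, Any]) -> bool:
    """Return True when `event` satisfies every clause of the KQL query.

    Mirrors KQL semantics for the negated clause: an event with no
    SubjectUserSid field still matches, because `not field:value` is true
    when the field is absent.
    """
    ev = event.get("event", {})
    data = event.get("winlog", {}).get("event_data", {})
    return (
        ev.get("action") == "Directory Service Changes"
        and str(ev.get("code")) == "5136"
        and data.get("AttributeLDAPDisplayName") == TARGET_ATTRIBUTE
        and data.get("OperationType") == VALUE_ADDED
        and data.get("SubjectUserSid") != SYSTEM_SID
    )


def make_event(sid: str, user: str, attribute: str, op_type: str) -> dict[str, Any]:
    """Build a constructed 5136 'Directory Service Changes' event (hypothetical values)."""
    return {
        "event": {"action": "Directory Service Changes", "code": "5136"},
        "winlog": {
            "event_data": {
                "SubjectUserSid": sid,
                "SubjectUserName": user,
                "ObjectDN": "CN=Target User,CN=Users,DC=example,DC=local",  # constructed
                "ObjectClass": "user",
                "AttributeLDAPDisplayName": attribute,
                "OperationType": op_type,
                "AttributeValue": "AQAAAB8AAAC...",  # constructed, truncated BLOB
            }
        },
    }


# Constructed sample set: one abusive write plus three benign/noise events.
LOW_PRIV_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
SAMPLE_EVENTS = [
    # 1. A non-SYSTEM principal adds a value to the roaming attribute -> alert
    make_event(LOW_PRIV_SID, "jdoe", TARGET_ATTRIBUTE, VALUE_ADDED),
    # 2. SYSTEM performs the same write (normal Credential Roaming sync) -> ignored
    make_event(SYSTEM_SID, "SYSTEM", TARGET_ATTRIBUTE, VALUE_ADDED),
    # 3. The companion 'Value Deleted' event for a replaced value -> ignored
    make_event(LOW_PRIV_SID, "jdoe", TARGET_ATTRIBUTE, VALUE_DELETED),
    # 4. Same principal writes an unrelated attribute -> ignored
    make_event(LOW_PRIV_SID, "jdoe", "description", VALUE_ADDED),
]


def alerting_events(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the subset of `events` that would raise an alert under this rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerting_events(SAMPLE_EVENTS):
        d = hit["winlog"]["event_data"]
        print(f"ALERT: {d['SubjectUserName']} ({d['SubjectUserSid']}) "
              f"added {d['AttributeLDAPDisplayName']} on {d['ObjectDN']}")
```

Two operational caveats follow from the logic. Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled on the domain controllers and the user object's SACL audits Write Property, so the rule is silent without that auditing in place. And because replacing a single-valued attribute logs a Value Deleted (%%14675) and a Value Added (%%14674) pair, the rule deliberately keys only on the added value so that one modification produces one alert.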
Framework: MITRE ATT&CK™