Modification of the msPKIAccountCredentials | Elastic Security Solution [master]

You are looking at preliminary documentation for a future release. Not what you want? See the current release documentation.

› › ›

« Modification of WDigest Security Provider Modification or Removal of an Okta Application Sign-On Policy »

Modification of the msPKIAccountCredentialsedit

Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.

Rule type: query

Rule indices:

winlogbeat-*
logs-system.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Windows
Threat Detection
Active Directory
Privilege Escalation

Version: 1

Added (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

event.action:"Directory Service Changes" and event.code:"5136" and
winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials"
and winlog.event_data.OperationType:"%%14674" and not
winlog.event_data.SubjectUserSid : "S-1-5-18"

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Exploitation for Privilege Escalation
- ID: T1068
- Reference URL: https://attack.mitre.org/techniques/T1068/

« Modification of WDigest Security Provider Modification or Removal of an Okta Application Sign-On Policy »