Azure AD Connect or ADFS provisioning can legitimately modify msDS-KeyCredentialLink when the writer account, source, object class, target DN, bounded change set, and post-change authentication all match an expected workflow.

Techniques

Sample rules

Potential Shadow Credentials added to AD Object

Description

Identify the modification of the msDS-KeyCredentialLink attribute on an Active Directory computer or user object. An attacker with control over the object can create a key pair, append the raw public key to the attribute, and obtain persistent and stealthy access to the target user or computer object.

Detection logic

event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and
  winlog.event_data.AttributeValue :B\:828* and
  not winlog.event_data.SubjectUserName: MSOL_* and
  not winlog.event_data.ObjectClass: "msDS-Device"
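The detection logic above and the false-positive note at the top of the page, re-implemented as an added example (this is not Elastic's code and not part of the LoFP project): each clause of the rule is applied to constructed Windows 5136 events, the two exclusions (the MSOL_* sync account and msDS-Device objects) are reported as the reason an event did not fire, and a small per-writer summary shows the "bounded change set" check the false-positive note asks for. All event values, account names and DNs below are constructed placeholders, not real telemetry.

```python
# Added example, not Elastic's rule code: the KQL above re-implemented in Python so it
# can be run offline over constructed 5136 events.
from __future__ import annotations
from collections import Counter
from fnmatch import fnmatchcase

KEYCRED_ATTRIBUTE = "msDS-KeyCredentialLink"
KEYCRED_VALUE_PREFIX = "B:828"       # DN-Binary prefix the rule keys on (B\:828*)
SYNC_ACCOUNT_GLOB = "MSOL_*"         # Azure AD Connect sync account naming pattern
EXCLUDED_OBJECT_CLASS = "msDS-Device"


def evaluate(event: dict) -> str:
    """Apply the rule to one event and say why it did or did not fire.

    Returns "match" when every clause holds, otherwise a short reason naming
    the first clause that failed (handy when tuning exclusions).
    """
    if event.get("event.code") != "5136":
        return "skip: not a directory service object modification (5136)"
    if event.get("host.os.type") != "windows":
        return "skip: not a Windows host"
    data = event.get("winlog.event_data", {})
    if data.get("AttributeLDAPDisplayName") != KEYCRED_ATTRIBUTE:
        return "skip: other attribute"
    if not data.get("AttributeValue", "").startswith(KEYCRED_VALUE_PREFIX):
        return "skip: value is not a B:828 DN-Binary key credential"
    # Exclusion 1: the Azure AD Connect sync account writes this attribute as provisioning.
    if fnmatchcase(data.get("SubjectUserName", ""), SYNC_ACCOUNT_GLOB):
        return "excluded: Azure AD Connect sync account"
    # Exclusion 2: msDS-Device objects get key credentials from device registration.
    if data.get("ObjectClass") == EXCLUDED_OBJECT_CLASS:
        return "excluded: msDS-Device object"
    return "match"


def alerts(events: list[dict]) -> list[dict]:
    """Events that would raise an alert under the rule."""
    return [e for e in events if evaluate(e) == "match"]


def objects_per_writer(events: list[dict]) -> dict[str, int]:
    """Count distinct objects each alerting writer touched.

    A sanctioned provisioning run writes a bounded, predictable set of objects;
    one account putting key credentials on several unrelated objects is the
    pattern the false-positive note says should not be waved through.
    """
    seen = {(e["winlog.event_data"].get("SubjectUserName"),
             e["winlog.event_data"].get("ObjectDN")) for e in alerts(events)}
    return dict(Counter(writer for writer, _ in seen))


def _event(code, attr, value, writer, obj_class, dn, os="windows") -> dict:
    """Build a minimal winlog-shaped event (constructed helper, not an ECS schema)."""
    return {"event.code": code, "host.os.type": os,
            "winlog.event_data": {"AttributeLDAPDisplayName": attr,
                                  "AttributeValue": value,
                                  "SubjectUserName": writer,
                                  "ObjectClass": obj_class,
                                  "ObjectDN": dn}}


# Constructed sample events; the hex payload is a placeholder, not a real key credential.
WS_DN = "CN=WS01,OU=Workstations,DC=example,DC=local"
USER_DN = "CN=jdoe,OU=Users,DC=example,DC=local"
DEVICE_DN = "CN=abcd-1234,CN=RegisteredDevices,DC=example,DC=local"
SAMPLE_EVENTS = [
    _event("5136", KEYCRED_ATTRIBUTE, "B:828:0002000020000100...:" + WS_DN,
           "helpdesk-user", "computer", WS_DN),                       # fires
    _event("5136", KEYCRED_ATTRIBUTE, "B:828:0002000020000100...:" + USER_DN,
           "MSOL_1a2b3c4d5e6f", "user", USER_DN),                     # sync account, excluded
    _event("5136", KEYCRED_ATTRIBUTE, "B:828:0002000020000100...:" + DEVICE_DN,
           "svc-adfs", "msDS-Device", DEVICE_DN),                     # device object, excluded
    _event("5136", "servicePrincipalName", "HOST/WS01",
           "helpdesk-user", "computer", WS_DN),                       # other attribute, skipped
    _event("4662", KEYCRED_ATTRIBUTE, "B:828:0002000020000100...:" + WS_DN,
           "helpdesk-user", "computer", WS_DN),                       # wrong event id, skipped
    _event("5136", KEYCRED_ATTRIBUTE, "B:828:0002000020000100...:" + USER_DN,
           "helpdesk-user", "user", USER_DN),                         # fires: second object
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        d = e["winlog.event_data"]
        print(f"{d['SubjectUserName']:>18} -> {d['ObjectDN']:<55} {evaluate(e)}")
    print("objects per alerting writer:", objects_per_writer(SAMPLE_EVENTS))
```

The summary is the point of the false-positive note: rather than silencing every write by an account name, compare the writer, the object class and the target DN of each residual hit against the provisioning workflow you actually expect, and treat a writer touching more objects than that workflow should as a hit rather than noise.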