Sample rules
Potential Shadow Credentials added to AD Object
- source: elastic
- techniques: T1556
 
Description
Identifies modification of the msDS-KeyCredentialLink attribute on an Active Directory computer or user object. An attacker with write access to the object can generate a key pair, append the raw public key to this attribute, and then authenticate as the target user or computer with that key, gaining persistent and stealthy access. Event 5136 is only recorded when the "Audit Directory Service Changes" subcategory is enabled and the object's SACL audits writes to the attribute, so the rule has no telemetry to match without that audit configuration. The exclusion of MSOL_* accounts suppresses the Azure AD Connect synchronization account, a known legitimate writer of this attribute.
Detection logic
event.code:"5136" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and
  winlog.event_data.AttributeValue :B\:828* and
  not winlog.event_data.SubjectUserName: MSOL_*
Possible Shadow Credentials Added
- source: sigma
- techniques: T1556
 
Description
Detects the possible addition of shadow credentials to an Active Directory object. Unlike the Elastic rule above, it neither requires the B:828 value prefix nor excludes the MSOL_* synchronization account, so it is broader and will need tuning for legitimate writers in a given environment.
Detection logic
selection:
  EventID: 5136
  AttributeLDAPDisplayName: msDS-KeyCredentialLink
condition: selection
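Worked example, added here and not taken from Elastic, SigmaHQ, or Microsoft: both rules above expressed as Python predicates and run over a handful of constructed Event ID 5136 records, so the difference between the narrow Elastic logic and the broad Sigma logic is visible on concrete input. The event dictionaries, account names, DNs, and KeyCredentialLink hex blobs are all constructed placeholders (the blobs are zero-filled, not real key material); the flat keys stand in for the winlog.event_data.* fields the Elastic rule references. The parse_dn_binary helper is an assumption about the DN-with-binary layout "B:<hex char count>:<hex>:<DN>", which is why a 414-byte blob yields the "B:828" prefix the Elastic rule keys on.

```python
"""Shadow-credential rules (Event ID 5136 on msDS-KeyCredentialLink) run over
constructed sample events. Added illustration; not Elastic, SigmaHQ, or Microsoft code."""
from typing import Dict, List, Tuple

# Constructed placeholder blobs. msDS-KeyCredentialLink is stored as DN-with-binary:
# "B:<hex char count>:<hex>:<DN>". 414 bytes -> 828 hex chars, hence "B:828".
BLOB_414 = "00020000" + "00" * 410   # 414 bytes -> 828 hex characters
BLOB_512 = "00020000" + "00" * 508   # 512 bytes -> 1024 hex characters

TARGET_DN = "CN=FILESRV01,CN=Computers,DC=corp,DC=local"   # constructed

# Constructed events; keys mirror winlog.event_data.* fields used by the rules.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # evt-1: ordinary user account writes a 414-byte KeyCredential to a computer
        "id": "evt-1", "event.code": "5136",
        "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
        "AttributeValue": f"B:828:{BLOB_414}:{TARGET_DN}",
        "SubjectUserName": "jdoe",
    },
    {   # evt-2: same write, but by an Azure AD Connect sync account (MSOL_ prefix)
        "id": "evt-2", "event.code": "5136",
        "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
        "AttributeValue": f"B:828:{BLOB_414}:{TARGET_DN}",
        "SubjectUserName": "MSOL_4f3a2b1c9d8e",
    },
    {   # evt-3: 5136 on an unrelated attribute
        "id": "evt-3", "event.code": "5136",
        "AttributeLDAPDisplayName": "servicePrincipalName",
        "AttributeValue": "HOST/filesrv01.corp.local",
        "SubjectUserName": "svc_admin",
    },
    {   # evt-4: KeyCredentialLink write whose blob is not 414 bytes
        "id": "evt-4", "event.code": "5136",
        "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
        "AttributeValue": f"B:1024:{BLOB_512}:{TARGET_DN}",
        "SubjectUserName": "jdoe",
    },
    {   # evt-5: a different event ID entirely
        "id": "evt-5", "event.code": "4662",
        "AttributeLDAPDisplayName": "",
        "AttributeValue": "",
        "SubjectUserName": "jdoe",
    },
]


def parse_dn_binary(value: str) -> Tuple[int, str]:
    """Split a DN-with-binary value into (blob length in bytes, target DN).
    Raises ValueError when the declared hex length does not match the payload."""
    tag, declared, hexblob, dn = value.split(":", 3)
    if tag != "B" or int(declared) != len(hexblob):
        raise ValueError(f"malformed DN-with-binary value: {value[:40]}...")
    return len(bytes.fromhex(hexblob)), dn


def elastic_rule(ev: Dict[str, str]) -> bool:
    """event.code 5136, attribute msDS-KeyCredentialLink, value prefix B:828,
    subject not MSOL_* (the Elastic rule's four clauses)."""
    return (
        ev.get("event.code") == "5136"
        and ev.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink"
        and ev.get("AttributeValue", "").startswith("B:828")
        and not ev.get("SubjectUserName", "").startswith("MSOL_")
    )


def sigma_rule(ev: Dict[str, str]) -> bool:
    """EventID 5136 and AttributeLDAPDisplayName msDS-KeyCredentialLink only."""
    return (
        ev.get("event.code") == "5136"
        and ev.get("AttributeLDAPDisplayName") == "msDS-KeyCredentialLink"
    )


def run_rules(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return, per rule, the ids of the events it fires on, in input order."""
    return {
        "elastic": [ev["id"] for ev in events if elastic_rule(ev)],
        "sigma": [ev["id"] for ev in events if sigma_rule(ev)],
    }


if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    print("elastic:", hits["elastic"])   # ['evt-1']
    print("sigma:  ", hits["sigma"])     # ['evt-1', 'evt-2', 'evt-4']
    for ev in SAMPLE_EVENTS:
        if sigma_rule(ev):
            size, dn = parse_dn_binary(ev["AttributeValue"])
            print(f"{ev['id']}: {size}-byte KeyCredential on {dn} by {ev['SubjectUserName']}")
```

The Sigma predicate fires on evt-2 and evt-4 as well as evt-1, which is the noise the Elastic rule trades away with its value-prefix and MSOL_ clauses; whether that trade is right depends on whether a 414-byte blob is the only shape your environment's attacker tooling produces.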
