How Hackers Achieve Invisible Persistence in Active Directory: Shadow Credentials &…
Summary
Microsoft’s Active Directory (AD) is a prime target for attackers seeking to gain privileged access and maintain persistence due to its importance in authenticating and authorizing access to enterprise networks.
One such technique, ‘Shadow Credentials’, abuses write access to the msDS-KeyCredentialLink attribute, allowing an attacker to add a KeyCredential containing their own public key to a user or computer object in AD.
The attacker can then authenticate as that account, not as any user but as the specific object whose attribute they could write, by requesting a Kerberos TGT through PKINIT with a certificate for the injected key. Kerberos is not bypassed; it is used as designed, and possession of the matching private key is all the proof the domain controller requires.
Attacks like this are hard to detect because they never touch the account’s password and ride on legitimate authentication mechanisms. They are not invisible, though: with Directory Service Changes auditing and a Write Property SACL on the objects, the modification is logged as Security event 5136 naming the attribute, the writer and the value written, and the subsequent PKINIT logon appears as a 4768 TGT request carrying certificate details rather than a pre-authentication timestamp.
This combination of low noise and durable access makes the technique a prime choice for attackers looking to stay stealthy and keep persistence on a compromised network.
It is, therefore, crucial that write access to this attribute is monitored (including GenericWrite, GenericAll and WriteProperty on msDS-KeyCredentialLink, as well as WriteDACL and WriteOwner rights that can be turned into it), and that membership of the Key Admins and Enterprise Key Admins groups, which can write the attribute on every object in the domain or forest, is kept to a minimum.
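As an added example that is not part of the original article, the following Python script shows how the monitoring recommended above can be implemented for the attribute write described earlier: it filters Directory Service Changes events (ID 5136) for values added to msDS-KeyCredentialLink, discards the expected writers, and decodes the KEYCREDENTIALLINK_BLOB that was written so the analyst sees the key ID, device ID and creation time the attacker injected. The event records, the allow-listed sync account name and the self-enrolment baseline (a computer account writing its own object) are constructed assumptions for illustration; the blob layout follows MS-ADTS.

```python
"""Flag writes to msDS-KeyCredentialLink in Windows Security Event ID 5136
(Directory Service Changes) and decode the KEYCREDENTIALLINK_BLOB that was written."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

KEYCREDENTIALLINK_VERSION = 0x00000200          # MS-ADTS 2.2.20.2, fixed version value
ENTRY_NAMES = {                                  # MS-ADTS 2.2.20.6 entry identifiers
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
OP_VALUE_ADDED = "%%14674"                       # 5136 OperationType "Value Added"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_key_credential_link(value: str) -> dict:
    """Decode a DN-Binary attribute value 'B:<hex digit count>:<hex blob>:<DN>'."""
    tag, count, hexblob, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexblob):
        raise ValueError("malformed DN-Binary value")
    blob = bytes.fromhex(hexblob)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KEYCREDENTIALLINK_VERSION:
        raise ValueError(f"unsupported KEYCREDENTIALLINK_BLOB version {version:#x}")
    entries, off = {"DN": dn}, 4
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)   # Length(2) Identifier(1) Value
        data = blob[off + 3: off + 3 + length]
        off += 3 + length
        name = ENTRY_NAMES.get(ident, f"Unknown_{ident:#04x}")
        if name == "DeviceId":
            entries[name] = str(uuid.UUID(bytes_le=data))
        elif name in ("KeyCreationTime", "KeyApproximateLastLogonTimeStamp"):
            entries[name] = filetime_to_datetime(struct.unpack("<Q", data)[0])
        elif name in ("KeyUsage", "KeySource"):
            entries[name] = data[0]
        else:
            entries[name] = data.hex()
    return entries


def find_shadow_credential_writes(events, allowed_writers=()):
    """Return 5136 'value added' events on msDS-KeyCredentialLink whose writer is
    neither the computer account writing its own object nor an allow-listed principal."""
    allowed = {w.lower() for w in allowed_writers}
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != OP_VALUE_ADDED:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        writer, target = ev["SubjectUserName"], ev["ObjectDN"]
        target_cn = target.split(",", 1)[0].partition("=")[2]
        # Assumption: a computer account updating its own object is the normal
        # self-enrolment path; tune this baseline for your environment.
        self_write = writer.endswith("$") and writer[:-1].lower() == target_cn.lower()
        if self_write or writer.lower() in allowed:
            continue
        key = parse_key_credential_link(ev["AttributeValue"])
        findings.append({"writer": writer, "target": target,
                         "device_id": key.get("DeviceId"), "key_id": key.get("KeyID"),
                         "created": key.get("KeyCreationTime")})
    return findings


# --- constructed sample data (not real domain controller output) ------------------
def _build_blob(entries):
    body = b"".join(struct.pack("<HB", len(v), i) + v for i, v in entries)
    return struct.pack("<I", KEYCREDENTIALLINK_VERSION) + body


SAMPLE_CREATED = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICE_ID = uuid.UUID("0f4a4b3e-6b5d-4c3a-9a1e-2f0d8c7b6a59")
_blob = _build_blob([
    (0x01, bytes(range(32))),                                   # KeyID (SHA-256 of the key)
    (0x04, b"\x01"),                                            # KeyUsage 0x01 = NGC
    (0x05, b"\x00"),                                            # KeySource 0x00 = AD
    (0x06, SAMPLE_DEVICE_ID.bytes_le),                          # DeviceId GUID
    (0x09, struct.pack("<Q", datetime_to_filetime(SAMPLE_CREATED))),
])


def _event(writer, obj_dn, attr="msDS-KeyCredentialLink", op=OP_VALUE_ADDED, value=None):
    if value is None:
        value = f"B:{len(_blob.hex())}:{_blob.hex()}:{obj_dn}"
    return {"EventID": 5136, "SubjectUserName": writer, "ObjectDN": obj_dn,
            "AttributeLDAPDisplayName": attr, "AttributeSyntaxOID": "2.5.5.7",
            "AttributeValue": value, "OperationType": op}


SAMPLE_EVENTS = [
    _event("WS05$", "CN=WS05,OU=Workstations,DC=corp,DC=example"),            # self-enrolment
    _event("svc_adsync", "CN=alice,CN=Users,DC=corp,DC=example"),             # sync account
    _event("jdoe", "CN=FS01,OU=Servers,DC=corp,DC=example",
           attr="servicePrincipalName", value="MSSQLSvc/fs01.corp.example"),  # other attribute
    _event("jdoe", "CN=FS01,OU=Servers,DC=corp,DC=example", op="%%14675"),    # value deleted
    _event("jdoe", "CN=FS01,OU=Servers,DC=corp,DC=example"),                  # suspicious
]

if __name__ == "__main__":
    for f in find_shadow_credential_writes(SAMPLE_EVENTS, allowed_writers=["svc_adsync"]):
        print(f)
```

Event 5136 is only generated when the Directory Service Changes audit subcategory is enabled and the affected objects carry a SACL auditing Write Property; without both, the write leaves no trace in the Security log. The decoded DeviceId and KeyID are the handles to chase next: a DeviceId that matches no known device and a KeyCreationTime seconds before a 4768 with certificate details for the same account is the pattern described in the summary above.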