"Credential roaming" is the mechanism that lets a user access their secrets (certificates, private keys and DPAPI-protected data) from any computer in the domain. Active Directory stores these credentials on the user object and protects them with a key derived from the user's password together with a key stored in the ms-PKI-DPAPIMasterKeys attribute, which is itself encrypted with a secret backup key. If an unprivileged user can control these credential attributes and obtains the backup key, the user's secrets are no longer protected.
An attacker who gains control over the credential roaming attributes can decrypt and read potentially confidential information, or delete the attributes to cause a denial of service.
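The practical check for this indicator is to find out which principals, other than the user and the built-in administrative groups, hold write rights on the credential roaming attributes of user objects. The following PowerShell script is an added example and not part of the original indicator page or of the referenced tools; it assumes the RSAT ActiveDirectory module (and the `AD:` drive it provides), that it runs on a domain-joined host so that `$env:USERDOMAIN` is the domain's NetBIOS name, and it uses the real attribute names msPKI-AccountCredentials, msPKI-DPAPIMasterKeys and msPKI-RoamingTimeStamp, of which the page names only the second. Run it in an audit context; it only reads ACLs.

```powershell
# Added example: report non-trusted principals with write rights on the
# credential roaming attributes of user objects (read-only audit).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext   # narrow to an OU DN on large domains

# The attributes used by credential roaming (ms-PKI-DPAPIMasterKeys is the one
# the indicator text names; the other two belong to the same feature).
$roamingAttrs = 'msPKI-AccountCredentials', 'msPKI-DPAPIMasterKeys', 'msPKI-RoamingTimeStamp'

# Resolve each attribute's schemaIDGUID so attribute-scoped ACEs can be matched.
$attrGuids = @{}
foreach ($name in $roamingAttrs) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($schemaObj) { $attrGuids[[guid]$schemaObj.schemaIDGUID] = $name }
}

# Principals expected to write these attributes. SELF is legitimate: the user's
# own DPAPI stack writes the roaming data. Everything else is reported.
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
)

# Rights that allow changing the attribute directly, or changing the ACL so
# that write access can be granted later.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$findings = foreach ($user in Get-ADUser -Filter * -SearchBase $domainDN) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $writeRights) -eq 0) { continue }
        # An empty ObjectType means the ACE covers every attribute of the object;
        # otherwise it must name one of the roaming attributes to matter here.
        $allAttrs = ($ace.ObjectType -eq [guid]::Empty)
        if (-not $allAttrs -and -not $attrGuids.ContainsKey($ace.ObjectType)) { continue }
        [pscustomobject]@{
            User      = $user.SamAccountName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Attribute = if ($allAttrs) { '(all attributes)' } else { $attrGuids[$ace.ObjectType] }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object User, Principal | Format-Table -AutoSize
```

Every row is a principal that could rewrite or clear a user's roaming credentials; inherited rows usually point at a delegation on a parent OU, which is where the fix belongs. Default delegations such as Account Operators will appear as well, so review the output against the delegation model before treating each row as a finding.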
Name: Vulnerable Credential Roaming Related Attributes
Codename: C-CREDENTIAL-ROAMING
Severity: Low
Michael Grafnetter: DSinternals
Benjamin Delpy: Mimikatz - DCShadow module