Detections
Analytics

Shadow Credentials

high

Language:

Description

The Shadow Credentials backdoor technique exploits the legitimate Microsoft "Windows Hello for Business" feature. If the Active Directory does not use this feature, it is easy to detect this persistence mechanism. If it does use this feature, misconfigurations could indicate compromise or poor management practices.

Solution

Misconfigurations of key credentials in the Windows Hello for Business feature can have a significant impact on Active Directory security, potentially introducing alternative authentication methods. Therefore, it is imperative to give them thorough attention and supervision.

See Also

Shadow Credentials Abusing Key Trust Account Mapping for Account Takeover

Shadow Credentials

Parsing the msDS-KeyCredentialLink value for ShadowCredentials attack

Black Hat Europe 2019 - Exploiting Windows Hello for Business

WHfB and Entra ID - Say hello to your new cache flow

Indicator Details

Name: Shadow Credentials

Codename: C-SHADOW-CREDENTIALS

Severity: High

MITRE ATT&CK Information:

Tactics: TA0003, TA0006

Techniques: T1098, T1556

Attacker Known Tools

Michael Grafnetter: DSInternals

Elad Shamir: Whisker

Charlie Bromberg: pywhisker