The Shadow Credentials backdoor technique abuses the Key Trust model of the legitimate Microsoft "Windows Hello for Business" feature: an attacker with write access to a target account's msDS-KeyCredentialLink attribute adds a public key under their control and can then authenticate as that account with the matching private key (PKINIT). If the Active Directory forest does not use this feature, the persistence mechanism is easy to detect, because no account should carry a populated msDS-KeyCredentialLink. If the feature is in use, unexpected or malformed key credentials can indicate either compromise or poor management practices.
Misconfigured or unmanaged key credentials in Windows Hello for Business have a significant impact on Active Directory security, because each key credential is an alternative authentication path for the account it is attached to. They therefore deserve thorough attention and regular review.
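The review described above starts with reading the attribute. As an added example (not code from this page, DSInternals, Whisker or pywhisker), the Python below parses a DN-Binary msDS-KeyCredentialLink value into the KEYCREDENTIALLINK_BLOB entries defined in MS-ADTS 2.2.20, verifies the embedded KeyHash, and applies a few audit heuristics: any key in a forest without Windows Hello for Business, a KeyUsage other than NGC, a KeySource other than on-premises AD, and a creation time that is in the future or inside a review window. The sample value is constructed here (the key material is filler, not a real key), the review window and the finding strings are this example's assumptions, and the KeySource check assumes an on-premises-only forest.

```python
"""Parse and audit an msDS-KeyCredentialLink value (MS-ADTS 2.2.20 KEYCREDENTIALLINK_BLOB).
Added example; the sample value is constructed, not exported from a real directory."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Entry identifiers (MS-ADTS 2.2.20.2); KeyHash covers every entry that follows it.
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, KEY_LAST_LOGON, KEY_CREATION = 0x06, 0x07, 0x08, 0x09
KEY_USAGE_NGC = 0x01        # Windows Hello for Business (NGC) key
KEY_SOURCE_AD = 0x00        # key provisioned against on-premises AD
BLOB_VERSION = 0x00000200
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    ft, = struct.unpack("<Q", raw)          # 100-ns ticks since 1601-01-01 UTC
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    d = dt - _EPOCH
    return struct.pack("<Q", (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10)


def parse_dn_binary(value: str):
    """Split the DN-Binary wrapper 'B:<hex length>:<hex>:<DN>' into (blob, dn)."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B" or int(parts[1]) != len(parts[2]):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(parts[2]), parts[3]


def parse_key_credential_link(blob: bytes) -> dict:
    """Decode the blob; raises ValueError on bad version, truncation or KeyHash mismatch."""
    if len(blob) < 4 or struct.unpack("<I", blob[:4])[0] != BLOB_VERSION:
        raise ValueError("unsupported KEYCREDENTIALLINK_BLOB version")
    key, pos, hash_check = {}, 4, None
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ValueError("truncated entry header")
        length, ident = struct.unpack("<HB", blob[pos:pos + 3])   # Length, Identifier, Value
        pos += 3
        val = blob[pos:pos + length]
        if len(val) != length:
            raise ValueError("truncated entry value")
        pos += length
        if ident == KEY_HASH:
            hash_check = (val, blob[pos:])
        elif ident == KEY_ID:
            key["key_id"] = val.hex()
        elif ident == KEY_MATERIAL:
            key["key_material"] = val
        elif ident in (KEY_USAGE, KEY_SOURCE):
            key["key_usage" if ident == KEY_USAGE else "key_source"] = val[0] if val else None
        elif ident == DEVICE_ID:
            key["device_id"] = val.hex()
        elif ident == KEY_LAST_LOGON:
            key["last_logon"] = filetime_to_datetime(val)
        elif ident == KEY_CREATION:
            key["created"] = filetime_to_datetime(val)
    if hash_check and hashlib.sha256(hash_check[1]).digest() != hash_check[0]:
        raise ValueError("KeyHash mismatch: blob is malformed or was modified")
    return key


def verify_blob(blob: bytes) -> bool:
    try:
        parse_key_credential_link(blob)
        return True
    except ValueError:
        return False


def audit_key(key: dict, whfb_deployed: bool, now: datetime, recent_days: int = 7) -> list:
    """Heuristic findings for one key; thresholds and wording are this example's assumptions."""
    findings = []
    if not whfb_deployed:
        findings.append("msDS-KeyCredentialLink populated but WHfB is not deployed")
    if key.get("key_usage") != KEY_USAGE_NGC:
        findings.append("KeyUsage is not NGC")
    if key.get("key_source") != KEY_SOURCE_AD:
        findings.append("KeySource is not on-premises AD")
    created = key.get("created")
    if created and (created > now or now - created < timedelta(days=recent_days)):
        findings.append("key created within the review window or in the future")
    return findings


def _entry(ident: int, val: bytes) -> bytes:
    return struct.pack("<HB", len(val), ident) + val


def build_sample_value(dn: str, created: datetime, last_logon: datetime) -> str:
    """Constructed sample in the real layout: KeyId, KeyHash, then the hashed tail."""
    material = b"RSA1" + bytes(range(0x10, 0x40))                     # filler, not a real key
    tail = (_entry(KEY_MATERIAL, material) + _entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD])) + _entry(DEVICE_ID, bytes(range(16)))
            + _entry(CUSTOM_KEY_INFO, b"\x01\x00")
            + _entry(KEY_LAST_LOGON, datetime_to_filetime(last_logon))
            + _entry(KEY_CREATION, datetime_to_filetime(created)))
    blob = (struct.pack("<I", BLOB_VERSION) + _entry(KEY_ID, hashlib.sha256(material).digest())
            + _entry(KEY_HASH, hashlib.sha256(tail).digest()) + tail)
    return f"B:{len(blob) * 2}:{blob.hex()}:{dn}"


if __name__ == "__main__":
    when = datetime(2024, 1, 15, tzinfo=timezone.utc)
    value = build_sample_value("CN=svc-backup,OU=Service Accounts,DC=corp,DC=example", when, when)
    blob, dn = parse_dn_binary(value)
    for finding in audit_key(parse_key_credential_link(blob), False, datetime(2024, 1, 20, tzinfo=timezone.utc)):
        print(f"{dn}: {finding}")
```

In production the value comes from an LDAP search for `(msDS-KeyCredentialLink=*)`; the `whfb_deployed` flag is the one input the parser cannot derive from the attribute itself, so set it from the organisation's actual Windows Hello for Business rollout rather than from what the directory contains.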
Black Hat Europe 2019 - Exploiting Windows Hello for Business
Shadow Credentials Abusing Key Trust Account Mapping for Account Takeover
Parsing the msDS-KeyCredentialLink value for ShadowCredentials attack
Name: Shadow Credentials
Codename: C-SHADOW-CREDENTIALS
Severity: High
Michael Grafnetter: DSInternals
Elad Shamir: Whisker
Charlie Bromberg: pywhisker