← Library
kqlElastic-2.0from elastic/detection-rules

Potential Shadow Credentials added to AD Object

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1556T1098
Rule sourcerules/windows/credential_access_shadow_credentials.toml
event.code:"5136" and host.os.type:"windows" and winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and
  winlog.event_data.AttributeValue :B\:828* and
  not winlog.event_data.SubjectUserName: MSOL_*