
RP0003: Adding shadow credential

Summary

| Field | Value |
|---|---|
| ID | RP0003 |
| Brief description | Response playbook for the shadow credential attack (an attacker-controlled key written to an account's msDS-KeyCredentialLink attribute) |
| Author | @ERMACK_COMMUNITY |
| Creation date | 2023/05/07 |
| Modification date | 2023/05/14 |
| Tags | Status: Stable; Severity: High |
Usecases

Description

Attackers who can write to a user or computer object may add a shadow credential: a public key they control, stored in the account's msDS-KeyCredentialLink attribute. The key lets them authenticate as that account with Kerberos PKINIT (pass the certificate) without knowing its password, which is used for persistence in the domain or for lateral movement.

Workflow


  1. On the identification stage, find the domain accounts that were attacked and the account from which the attack was carried out. Both can be taken from Windows Security event 5136 (Directory service object was modified) where the modified attribute is msDS-KeyCredentialLink: the attacked account is in the Object section, the attacking account in the Subject section. The event is written only if the Directory Service Changes audit subcategory is enabled and the account carries a matching SACL, and only on the domain controller that processed the change, so collect it from every DC.
  2. On the containment stage, once you have found the account from which the attack was carried out, continue with the Compromised user response playbook.
  3. On the containment stage, once you have found the account that was attacked, lock (disable) this account.
  4. On the eradication stage, delete the added value from the attacked account's msDS-KeyCredentialLink attribute. Because the shadow credential lets the attacker authenticate with PKINIT and thereby recover the account's NT hash, also reset the account's password: removing the key alone does not revoke access that was already obtained.
  5. On the recovery stage, unlock the previously locked account.
  6. Save the timestamps of all implemented actions in the incident report draft as you go; it will save a lot of time.
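The six workflow steps above, as an added PowerShell example that is not part of the ERMACK playbook. It assumes the ActiveDirectory module is installed, that event 5136 is actually being audited (Directory Service Changes subcategory plus a Write Property SACL on the accounts), that the session can read the domain controllers' Security logs and modify the accounts, and that $ReportPath is a placeholder; the `Add-ReportEntry` helper is this example's own, and the matching of the event's AttributeValue text against the stored DN-Binary value is an assumption with a fallback.

```powershell
# Added example, not part of the ERMACK playbook: identification, containment,
# eradication and recovery for a shadow-credential write, in one session.
Import-Module ActiveDirectory

$DomainControllers = (Get-ADDomainController -Filter *).HostName
$ReportPath        = "$env:TEMP\RP0003-actions.csv"      # placeholder path
$Report            = New-Object System.Collections.Generic.List[object]

function Add-ReportEntry([string]$Stage, [string]$Action, [string]$Target) {
    # Step 6: record a timestamp for every action for the incident report.
    $Report.Add([pscustomobject]@{
        Time = (Get-Date).ToString('o'); Stage = $Stage; Action = $Action; Target = $Target
    })
}

# Step 1, identification: 5136 events where a value was added to msDS-KeyCredentialLink.
# In 5136, OperationType %%14674 means "value added" and %%14675 "value deleted".
# The event lives only on the DC that processed the write, hence the loop over all DCs.
$Hits = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['AttributeLDAPDisplayName'] -eq 'msDS-KeyCredentialLink' -and $data['OperationType'] -eq '%%14674') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    DC       = $dc
                    Attacker = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']  # Subject: who wrote the key
                    Target   = $data['ObjectDN']                                                  # Object: account that received it
                    Value    = $data['AttributeValue']
                }
            }
        }
}
$Hits | Sort-Object Time | Format-Table Time, DC, Attacker, Target -AutoSize

# Cross-check that does not depend on auditing: every object that currently carries a key.
# Legitimate Windows Hello for Business enrolments populate the same attribute, so compare
# against known enrolments before treating an entry as malicious.
Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink, whenChanged |
    Select-Object DistinguishedName, whenChanged, @{ n = 'KeyCount'; e = { $_.'msDS-KeyCredentialLink'.Count } } |
    Format-Table -AutoSize

foreach ($hit in $Hits) {
    # Step 3, containment: lock the attacked account. (Step 2, the attacking account in
    # $hit.Attacker, is handled by the Compromised user playbook.)
    Disable-ADAccount -Identity $hit.Target
    Add-ReportEntry 'Containment' 'Disabled attacked account' $hit.Target

    # Step 4, eradication: prefer removing only the value the attacker added so that
    # legitimate keys on the same attribute survive; clear the attribute if the value
    # from the event cannot be matched. Assumption: the event text and the stored
    # DN-Binary value use the same "B:<len>:<hex>:<DN>" string form.
    $obj = Get-ADObject -Identity $hit.Target -Properties msDS-KeyCredentialLink, objectClass
    if ($hit.Value -and ($obj.'msDS-KeyCredentialLink' -contains $hit.Value)) {
        Set-ADObject -Identity $hit.Target -Remove @{ 'msDS-KeyCredentialLink' = $hit.Value }
        Add-ReportEntry 'Eradication' 'Removed attacker key value' $hit.Target
    } else {
        Set-ADObject -Identity $hit.Target -Clear 'msDS-KeyCredentialLink'
        Add-ReportEntry 'Eradication' 'Cleared msDS-KeyCredentialLink' $hit.Target
    }

    # PKINIT with the shadow credential also yields the account's NT hash, so rotate the
    # secret. Computer accounts must rotate their machine password from the host itself
    # (Reset-ComputerMachinePassword), which is outside this script.
    if ($obj.objectClass -eq 'user') {
        $newPwd = ConvertTo-SecureString ([Guid]::NewGuid().ToString() + 'Aa1!') -AsPlainText -Force
        Set-ADAccountPassword -Identity $hit.Target -Reset -NewPassword $newPwd
        Add-ReportEntry 'Eradication' 'Reset password' $hit.Target
    }

    # Step 5, recovery: unlock the account once it is clean.
    Enable-ADAccount -Identity $hit.Target
    Add-ReportEntry 'Recovery' 'Re-enabled account' $hit.Target
}

$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run the identification part on its own first and review $Hits before letting the containment loop touch any account; the second query is the one to rely on when auditing was not enabled at the time of the attack, since then no 5136 event exists.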

Response discovery mapping

| Artifact | Response action | Response action observables |
|---|---|---|
| Domain account | Find the account to which the attribute was added. If auditing is configured, the name of this account is in the Object section of the event | Compromised domain user |
| Log | If auditing of attribute modifications on this account is configured, find Windows Security event 5136 (Directory service object was modified) | Event log entry with subject name, attribute name and object name |
| Domain account | Find the account from which the attack was carried out. If auditing is configured, the name of this account is in the Subject section of the event | Attacking domain user |
| Directory service object attribute | Delete the added value from the attacked account's msDS-KeyCredentialLink attribute | msDS-KeyCredentialLink attribute |

Playbook Actions

Preparation

Operational Preparations
Get Ability To Lock User Account
Preparing to block user account via Powershell

Identification

Find Compromised User
Find account with shadow credential via Powershell
Put Compromised Accounts On Monitoring

Containment

Compromised active directory account

Eradication

Delete Attribute From Object
Powershell clear attribute from AD object

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts