Search
Send enquiry
  • AD Security, Windows

Microsoft Defender for Identity evasions in 2026 – Part II

June 17, 2026

Microsoft Defender for Identity evasions in 2026 – Part II

Introduction

The first blogpost highlighted the detection capabilities and the resulting evasion options for Microsoft Defender for Identity (DfI); the blog post can be found here: Microsoft Defender for Identity evasions in 2026 – Part I. To complement the first part, the second part will present some alternative detection possibilities for the defensive side to improve visibility and security, as well as the upgrade from DfI version 2.2 to DfI version 3.0.

Shadow credentials

As discussed in the first part, the detection for setting a shadow credential to a user is not covered directly by DfI, but through the usage of that shadow credential when asking for a TGT. But since the respective alert builds on user-controlled information, the detection for that is also unreliable and can be evaded.

Additionally, it was said that there is no detection logic for setting shadow credentials for machine accounts over NTLM-relayed connections. The detection is based on alerts for authentication coercions and NTLM relaying. Technically, there is a detection logic for this, which is already implemented in DfI but not used for setting shadow credentials from machine accounts to machine accounts. The Network Name Resolution (NNR) feature, which is used as core detection component, is not being used to recognize that the origin, i.e. the source IP address, does not belong to the identity that is used to write the shadow credential.

Shadow credentials: indicators of compromise through device ID

Alternative indicators of compromise (IoCs) for the setting of a shadow credential exist for the scenarios described but are not used by DfI. This is applicable to user accounts and machine accounts. These IoCs both originate from the same value, the device ID.

The shadow-credentials attack technique abuses the msDS-KeyCredentialLink (KCL) attribute of a user or computer object. This attribute can be used to store public keys for that entity allowing for Kerberos authentication. A malicious actor who has permissions to modify that attribute can write his own public key into it and use it for Kerberos authentication.

IoC: device ID for user objects

The abused feature behind the KCL attribute for shadow credentials comes from the obsolete Windows Hello for Business (WHfB) key trust model, which enables password-less authentication and supports key trust. Nowadays Microsoft recommends using Kerberos cloud trust when deploying WHfB.

When the user rolls out WHfB on a new device, the trusted platform module (TPM) generates a key pair, stores the private key in the TPM and a self-signed certificate is generated. The public key is stored in a next-generation credentials (NGC) key of the user’s KCL attribute, along with the GUID of the computer object for which WHfB was registered. This means that a user object has an entry that is an NGC key referencing the corresponding computer object using the computer’s GUID, also known as the device ID.

Current tools such as Whisker and Pywhisker generate a random device ID, which is not assigned to any computer, when creating a shadow credential. This device ID is stored in the NGC key and could be used to detect a shadow-credentials attack. During the write operation for the KCL attribute, it would need to be verified whether the specified device ID corresponds to an existing computer object at all. If the device ID cannot be assigned even during the deployment of the WHfB key, the operation should be considered as an attack. Microsoft’s own PowerShell module, WHfBTools, is a tool designed to specifically remove WHfB keys from user objects. In doing so, it can indicate to the user whether a key is orphaned. The decision if a WHfB key is considered orphaned is based on whether the device ID matches the GUID of a computer object. Thus, the functionality DfI would require to determine whether a WHfB key is a shadow credential is already present in this tool. The following image shows the difference between a legitimate WHfB key and a shadow credential:

Figure 1: Figure 1: KCL attribute of a user
Jakob Scholz

Consultant

Category
  • AD Security, Windows
Date
Navigation

Figure 1 shows the entries of the KCL attribute of the user “Alonso.Hall”. It can be seen that there are two NGC keys registered for him. The first is a shadow credential set by Whisker and the second is a WHfB key generated by following the process for registering WHfB on a new device.

When using Microsoft’s WHfBTools, as can be seen in figure 2, the NGC key which is a shadow credential is flagged as orphaned.

Figure 2: Using WHfBTools to identify shadow credentials

The legitimate WHfB key was enrolled on PC02, and because of that the device ID for that key points to the GUID from PC02:  

Figure 3: GUID PC02

When searching for shadow-credential IoCs actively, the already mentioned tool WHfBTools could be used to extract the information of the KCL attribute from user objects.

To extract the KCL attribute of the user “Alonso.Hall”, the following command would be used:

Get-ADWHfBKeys -Domain jsc.lab -SamAccountName Alonso.Hall

To check if a key is a shadow credential, the key device ID, which should be pointing to a computer GUID in Active Directory, can be checked. This is done by searching for a computer object by its GUID using the ActiveDirectory module.

Get-ADComputer -Identity be42eae5-239b-40da-8c01-41d9ea0df7af

If no computer objects exist under that GUID and the key credential was set recently, it’s highly suspicious.

Read the blog post Detecting shadow credentials, which also explains the searching of shadow credentials for user objects in hybrid setups with Entra ID.

IoC: device ID for computer objects

For computer object’s NGC keys, the device ID also plays a role when it comes to identifying shadow credentials.

Computer objects have the right to write the KCL attribute for themselves. When certain requirements are met like the computer is running Credential Guard or TPM existence, the computer can create a key pair and store the public key in its KCL attribute. This enables the computer to perform Kerberos authentication using key trust. This feature is called “domain-joined device public key authentication”. If the process is initiated, a key pair is created and the private key is protected by Credential Guard or the TPM, and the public key is stored in the KCL attribute of the computer object.

If the Group Policy Object (GPO) “Support device authentication using certificates” is active on the relevant computer, it can authenticate itself using Kerberos PKINIT via the key pair. Thus, it is legitimate for computer objects to write their own KCL attribute, and a shadow credential can be set for a DC or a CA without being detected if it is done from the identity of the machine account.

While DfI doesn’t use NNR to detect shadow credentials set over NTLM relay, the device ID can be used to identify it. Since the NGC key is supposed to be used for its own computer, it has no device ID to link to. But when using ntlm-relayx to set the shadow credentials, ntlm-relayx generates a random device ID, which indicates that the NGC key is a shadow credential. The device ID field for computer object’s NGC keys will be empty when being set legitimately. When inspecting the KCL attribute of PC02, which has an NGC key enrolled through Credential Guard, it can be seen that the device ID is empty:

Figure 4: KCL attribute of PC02

Unfortunately, WHfBTools can only be used to view the KCL attribute for user objects. For computer objects the DSInternals PowerShell module can be used. Note that DSInternals can be flagged as malicious as it also can be used in an abusive way. The following snippet can be used to find all computer objects in Active Directory that have NGC in the “Usage” field and a “DeviceId” field that is not empty:

Get-ADComputer -Filter 'msDS-KeyCredentialLink -like "*"' -Properties msDS-KeyCredentialLink | Select-Object -ExpandProperty msDS-KeyCredentialLink | Get-ADKeyCredential | Where-Object Usage -eq ‘NGC’ -and -not [string]::IsNullOrWhiteSpace($_.DeviceId)

Pass the cert

For detecting pass-the-cert attacks, different kinds of Windows security events can be monitored. ADCS-related events for issuing certificates, Kerberos authentication using PKINIT and modification of the key credential link attribute should be monitored and corelated.

Pass the cert after shadow-credential attack

When PKINIT is used to authenticate, the Windows security event 4678 (“A Kerberos authentication ticket (TGT) was requested”) can be seen, indicating that a certificate was used to authenticate. This can be corelated with the event 5136 (“A directory service object was modified”), when the KCL attribute of the entity, was modified. For parsing the information about the KCL attribute, the discussed tools WHfBTools and DSInternals can be used. If the parsing of the KCL attribute indicates that a shadow credential was set, the authentication using Kerberos PKINIT should be considered suspicious, too.

General signs for pass the cert

Activities related to certificate issuing when using AD CS in the environment should also be monitored. For the CA the relevant event is 4887 (“Certificate Services approved a certificate request and issued a certificate”), which appears on the CA and must be logged there. It can be looked for authentications via PKINIT for users and machines that never use PKINIT and especially if that request is made from a new or unexpected host. Additional signs are when WHfB is not used in the environment or no certificate service is used.

Alternative handling of NNR-based alerts

In the first blogpost, three alerts were discussed that can be evaded when tampering with NNR. These alerts belong to the attack techniques DCSync, ESC8 and the special case of pass the cert when it’s about domain controller machine accounts trying to receive a TGT.

All of these attacks had the same detection logic: Identifying if the source IP address from which the potential attack occurred is a domain controller in the case of DCSync or, in the case of ESC8 and pass the cert, the specific domain controller in whose context the request was made.

While showing that the primary methods using the three protocols (NetBIOS, DCE/RPC and RDP) used by DfI in version 2.2 can be evaded, a better approach would be to use something that’s out of the control of the attacker.

As explained, the secondary option in DfI uses the domain name service to resolve IP addresses to hostnames, but only as a fallback if the primary methods give unclear or no responses.

One approach would be to use this secondary option yourself. This would be possible when thinking of manual monitoring or searching for IoCs. The corresponding events to search for in the Windows events logs are:

  • Pass the cert (domain controller): 4678
  • ESC8: 4887
  • DCSync: 4661 and 4662

The information obtained from these events can be used to tell from which source IP address the request originated and under which identity the operation was performed. Using DNS to do a reverse lookup from the IP address to the DNS name can reveal if the source IP address belongs to the machine under which identity the request for the resources was made.

Inspecting Defender for Identity combined with Defender for Endpoint

A detection weakness already discussed was about shadow credentials set to user objects, where the detection only happened when setting a shadow credential to the AD built-in administrator (S-1-5-<domain>-500), but not for other user objects. When combining Defender for Endpoint (DfE) with DfI, it’s possible to detect the setting of shadow credentials for user objects, which is not detected by using DfI only. But this is only possible if the attacker is caught at one endpoint, when DfE notices that a tool like Whisker or Pywhisker was used. Even though an advanced attack will most likely not be detected by DfE using an offensive tool, the behavior when combining the indicators from DfE with those from DfI is interesting.

When DfE notices the usage of Whisker, it raises the alert “An active ‘Whisz’ malware process was detected while executing”, showing the information about the execution on the command line and the user under whose identity this was done:

Figure 5: Usage of Whisker detected by DfE

The user “Alonso.Hall” set the shadow credential to the user “ADM”. When DfI is also used in the environment and the event 5136 is detected, this information will be put together and, in Defender XDR, the alert “Shadow credentials added to account” is raised.

The first information is the execution of Whisker under the identity of the user “Alonso.Hall”. The second is the security event showing that “Alonso.Hall” modified the KCL attribute of the user “ADM” at the same time as the execution of Whisker was registered:

Figure 6: Event 5136: Shadow-credential set to ADM

Upgrading to Defender for Identity 3.0

The best option to handle the alerts for attacks against domain controllers that can be evaded by spoofing NNR answers is to upgrade to DfI version 3.0. This version uses the Defender device inventory as trusted database to perform the needed resolving, to make NNR function, without involving the potential attacker in the detection logic.

As can be seen in the deployment diagram in figure 7 (March 2026), only domain controllers can use the sensor in version 3.0. The CA, Federation server and Entra connect server remain in sensor version 2.2. For domain controllers the usage of version 3.0 is only possible when running as Windows Server 2019 or higher and when running with DfE on it.

Figure 7: DfI sensor deployment overview (https://learn.microsoft.com/en-us/defender-for-identity/deploy/deploy-defender-identity)

Upgrading from DfI sensor version 2.2 to 3.0 is straightforward. When the requirements are met, the migration can be done over the Microsoft Defender portal following this guide Migrate from Defender for Identity sensor v2 to sensor v3.x.

Another advantage of DfI sensor 3.0 compared to 2.2 is the “automatic Windows event auditing”, which configures the correct auditing of Windows security events. While it was possible in DfI version 2.2 to reduce the detection capabilities when the relevant events were not audited properly, this problem is fixed in version 3.0.

It’s important to note that the upgrading of the sensor to version 3.0 must be done manually and there is no mechanism where it’s done automatically via an update. 

References

  1. https://support.microsoft.com/en-us/topic/using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hello-for-business-keys-779d1f3f-bb2d-c495-0f6b-9aeb940eeafb
  2. https://learn.microsoft.com/en-us/windows-server/security/kerberos/domain-joined-device-public-key-authentication
  3. https://learn.microsoft.com/en-us/defender-for-identity/deploy/migrate-to-sensor-v3
  4. https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/

Further blog articles
Red Teaming

Microsoft Defender for Identity evasions in 2026 – Part I

June 16, 2026 – Microsoft Defender for Identity (DfI) is one of Microsoft’s key solutions for detecting identity-based attacks in Active Directory environments – but how well does it hold up against a skilled attacker? This two-part blog post dives into DfI’s detection capabilities for high-impact attacks such as shadow credentials, pass-the-cert, ESC8, and DCSync. Additionally, it uncovers a spoofing and relaying vulnerability in DfI’s Network Name Resolution component that can be used to evade multiple alerts, and offers blue team perspectives on closing these gaps.


Author: Jakob Scholz

Mehr Infos »
Red Teaming

Windows Instrumen­tation Call­backs – Part 4

February 10, 2026 – In this blog post we will cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set. Spoiler: this is not entirely possible.

Author: Lino Facco

Mehr Infos »
Load More
Do you want to protect your systems? Feel free to get in touch with us.
Send Enquiry
Contact Details
Search
Search