Enable Auditing of Changes to msDS-KeyCredentialLink
Summary
This article explains how to enable auditing for changes made to the msDS-KeyCredentialLink attribute in Active Directory, which is not covered by default audit configurations. It highlights that this requires specific configuration, with credit given to TrustedSec for providing the solution.
IFF Assessment
FRIEND
The article provides guidance on improving security auditing, which helps defenders detect and investigate suspicious activities within an organization's infrastructure.
Defender Context
Defenders need to ensure that critical Active Directory attributes like msDS-KeyCredentialLink are properly audited. This allows for detection of unauthorized modifications, which could indicate credential theft, privilege escalation, or other malicious activity.