The ClaimSpecialIdentity edge represents the ability to obtain an access token containing a special identity (group) SID.
The ClaimSpecialIdentity edge represents the ability to obtain an access token containing a special identity (group) SID. Unlike regular groups, membership in special identities is determined at authentication rather than by an explicit member list.
See the Abuse section for specific cases.
Included in access tokens when an account is authenticated directly against a domain controller and not through Kerberos constrained delegation (service asserted identity).
Key Trust (S-1-18-4)
Included in access tokens when authentication is based on public key credentials via key trust objects.
Anyone with key trust credentials (e.g., from a Shadow Credentials attack) can obtain Key Trust identity access through PKINIT authentication.
MFA Key Property (S-1-18-5)
Similar to Key Trust but requires the MFA property on the key trust credentials.
A Shadow Credentials attack enables anyone to obtain the MFA Key Property identity access through PKINIT authentication.
NTLM Authentication (S-1-64-10)
Included in an access token when authentication occurs via NTLM protocol.
Any AD account can obtain NTLM authentication identity access, assuming NTLM is available.
Schannel Authentication (S-1-64-14)
Included in an access token when authentication occurs via Schannel protocol.
Any AD account can obtain the Schannel Authentication identity, for example by performing certificate authentication over Schannel.
This Organization Identity (S-1-5-15)
Assigned to all accounts within the same Active Directory forest and trusted forests without selective authentication.
This Organization Certificate Identity (S-1-5-65-1)
Assigned to all accounts within the same Active Directory forest and trusted forests without selective authentication, when the Kerberos PAC contains an NTLM_SUPPLEMENTAL_CREDENTIAL structure.
Authentication using an ADCS certificate ensures the required PAC structure.
