Shadow Credentials abuse writes attacker-controlled key material into msDS-KeyCredentialLink. After the write, we use PKINIT to request a Kerberos TGT as the target account without changing the target password.
This is usually available through:
GenericAll
GenericWrite
WriteProperty over msDS-KeyCredentialLink
The chain is:
write msDS-KeyCredentialLink -> authenticate with certificate -> obtain TGT -> derive or use credential material
This is powerful because password resets are loud and disruptive, while Shadow Credentials keep the original password intact. It applies to users, service accounts, and computer accounts when the attacker can write the attribute.