Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / Shadow Credentials

Information

Shadow Credentials abuse writes attacker-controlled key material into msDS-KeyCredentialLink. After the write, we use PKINIT to request a Kerberos TGT as the target account without changing the target password.

This is usually available through:

GenericAll
GenericWrite
WriteProperty over msDS-KeyCredentialLink

The chain is:

write msDS-KeyCredentialLink -> authenticate with certificate -> obtain TGT -> derive or use credential material

This is powerful because password resets are loud and disruptive, while Shadow Credentials keep the original password intact. It applies to users, service accounts, and computer accounts when the attacker can write the attribute.