Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / Shadow Credentials

Matrix

Shadow Credentials avoid password resets. The account keeps its password, but Kerberos authentication becomes possible through attacker-controlled key material.

TargetRequired rightAbuse pathLinux toolingWindows toolingResponse focus
UserWrite access to msDS-KeyCredentialLinkAdd key credential, request TGT with PKINIT, use or extract credential materialcertipy shadow, pywhisker.py, gettgtpkinit.py, getnthash.pyPowerView Set-DomainObject, Whisker/Rubeus where availableClear rogue key credentials and review PKINIT activity
Service accountWrite access to msDS-KeyCredentialLinkAuthenticate as service account without changing passwordcertipy shadow, PKINITtoolsPowerView, Whisker/RubeusClear rogue key credentials and rotate secrets if used
ComputerWrite access to msDS-KeyCredentialLinkAuthenticate as computer account and pursue machine-account pathscertipy shadow, PKINITtools, ImpacketPowerView, Whisker/RubeusClear rogue key credentials and review machine-account logons
Account with GenericAllGenericAll includes the needed write pathUse Shadow Credentials as the stealthier takeover methodcertipy shadow autoPowerView plus certificate toolingRemove added key material and repair ACL
Account with GenericWriteGenericWrite may permit the attribute writeAttempt key credential write and validate PKINITcertipy shadow add/auto, pywhisker.pyPowerView plus certificate toolingClear added value and confirm no stale key credentials remain