Shadow Credentials avoid password resets. The account keeps its password, but Kerberos authentication becomes possible through attacker-controlled key material.
| Target | Required right | Abuse path | Linux tooling | Windows tooling | Response focus |
|---|---|---|---|---|---|
| User | Write access to msDS-KeyCredentialLink | Add key credential, request TGT with PKINIT, use or extract credential material | certipy shadow, pywhisker.py, gettgtpkinit.py, getnthash.py | PowerView Set-DomainObject, Whisker/Rubeus where available | Clear rogue key credentials and review PKINIT activity |
| Service account | Write access to msDS-KeyCredentialLink | Authenticate as service account without changing password | certipy shadow, PKINITtools | PowerView, Whisker/Rubeus | Clear rogue key credentials and rotate secrets if used |
| Computer | Write access to msDS-KeyCredentialLink | Authenticate as computer account and pursue machine-account paths | certipy shadow, PKINITtools, Impacket | PowerView, Whisker/Rubeus | Clear rogue key credentials and review machine-account logons |
Account with GenericAll | GenericAll includes the needed write path | Use Shadow Credentials as the stealthier takeover method | certipy shadow auto | PowerView plus certificate tooling | Remove added key material and repair ACL |
Account with GenericWrite | GenericWrite may permit the attribute write | Attempt key credential write and validate PKINIT | certipy shadow add/auto, pywhisker.py | PowerView plus certificate tooling | Clear added value and confirm no stale key credentials remain |