Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / Shadow Credentials

Response

Cleanup with Certipy:

certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip 10.10.10.200

Cleanup with pyWhisker:

python3 pywhisker.py -d ootw.local -u ben.carter -p 'StudentPass2026!' --target svc_web --action remove

Cleanup with Whisker:

.\Whisker.exe remove /target:svc_web /domain:ootw.local /dc:OOTW-DC01.ootw.local

Always verify msDS-KeyCredentialLink after cleanup.

Primary indicator:

5136 - msDS-KeyCredentialLink modified

Supporting events:

4662 - LDAP write operation
4768 - TGT request using certificate-based authentication
4624 - Successful logon after key credential write
4672 - Privileged session if target is privileged

Remediation:

  • remove unnecessary GenericAll and GenericWrite rights
  • alert on msDS-KeyCredentialLink writes
  • restrict certificate authentication paths
  • review accounts with key credentials
  • protect service and admin accounts from delegated write rights