Cleanup with Certipy:
certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip 10.10.10.200
Cleanup with pyWhisker:
python3 pywhisker.py -d ootw.local -u ben.carter -p 'StudentPass2026!' --target svc_web --action remove
Cleanup with Whisker:
.\Whisker.exe remove /target:svc_web /domain:ootw.local /dc:OOTW-DC01.ootw.local
Always verify msDS-KeyCredentialLink after cleanup.
Primary indicator:
5136 - msDS-KeyCredentialLink modified
Supporting events:
4662 - LDAP write operation
4768 - TGT request using certificate-based authentication
4624 - Successful logon after key credential write
4672 - Privileged session if target is privileged
Remediation:
- remove unnecessary GenericAll and GenericWrite rights
- alert on
msDS-KeyCredentialLinkwrites - restrict certificate authentication paths
- review accounts with key credentials
- protect service and admin accounts from delegated write rights