Shadow Credentials

ABOUT

Shadow Credentials is a stealthy post-exploitation persistence technique (disclosed by Elad Shamir) that leverages the msDS-KeyCredentialLink attribute on AD objects. This attribute is used by Windows Hello for Business and Azure AD Join. When you add a custom public key to it, you can authenticate via Kerberos PKINIT using your matching private key — effectively becoming the user.

This gives you a TGT without touching the user's password or traditional login flow.

Requirements

• Write access (GenericWrite/GenericAll) to target user/computer object

• PKINIT enabled (default in modern AD environments)

• Domain reachable over Kerberos (TCP/UDP 88)

Flow

1. Generate RSA key pair

2. Create KeyCredential object with public key

3. Inject the object into msDS-KeyCredentialLink of the target account

4. Authenticate using private key via Kerberos PKINIT

5. Get TGT for the target account

LINUX

Check KeyCredential Attribute Present

ldapsearch -H ldap://dc.militech.local -x -D 's.reed@militech.local' -w 'password123' -b 'CN=songbird,CN=Users,DC=militech,DC=local' msDS-KeyCredentialLink

Automatic Shadow Credentials Execution

certipy-ad shadow auto -username 's.reed@militech.local' -password 'password123' -account songbird

Performs:

• KeyCredential injection

• PKINIT auth

• TGT extraction

• NT hash dump

• Cleanup

RESOURCES

Shadow Credentials | The Hacker Recipes

07 ‐ Post‐ExploitationGitHub

https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566abposts.specterops.io