Shadow Credentials

ABOUT

Shadow Credentials is a stealthy post-exploitation persistence technique (disclosed by Elad Shamir) that abuses the msDS-KeyCredentialLink attribute on AD objects. The attribute normally holds the public keys registered by Windows Hello for Business and Azure AD Join. If you add your own public key to it, you can authenticate to the account via Kerberos PKINIT using the matching private key — effectively becoming the user.

This yields a TGT for the account without touching the user's password or the normal login flow.

Requirements

  • Write access (GenericWrite/GenericAll) to the target user or computer object

  • PKINIT enabled on the domain controllers (default in modern AD environments)

  • A domain controller reachable over Kerberos (TCP/UDP 88)

Flow

  1. Generate an RSA key pair

  2. Create a KeyCredential object containing the public key

  3. Add the object to the target account's msDS-KeyCredentialLink attribute

  4. Authenticate with the private key via Kerberos PKINIT

  5. Receive a TGT for the target account

LINUX

Check Whether msDS-KeyCredentialLink Is Already Populated

ldapsearch -H ldap://dc.militech.local -x -D 's.reed@militech.local' -w 'password123' -b 'CN=songbird,CN=Users,DC=militech,DC=local' msDS-KeyCredentialLink

An empty result means no key credential is currently linked to the account; a populated value on an account that does not use Windows Hello for Business is itself a finding worth investigating.

Automated Shadow Credentials with Certipy

certipy-ad shadow auto -username 's.reed@militech.local' -password 'password123' -account songbird

This single command performs:

  • KeyCredential injection

  • PKINIT auth

  • TGT extraction

  • NT hash dump

  • Cleanup
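From the defender's side, the flow above leaves two log signals that can be correlated: Event ID 5136 (directory object modified, with "Audit Directory Service Changes" and a SACL on the account) naming msDS-KeyCredentialLink as the changed attribute, followed by Event ID 4768 for the same account whose Pre-Authentication Type is 16 (PA-PK-AS-REQ, the PKINIT request). The detector below is an added example, not part of the original page or of Certipy; the event records are constructed sample data shaped like the Windows event fields, with OperationType written out as text rather than the raw message ids, and the account and DN names are the ones used in the page's commands.

```python
"""Added example (not from the page): flag Event 5136 writes to
msDS-KeyCredentialLink followed within a window by Event 4768 with
PreAuthType 16 (PA-PK-AS-REQ, i.e. PKINIT) for the same account."""
from datetime import datetime, timedelta

KCL_ATTR = "msDS-KeyCredentialLink"
PA_PK_AS_REQ = "16"          # 4768 PreAuthType logged for a PKINIT AS-REQ
WINDOW = timedelta(hours=1)  # PKINIT TGT must follow the write within this

SAMPLE_EVENTS = [  # constructed; names taken from the page's commands
    {"EventID": 5136, "Time": "2024-05-01T10:00:00", "SubjectUserName": "s.reed",
     "ObjectDN": "CN=songbird,CN=Users,DC=militech,DC=local",
     "AttributeLDAPDisplayName": KCL_ATTR, "OperationType": "Value Added"},
    {"EventID": 4768, "Time": "2024-05-01T10:00:12", "TargetUserName": "songbird",
     "PreAuthType": PA_PK_AS_REQ, "IpAddress": "10.0.0.50"},
    {"EventID": 5136, "Time": "2024-05-01T10:01:00", "SubjectUserName": "s.reed",
     "ObjectDN": "CN=songbird,CN=Users,DC=militech,DC=local",
     "AttributeLDAPDisplayName": KCL_ATTR, "OperationType": "Value Deleted"},
    {"EventID": 4768, "Time": "2024-05-01T11:30:00", "TargetUserName": "j.doe",
     "PreAuthType": "2", "IpAddress": "10.0.0.51"},  # normal password pre-auth
]

def account_from_dn(dn):
    """'CN=songbird,CN=Users,...' -> 'songbird' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def key_credential_writes(events):
    """5136 events that added or removed a value of msDS-KeyCredentialLink."""
    return [e for e in events if e["EventID"] == 5136
            and e["AttributeLDAPDisplayName"] == KCL_ATTR]

def pkinit_tgt_requests(events):
    """4768 events where the client pre-authenticated with a certificate."""
    return [e for e in events if e["EventID"] == 4768
            and e["PreAuthType"] == PA_PK_AS_REQ]

def correlate(events, window=WINDOW):
    """One alert per key-credential write: 'high' if a PKINIT TGT for the same
    account follows within the window, otherwise 'medium' (e.g. the cleanup)."""
    ts = lambda e: datetime.fromisoformat(e["Time"])
    alerts = []
    for w in key_credential_writes(events):
        target = account_from_dn(w["ObjectDN"]).lower()
        hits = [p for p in pkinit_tgt_requests(events)
                if p["TargetUserName"].lower() == target
                and timedelta(0) <= ts(p) - ts(w) <= window]
        alerts.append({"target": target, "writer": w["SubjectUserName"],
                       "operation": w["OperationType"],
                       "severity": "high" if hits else "medium",
                       "pkinit_from": [p["IpAddress"] for p in hits]})
    return alerts
```

The "Value Deleted" write still raises a medium alert on its own, which is what the Cleanup step of the automated run looks like in the log.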
