UC0003: Adding shadow credential

Summary

ID	UC0003
Brief Description	Attackers can add key credential (msDS-KeyCredentialLink attribute) to target object for persistence or lateral movement in domain
Author	@ERMACK_COMMUNITY
Creation Date	2023/05/04
Modification Date	2023/05/04
ATT&CK Tactics	TA0003: Persistence TA0008: Lateral Movement
Linked Response Playbooks	Adding shadow credential
Artifacts	Certificate Private key Certificate authority Authentication service Directory Service object attribute Access right

Description

Attackers sign the certificate with their private key, create key credential struct and add this struct on msDS-KeyCredentialLink attribute to target object. After adding this struct attackers can authenticate on behalf of target object using Public Key Cryptography for Initial Authentication (PKINIT) Kerberos extension.

Attack mapping

ARTIFACT	OBJECT	DESCRIPTION
Attack Prerequisites
Certificate Authority	Server in domain with Certificate Authority Role	Server with Active Directory Certificate Services and Certificate Authority configured
Authentication Service	Authentication service on domain controller at least Windows Server 2016 operation system	Authentication Service must have a certificate for Server Authentication for PKINIT
Certificate	Certificate signed with the attacker's private key	Certificate signed with the attacker's private key which will be checked during authentication
Side Observables
Private key	Attackers private key	Attackers private key with which they sign the certificate

Attack result

The result of this attack is an record in the msDS-KeyCredentialLink attribute of the target object.

RESOURCE	DESCRIPTION
Attack Prerequisites
Access Right	Write permission to the msDS-KeyCredentialLink attribute of the target object (user or computer)
Result Consequences
Directory service object attribute	Record in msDS-KeyCredentialLink attribute of the target object (user or computer)
Certificate	Certificate with which may authentificate on behalf of target object (user or computer)
Private key	Attackers private key with which they sign the certificate

Attack progress

1. Create private key
2. Create certificate and sign it with private key
3. Create Key credential struct with signed certificate
4. Write Key credential struct to msDS-KeyCredentialLink attribute of the target object

Some tools for carry out this attack

1.

Whisker.exe add /target:targetUserName /path:pathToCertificate.pfx /password:certificatePassword

Whisker.exe add /target:targetComputerName$ /path:pathToCertificate.pfx /password:certificatePassword

References

1. https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
2. https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials
3. https://github.com/eladshamir/Whisker