Shadow Credentials → PKINIT → NT hash
Where GenericWrite (or GenericAll) is held over a target, add an attacker-controlled public key to the target's msDS-KeyCredentialLink attribute (the same key-trust mechanism Windows Hello for Business uses), authenticate as the target via PKINIT with the matching private key, and recover the target's NT hash from the resulting TGT (UnPAC-the-hash).
§ Context
Assumed environment: the KDC accepts PKINIT, which requires the domain controllers to hold a certificate usable for Kerberos (normally issued by AD CS). Attacker holds GenericWrite or GenericAll (or an explicit write right on msDS-KeyCredentialLink) over the victim object. The attribute exists with the Windows Server 2016 schema and the request must be serviced by a DC running Windows Server 2016 or later.
§ Steps
- 01 · Principal w/ GenericWrite on victim · Initial Access · T1078 — Valid Accounts
- 02 · Write msDS-KeyCredentialLink · Credential Access · AD-DACL-SHADOWCREDS — Shadow Credentials (msDS-KeyCredentialLink)
Generates a key pair and appends the public key, wrapped as a KeyCredential, to the victim's msDS-KeyCredentialLink. Certipy does the whole chain in one go:
certipy shadow auto -u '<me>@<domain>' -p '<pw>' -account '<victim>'
- 03 · PKINIT auth → TGT · Lateral Movement · T1550.003 — Pass the Ticket
Present a self-signed certificate for the private key from step 02; the KDC matches it to the stored KeyCredential and issues a TGT as the victim.
- 04 · UnPAC-the-hash · Credential Access · AD-UNPAC — UnPAC-the-Hash
Recovers the victim's NT hash: a TGT obtained via PKINIT carries a PAC_CREDENTIAL_INFO buffer holding the NTLM credentials, encrypted under the AS-REP key. Requesting a U2U service ticket to oneself yields a ticket decryptable with the TGT session key, from which that buffer is read and decrypted.
- 05 · Pivot as victim · Lateral Movement · T1550.002 — Pass the Hash
§ References
- T1078Valid Accounts
- T1550.002Pass the Hash
- T1550.003Pass the Ticket
§ Frequently asked
- What is the "Shadow Credentials → PKINIT → NT hash" attack path?
- Where GenericWrite (or GenericAll) is held over a target, add an attacker-controlled public key to its msDS-KeyCredentialLink, authenticate as the target via PKINIT, and recover the target's NT hash from the TGT. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Principal w/ GenericWrite on victim (T1078), an initial-access primitive. Assumed environment: the KDC accepts PKINIT, which in practice means the domain controllers hold a Kerberos-usable certificate, normally from AD CS.
- What is the final impact of this kill-chain?
- The chain ends with the operator holding the victim's NT hash and authenticating as the victim with it (Pass the Hash, T1550.002), which falls under Lateral Movement. From there, an operator typically pivots into post-exploitation or maintains persistence. Note that the written key stays valid until it is removed, so it doubles as persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References"; each technique page lists defensive controls, detection telemetry, and known threat-actor usage. Two checks specific to this path: a write to msDS-KeyCredentialLink is logged as Event ID 5136 (Directory Service Changes) when object-level auditing is enabled, and the PKINIT logon shows up as a 4768 whose Certificate Information fields are populated for an account that never enrolled in Windows Hello for Business.
§ Related dossiers
- Shared techniques: 3
ADCS ESC11 → certificate via RPC (no web enrollment)
When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
- Shared techniques: 2
Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- Shared techniques: 2
Reconfigure MFP LDAP → harvest service-account credentials
Walk up to / network into the MFP admin web panel (default creds), change the LDAP address-book server to the attacker's IP — the printer immediately re-binds and sends its service-account creds in cleartext.
- Shared techniques: 2
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises WPAD, and relays the captured NTLM to LDAPS for RBCD.
- Shared techniques: 2
MachineAccountQuota abuse → RBCD takeover of a server
Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
- Shared techniques: 2
PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.