AD-DACL-SHADOWCREDSCredential Access

Shadow Credentials (msDS-KeyCredentialLink)

Add a key credential to a target principal and authenticate via PKINIT to recover its NT hash.

§ Where this technique fits

AD-DACL-SHADOWCREDS is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Shadow Credentials → PKINIT → NT hash
Where GenericWrite is held over a target, write a fake KeyCredentialLink (whfb-like) and authenticate via PKINIT to recover the target's NT hash.
step 2 / 5

§ What commonly comes next

01
Pass the Ticket
T1550.003 · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Shadow Credentials → PKINIT → NT hash

§ What commonly comes next