AddKeyCredentialLink

Abuse Info

To abuse this privilege, use Whisker:

Whisker.exe add /target:<TargetPrincipal>

For other optional parameters, view the Whisker documentation.

Opsec Considerations

Executing the attack will generate a 5136 (A directory object was modified) event at the domain controller if an appropriate SACL is in place on the target object. If PKINIT is not common in the environment, a 4768 (Kerberos authentication ticket (TGT) was requested) ticket can also expose the attacker.

Edge Schema

Source: User, Group, Computer
Destination: User, Computer
Traversable: Yes

References

https://specterops.io/blog/2021/06/17/shadow-credentials-abusing-key-trust-account-mapping-for-account-takeover/
https://github.com/eladshamir/Whisker
https://specterops.io/blog/2022/02/09/introducing-bloodhound-4-1-the-three-headed-hound/

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

AddKeyCredentialLink

Abuse Info

Opsec Considerations

Edge Schema

References

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Documentation Index

​Abuse Info

​Opsec Considerations

​Edge Schema

​References

Abuse Info

Opsec Considerations

Edge Schema

References