AddKeyCredentialLink

Abuse Info

To abuse this privilege, use Whisker:

Whisker.exe add /target:<TargetPrincipal>

For other optional parameters, view the Whisker documentation.

Opsec Considerations

Executing the attack will generate a 5136 (A directory object was modified) event at the domain controller if an appropriate SACL is in place on the target object. If PKINIT is not common in the environment, a 4768 (Kerberos authentication ticket (TGT) was requested) ticket can also expose the attacker.

Edge Schema

Source: User, Group, Computer
Destination: User, Computer
Traversable: Yes

References

https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
https://github.com/eladshamir/Whisker

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

AddKeyCredentialLink

Abuse Info

Opsec Considerations

Edge Schema

References

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Abuse Info

​Opsec Considerations

​Edge Schema

​References

Abuse Info

Opsec Considerations

Edge Schema

References