> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AddKeyCredentialLink

> The ability to write to the “msds-KeyCredentialLink” property on a user or computer. Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

To abuse this privilege, use Whisker:

```bash theme={null}
Whisker.exe add /target:<TargetPrincipal>
```

For other optional parameters, view the Whisker documentation.

## Opsec Considerations

Executing the attack will generate a 5136 (A directory object was modified) event at the domain controller if an appropriate SACL is in place on the target object.

If PKINIT is not common in the environment, a 4768 (Kerberos authentication ticket (TGT) was requested) ticket can also expose the attacker.

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [User](/resources/nodes/user), [Computer](/resources/nodes/computer)\
Traversable: **Yes**

## References

* [https://specterops.io/blog/2021/06/17/shadow-credentials-abusing-key-trust-account-mapping-for-account-takeover/](https://specterops.io/blog/2021/06/17/shadow-credentials-abusing-key-trust-account-mapping-for-account-takeover/)
* [https://github.com/eladshamir/Whisker](https://github.com/eladshamir/Whisker)
* [https://specterops.io/blog/2022/02/09/introducing-bloodhound-4-1-the-three-headed-hound/](https://specterops.io/blog/2022/02/09/introducing-bloodhound-4-1-the-three-headed-hound/)