abusing-shadow-credentials-for-privesc
mukul975/Anthropic-Cybersecurity-Skills
This technique exploits the Active Directory attribute `msDS-KeyCredentialLink` by injecting attacker-controlled public keys (Shadow Credentials). Using tools like pyWhisker and Certipy, the attacker forces the target account to register a new key. Subsequently, by leveraging PKINIT (Public Key Cryptography for Initial Authentication in Kerberos), the attacker can obtain a service ticket and recover the target's NT hash, achieving a stealthy, password-less, complete account takeover.
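From the defender's side, the two stages described above leave a correlatable trail: a write to `msDS-KeyCredentialLink` (Security event 5136, which is only logged when Directory Service Changes auditing and a SACL on the object are in place) followed by a PKINIT pre-authenticated TGT request (event 4768 with `PreAuthType` 16) for the same account. The sketch below is an added example, not code from the repository; the account names, DNs, the DN-to-account inventory and the allowlist of expected writers are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory (assumption): object DN -> sAMAccountName, plus the
# principals that are expected to write key credentials in this environment.
DN_TO_SAM = {"CN=svc-backup,OU=Service,DC=corp,DC=example": "svc-backup",
             "CN=alice,OU=Users,DC=corp,DC=example": "alice"}
EXPECTED_WRITERS = {"aadsync$"}
VALUE_ADDED = "%%14674"  # OperationType "Value Added" in event 5136
PKINIT = "16"            # PreAuthType for public-key pre-auth in event 4768

# Constructed sample events, as if already parsed from the Security log.
EVENTS = [
    {"id": 5136, "time": "2024-05-01T10:00:00", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"id": 4768, "time": "2024-05-01T10:03:10", "TargetUserName": "svc-backup",
     "PreAuthType": "16", "IpAddress": "::ffff:10.0.0.57"},
    {"id": 5136, "time": "2024-05-01T10:05:00", "SubjectUserName": "AADSYNC$",
     "ObjectDN": "CN=alice,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"id": 4768, "time": "2024-05-01T10:06:00", "TargetUserName": "alice",
     "PreAuthType": "16", "IpAddress": "::ffff:10.0.0.20"},
    {"id": 4768, "time": "2024-05-01T10:04:00", "TargetUserName": "svc-backup",
     "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.31"},  # password pre-auth
]

def find_shadow_credential_activity(events, window=timedelta(hours=1)):
    """Flag unexpected key-credential writes and any PKINIT logon that follows."""
    findings = []
    for ev in events:
        if (ev["id"] != 5136
                or ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink"
                or ev.get("OperationType") != VALUE_ADDED
                or ev.get("SubjectUserName", "").lower() in EXPECTED_WRITERS):
            continue
        written = datetime.fromisoformat(ev["time"])
        sam = DN_TO_SAM.get(ev["ObjectDN"])
        pkinit = [a for a in events
                  if a["id"] == 4768 and a.get("PreAuthType") == PKINIT
                  and sam and a.get("TargetUserName", "").lower() == sam.lower()
                  and timedelta(0) <= datetime.fromisoformat(a["time"]) - written <= window]
        findings.append({"target": ev["ObjectDN"], "writer": ev["SubjectUserName"],
                         "severity": "high" if pkinit else "medium",
                         "pkinit_sources": [a["IpAddress"] for a in pkinit]})
    return findings

if __name__ == "__main__":
    print(*find_shadow_credential_activity(EVENTS), sep="\n")
```

A write with no following PKINIT logon is still reported at medium severity, since the key may simply not have been used yet.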