Add Key Credential

Description

The Source security principal can impersonate the Target by exploiting key trust account mappings, also known as key credentials or "shadow credentials".

This is possible because the Source has permission to edit the msDS-KeyCredentialLink attribute of the Target.

Windows Hello for Business (WHfB) is the legitimate consumer of this feature, but attackers can exploit it even when WHfB is not in use.

Exploitation

Attackers who compromise the Source security principal must edit the msDS-KeyCredentialLink attribute of the Target computer, using specialized tools such as Whisker or DSInternals.

The attackers' goal is to add to this attribute of the Target a new certificate for which they hold the private key. They can then authenticate as the Target with that private key through the Kerberos PKINIT protocol to obtain a TGT. PKINIT also lets them retrieve the Target's NTLM hash.
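The write described above is an ordinary directory modification, so domain controllers record it as Security event 5136 ("A directory service object was modified") whenever directory service change auditing is enabled and the object's SACL covers the write. The following PowerShell is an added example, not code from the original page: it parses 5136 events, keeps those touching msDS-KeyCredentialLink, and exercises the parser on a constructed sample event (the account name, DN and the shortened DN-Binary value are placeholders). The function names are the author's own; the cmdlets and event field names are standard Windows ones.

```powershell
# Added example, not code from the original page: surface writes to
# msDS-KeyCredentialLink from Security event 5136 ("A directory service
# object was modified"). Assumes "Audit Directory Service Changes" is enabled
# on the domain controllers and the SACL on the audited accounts includes
# Write Property; without both, no 5136 event is generated.

# Substitution codes used by event 5136's OperationType field.
$OperationNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function ConvertFrom-Event5136 {
    # Flatten the event's EventData into one object. PowerShell's XML adapter
    # ignores the event namespace, so plain dotted access works.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        Subject   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectDN  = $data['ObjectDN']
        Class     = $data['ObjectClass']
        Attribute = $data['AttributeLDAPDisplayName']
        Operation = $OperationNames[$data['OperationType']]
        Value     = $data['AttributeValue']
    }
}

function Find-KeyCredentialLinkWrite {
    # Read 5136 events from the local Security log (run on a DC, or add
    # -ComputerName to Get-WinEvent) and keep only msDS-KeyCredentialLink changes.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event5136 -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_.Attribute -eq 'msDS-KeyCredentialLink' }
}

# Constructed sample event (placeholder subject, DN and shortened DN-Binary
# value) so the parser can be exercised without a domain controller.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5136</EventID>
    <TimeCreated SystemTime="2024-01-15T09:12:33.000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">CN=SRV01,OU=Servers,DC=corp,DC=example</Data>
    <Data Name="ObjectClass">computer</Data>
    <Data Name="AttributeLDAPDisplayName">msDS-KeyCredentialLink</Data>
    <Data Name="AttributeValue">B:828:PLACEHOLDERHEX:CN=SRV01,OU=Servers,DC=corp,DC=example</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-Event5136 -EventXml ([xml]$SampleEvent)
if ($parsed.Attribute -eq 'msDS-KeyCredentialLink' -and $parsed.Operation -eq 'Value Added') {
    Write-Warning ("{0} added a key credential to {1} at {2}" -f $parsed.Subject, $parsed.ObjectDN, $parsed.Time)
}
```

In a live run, a single LDAP modify that replaces the attribute produces two 5136 events (a Value Deleted followed by a Value Added), so correlate on OpCorrelationID or timestamp before alerting. The subjects worth flagging are those outside the principals that legitimately manage key credentials, such as the WHfB provisioning flow and the default privileged groups listed under Remediation.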

Remediation

Several natively privileged security principals have this permission by default, namely Account Operators, Administrators, Domain Admins, Enterprise Admins, Enterprise Key Admins, Key Admins, and SYSTEM. These legitimate security principals do not require remediation.

For Source security principals without a legitimate need to modify this attribute, you must remove this permission. Search for permissions such as "Write all properties", "Write msDS-AllowedToActOnBehalfOfOtherIdentity", "Full control", etc.
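One way to find the Source principals this remediation targets is to walk the security descriptors of user and computer objects and report every Allow ACE that grants write access to msDS-KeyCredentialLink, directly or through control rights, to a trustee outside the default privileged set listed above. The script below is an added example, not the product's or the page's own code; it uses the RSAT ActiveDirectory module cmdlets, and the function names and default-holder list are the author's assumptions.

```powershell
# Added example, not code from the original page: list ACEs on user and computer
# objects that let a principal outside the default privileged set write
# msDS-KeyCredentialLink. Assumes the RSAT ActiveDirectory module and read
# access to the objects' security descriptors.
Import-Module ActiveDirectory

# Principals that hold this right by default and are not remediated.
$DefaultHolders = @('Account Operators', 'Administrators', 'Domain Admins',
                    'Enterprise Admins', 'Enterprise Key Admins', 'Key Admins', 'SYSTEM')

function Get-KeyCredentialLinkGuid {
    # Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' `
                         -Properties schemaIDGUID
    [guid]::new([byte[]]$attr.schemaIDGUID)
}

function Test-GrantsKeyCredentialWrite {
    # True when an Allow ACE lets its trustee write the attribute, either directly
    # or via control rights (WriteDacl/WriteOwner) that let it grant itself the write.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace,
        [Parameter(Mandatory)][guid]$AttrGuid
    )
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $r = $Ace.ActiveDirectoryRights   # GenericAll / GenericWrite already contain these bits
    if (($r -band $rights::WriteDacl)  -ne 0) { return $true }
    if (($r -band $rights::WriteOwner) -ne 0) { return $true }
    if (($r -band $rights::WriteProperty) -ne 0) {
        # Empty ObjectType means "Write all properties"; otherwise it must name this attribute.
        return ($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $AttrGuid)
    }
    return $false
}

function Find-KeyCredentialLinkWriter {
    # Walk every user and computer object under $SearchBase and report the
    # (Source, Target) pairs that correspond to "Add Key Credential" relations.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $attrGuid = Get-KeyCredentialLinkGuid
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectCategory=person)(objectCategory=computer))' `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        $target = $_
        foreach ($ace in $target.nTSecurityDescriptor.Access) {
            $shortName = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($DefaultHolders -contains $shortName) { continue }
            if (Test-GrantsKeyCredentialWrite -Ace $ace -AttrGuid $attrGuid) {
                [pscustomobject]@{
                    Target    = $target.DistinguishedName
                    Source    = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-KeyCredentialLinkWriter | Sort-Object Source, Target | Format-Table -AutoSize
```

An ACE inherited from an OU shows up on every object beneath it, so group the output by Source and fix the ACE at the container where Inherited is false rather than on each Target. The check does not expand property sets: a WriteProperty ACE scoped to a property-set GUID is reported only if that GUID equals the attribute's, so review any property-set ACEs on the affected objects by hand.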

See also