
Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan

ID: 777f87b2-5d3b-5da5-90eb-d61f5467cc3c

STIX ID: report--777f87b2-5d3b-5da5-90eb-d61f5467cc3c

Feed Name: Black Hills Infosec Blog

Threat Score
70/100

Date Published: 2025-01-20

Date Updated: 2026-04-27

Author: BHIS

...
...

This webcast transcript details an Active Directory abuse technique called "shadow credentials": attackers coerce Windows services into authenticating, capture the machine account's authentication, and relay it to update the msDS-KeyCredentialLink attribute, which then allows certificate-based authentication as that computer object to obtain Kerberos tickets and escalate to administrative privileges. The talk covers a step-by-step lab (SSH tunnels, PetitPotam, NTLMRelayX, PKINIT, Whisker), practical detection challenges (changes to msDS-KeyCredentialLink are not audited by default), and primary mitigations (enforce LDAP signing and channel binding as well as SMB signing, restrict who can write the attribute, and enable targeted auditing).
