The client has a public-private key pair and signs the pre-authentication data with its private key; the KDC verifies that signature with the client's public key. The KDC also has a public-private key pair, allowing for the exchange of a session key. (specterops.io)
Active Directory user and computer objects have an attribute called msDS-KeyCredentialLink where raw public keys can be set. When a principal tries to pre-authenticate with PKINIT, the KDC checks that it knows the private key matching one of those public keys, and sends a TGT if there is a match.

An attacker can take over an account if they can write to the msDS-KeyCredentialLink (a.k.a. "kcl") attribute of other objects (e.g. through membership in a privileged group, or a powerful ACE on the target). This allows attackers to create a key pair, append the raw public key to the attribute, and obtain persistent and stealthy access to the target object (a user or a computer).
The attack has a few requirements: write access to the target's msDS-KeyCredentialLink attribute, a Domain Controller that can do PKINIT (it needs its own key pair, typically a certificate, for the session key exchange described above), and Domain Controllers running Windows Server 2016 or later, since the msDS-KeyCredentialLink feature was introduced with Windows Server 2016.
From UNIX-like systems, the msDS-KeyCredentialLink attribute of a user or computer target can be manipulated with the pyWhisker tool. Once the key pair and certificate have been generated and the public key has been appended to the msDS-KeyCredentialLink of the target, the generated certificate can be used with Pass-the-Certificate to obtain a TGT and further access.
From Windows systems, the msDS-KeyCredentialLink attribute of a target user or computer can be manipulated with the Whisker tool. Once the key pair and certificate have been generated and the public key has been appended to the msDS-KeyCredentialLink of the target, the generated certificate can be used with Pass-the-Certificate to obtain a TGT and further access.
User objects can't edit their own msDS-KeyCredentialLink attribute, while computer objects can. This means the following scenario could work: trigger an NTLM authentication from DC01, relay it to the LDAP service of DC02 (this fails if the DC requires LDAP signing), have pyWhisker edit DC01's attribute through that relayed session to create a Kerberos PKINIT pre-authentication backdoor on it, and keep persistent access to DC01 with PKINIT and pass-the-cache.

Computer objects can edit their own msDS-KeyCredentialLink attribute but can only add a KeyCredential if none already exists, so the relay scenario above only works while DC01's attribute is still empty.
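As an added example (not code from pyWhisker, Whisker or the original page), the script below builds, serialises and parses msDS-KeyCredentialLink values in the KEYCREDENTIALLINK_BLOB format described in MS-ADTS, using only the Python standard library. It goes a little beyond the page: it produces the fields that the "list" actions of both tools display (KeyID, DeviceID, creation time), verifies the KeyID and KeyHash checksums, which is what you want when auditing privileged accounts for an unexpected shadow key, and encodes the computer-self caveat above in `self_write_allowed`. The key material, device GUID, timestamp, DN and all function names are constructed for this illustration; real KeyMaterial is an RSA public key, which is not generated here.

```python
"""msDS-KeyCredentialLink (KEYCREDENTIALLINK_BLOB) builder/parser.
Added example, not pyWhisker/Whisker code; sample inputs are constructed placeholders."""
import hashlib
import struct
import uuid
from datetime import datetime, timedelta, timezone

KEYCREDENTIALLINK_VERSION = 0x200          # 4-byte version that precedes the entries
# Entry identifiers; each entry is <length:2 LE><identifier:1><value>
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE = 0x01, 0x02, 0x03, 0x04, 0x05
DEVICE_ID, LAST_LOGON_TIME, CREATION_TIME = 0x06, 0x08, 0x09
KEY_USAGE_NGC = 0x01                       # "Next Generation Credentials", the usage PKINIT key trust uses
KEY_SOURCE_AD = 0x00
FILETIME_EPOCH = 116_444_736_000_000_000   # 1970-01-01 expressed as a FILETIME (100 ns ticks)

# Constructed sample inputs (placeholders, not a real RSA key)
SAMPLE_KEY_MATERIAL = b"constructed placeholder - not a real RSA public key"
SAMPLE_DEVICE_ID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CREATED = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_OWNER_DN = "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"


def _entry(identifier: int, value: bytes) -> bytes:
    return struct.pack("<HB", len(value), identifier) + value


def _to_filetime(dt: datetime) -> bytes:
    ticks = int(dt.timestamp()) * 10_000_000 + dt.microsecond * 10 + FILETIME_EPOCH
    return struct.pack("<Q", ticks)


def _from_filetime(raw: bytes) -> datetime:
    (ticks,) = struct.unpack("<Q", raw)
    secs, rem = divmod(ticks - FILETIME_EPOCH, 10_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem // 10)


def build_key_credential(key_material: bytes, device_id: uuid.UUID, created: datetime) -> bytes:
    """Serialise one KeyCredential. KeyID = SHA-256(key material); KeyHash = SHA-256 of
    every entry after the KeyHash entry, so the two checksums cover the whole blob."""
    tail = (
        _entry(KEY_MATERIAL, key_material)
        + _entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
        + _entry(KEY_SOURCE, bytes([KEY_SOURCE_AD]))
        + _entry(DEVICE_ID, device_id.bytes_le)
        + _entry(LAST_LOGON_TIME, _to_filetime(created))
        + _entry(CREATION_TIME, _to_filetime(created))
    )
    return (
        struct.pack("<I", KEYCREDENTIALLINK_VERSION)
        + _entry(KEY_ID, hashlib.sha256(key_material).digest())
        + _entry(KEY_HASH, hashlib.sha256(tail).digest())
        + tail
    )


def parse_key_credential(blob: bytes) -> dict:
    """Decode the fields the tools' 'list' actions show and verify both checksums."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KEYCREDENTIALLINK_VERSION:
        raise ValueError(f"unsupported KeyCredentialLink version 0x{version:x}")
    fields, pos, hashed_region = {}, 4, None
    while pos < len(blob):
        length, identifier = struct.unpack_from("<HB", blob, pos)
        fields[identifier] = blob[pos + 3 : pos + 3 + length]
        pos += 3 + length
        if identifier == KEY_HASH:
            hashed_region = blob[pos:]     # KeyHash covers everything after its own entry
    integrity_ok = (
        fields.get(KEY_ID) == hashlib.sha256(fields[KEY_MATERIAL]).digest()
        and hashed_region is not None
        and fields.get(KEY_HASH) == hashlib.sha256(hashed_region).digest()
    )
    return {
        "key_id": fields[KEY_ID].hex(),
        "device_id": str(uuid.UUID(bytes_le=fields[DEVICE_ID])),
        "usage": fields[KEY_USAGE][0],
        "created": _from_filetime(fields[CREATION_TIME]),
        "integrity_ok": integrity_ok,
    }


def to_dn_binary(blob: bytes, owner_dn: str) -> str:
    """LDAP string form of a DN-with-Binary value: B:<hex char count>:<hex>:<DN>."""
    hexed = blob.hex().upper()
    return f"B:{len(hexed)}:{hexed}:{owner_dn}"


def from_dn_binary(value: str) -> tuple:
    prefix, count, hexed, dn = value.split(":", 3)
    if prefix != "B" or int(count) != len(hexed):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexed), dn


def list_key_credentials(attribute_values: list) -> list:
    """What a 'list' action boils down to: decode every value of the attribute."""
    return [parse_key_credential(from_dn_binary(v)[0]) for v in attribute_values]


def self_write_allowed(attribute_values: list) -> bool:
    """A computer may add a KeyCredential to its own attribute only while it is empty."""
    return len(attribute_values) == 0


if __name__ == "__main__":
    value = to_dn_binary(build_key_credential(SAMPLE_KEY_MATERIAL, SAMPLE_DEVICE_ID, SAMPLE_CREATED), SAMPLE_OWNER_DN)
    for cred in list_key_credentials([value]):
        print(f"DeviceID={cred['device_id']} created={cred['created'].isoformat()} intact={cred['integrity_ok']}")
    print("computer self-write still possible:", self_write_allowed([value]))
```

When auditing, compare the DeviceID and creation time of each value against the device enrolments you expect: a KeyCredential added by a shadow-credentials tool carries a random DeviceID and a creation time matching the compromise window, and a value whose checksums do not verify was not written by a well-behaved client.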