[bug] (post–Microsoft patch) Fix Shadow Credentials validated write requirements for computer accounts adding a certificate to themselves

[azoxlpf]

Following the Twitter thread by @Defte_, Microsoft changed the validated write rules for the msDS-KeyCredentialLink attribute, which broke Shadow Credentials attacks.

This PR adds the correct KeyCredential format is used (CustomKeyInformation with MFANotUsed flag and no LastLogonTime).

Dependency: This change depends on pydsinternals, which updates the KeyCredential blob format for Microsoft’s new validated write requirements. That PR must be merged before this one works correctly.

Before :

After :

[Signum21]

I'm not sure this is the correct way to check for a machine account, users can also end with a $ and computers may also not be in the CN=Computer path (eg: Domain Controllers).
Looking at other pull requests in other tools, it's not differentiated between users and computers account, I haven't tested it myself but maybe the config for machine accounts works also for users.

[azoxlpf]

I'm not sure this is the correct way to check for a machine account, users can also end with a $ and computers may also not be in the CN=Computer path (eg: Domain Controllers).
Looking at other pull requests in other tools, it's not differentiated between users and computers account, I haven't tested it myself but maybe the config for machine accounts works also for users.

I tested it, and the machine account configuration (isComputerKey=True) also works for user accounts. So you can actually use the same configuration for both

[p0dalirius]

Hey,

Thank you @azoxlpf, I published version pydsinternals 1.2.5 https://github.com/p0dalirius/pydsinternals/releases/tag/1.2.5 with your PR addressing this

Best regards,