Feature: Add Certipy [shadow] command to Linux abuse section for Shadow Attack scenarios
Feature Description
Add support for the Certipy [shadow] technique in the Linux abuse section for cases where Shadow Attack exploitation is applicable (for example when the target account has GenericAll or similar privileges over a certificate template or object). Unlike pywhisker, which outputs only a certificate and requires additional tools (such as PKINITtools) to generate a TGT, Certipy’s shadow functionality directly produces both a usable TGT and the corresponding hash, making the workflow more complete and efficient.
Are you intending to implement this feature?
Yes
Current Behavior
The Linux abuse section currently documents and demonstrates the use of pywhisker for certificate-based abuse paths. While functional, it only produces a certificate file and does not generate a TGT or NTLM hash. Users must rely on external tooling (e.g., PKINITtools) to complete the attack chain.
Use Case
Users performing AD CS abuse from Linux often require a full Shadow Attack chain (certificate → TGT → hash). Certipy's [shadow] support removes the need for multiple tools and ensures the documented workflow matches the smooth attack vectors that BloodHound's abuse recommendations are intended to provide.
Implementation Suggestions
Add Certipy [shadow] examples to the relevant Shadow Credentials attack Linux abuse sections (e.g., GenericAll).
Additional Information
Certipy documentation: https://github.com/ly4k/Certipy