New technique: KrbRelayUp #111

@Patrick-DE
Add Technique
https://github.com/Dec0ne/KrbRelayUp#update---shadow-credentials-support

I added some features to support this attack primitive using shadow credentials. Note this eliminates the need for adding (or owning) another machine account.

Note: this attack method bypasses the Protected Users (or 'Account is sensitive and cannot be delegated') mitigation due to the S4U2Self abuse.

1. Local machine account auth coercion ([KrbRelay](https://github.com/cube0x0/KrbRelay))
2. Kerberos relay to LDAP ([KrbRelay](https://github.com/cube0x0/KrbRelay))
3. Generate new KeyCredential and add it to the local machine account's 'msDS-KeyCredentialLink' attribute. ([Whisker](https://github.com/eladshamir/Whisker) and [KrbRelay](https://github.com/cube0x0/KrbRelay))
4. Using said KeyCredential to obtain a TGT for the local machine account via PKInit. ([Rubeus](https://github.com/GhostPack/Rubeus/))
5. Using the TGT to obtain privileged ST to local machine via S4U2Self and TGSSUB. ([Rubeus](https://github.com/GhostPack/Rubeus/))
6. Using said ST to authenticate to local Service Manager and create a new service as NT/SYSTEM. ([SCMUACBypass](https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82))
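An added example, not code from the issue author or from KrbRelayUp, showing detection logic for step 3 of the chain above: it flags Directory Service Changes audit records (Windows Security event 5136) in which a new msDS-KeyCredentialLink value is written to a computer object, scoring a self-write by the machine account highest since that is the pattern the relay produces. The flattened JSON field names, the allowlisted enrollment account and the records themselves are constructed assumptions.

```python
import json

# Constructed sample records (not real logs). Field names mirror the 5136 event
# fields; how a log pipeline flattens them into "subject", "object_dn", "attribute"
# and "operation" is an assumption of this example.
SAMPLE_5136 = """
{"event_id":5136,"subject":"CORP\\\\WS01$","object_dn":"CN=WS01,CN=Computers,DC=corp,DC=local","object_class":"computer","attribute":"msDS-KeyCredentialLink","operation":"Value Added"}
{"event_id":5136,"subject":"CORP\\\\svc_intune","object_dn":"CN=LAPTOP07,OU=Mobile,DC=corp,DC=local","object_class":"computer","attribute":"msDS-KeyCredentialLink","operation":"Value Added"}
{"event_id":5136,"subject":"CORP\\\\WS02$","object_dn":"CN=WS02,CN=Computers,DC=corp,DC=local","object_class":"computer","attribute":"servicePrincipalName","operation":"Value Added"}
{"event_id":5136,"subject":"CORP\\\\admin","object_dn":"CN=alice,CN=Users,DC=corp,DC=local","object_class":"user","attribute":"msDS-KeyCredentialLink","operation":"Value Added"}
"""

# Accounts that legitimately populate key credentials (device-enrollment services,
# key-trust provisioning). Assumed value; tune it per environment.
KEYCRED_WRITERS_ALLOWLIST = {"CORP\\svc_intune"}


def is_self_write(subject: str, object_dn: str) -> bool:
    """True when the writer is the machine account whose own object was modified."""
    sam = subject.split("\\")[-1]                      # strip DOMAIN\ prefix
    cn = object_dn.split(",")[0].removeprefix("CN=")    # RDN of the modified object
    return sam.endswith("$") and sam[:-1].lower() == cn.lower()


def detect_shadow_credentials(raw_lines: str):
    """Return (severity, subject, object_dn) for every suspicious KeyCredentialLink write.

    Note: event 5136 is only generated when the object's SACL audits write-property
    access, so the computer objects must carry such an audit entry for this to fire.
    """
    findings = []
    for line in raw_lines.strip().splitlines():
        ev = json.loads(line)
        if ev.get("event_id") != 5136 or ev.get("attribute") != "msDS-KeyCredentialLink":
            continue
        if ev.get("operation") != "Value Added":
            continue  # deletions are not the pattern of interest here
        subj = ev["subject"]
        if subj in KEYCRED_WRITERS_ALLOWLIST:
            continue
        # A machine account adding a key credential to itself is the relay signature.
        severity = "high" if is_self_write(subj, ev["object_dn"]) else "medium"
        findings.append((severity, subj, ev["object_dn"]))
    return findings


if __name__ == "__main__":
    for hit in detect_shadow_credentials(SAMPLE_5136):
        print(hit)
```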

Labels: enhancement (New feature or request)