Certipy

In this case, you should try SChannel authentication and logging into LDAP. certipy auth -pfx adm.pfx -ldap-shell | You can use a certificate for WinRM authentication... evil-winrm -S -k ./key.pem -c ./cert.crt -i 10.10.11.152

In this case, you should try SChannel authentication and logging into LDAP. certipy auth -pfx adm.pfx -ldap-shell | You can use a certificate for WinRM authentication... evil-winrm -S -k ./key.pem -c ./cert.crt -i 10.10.11.152

Add Shadow Credentials Same as before, we’ll create shadow credentials using Certipy: certipy-ad shadow auto ... Adding shadow creds to james account | Modify the UPN ... we’ll set it to a DC machine account — in this case, LAB-DC.LAB.LOCAL for Schannel certificate-based authentication. certipy-ad account update ... -upn 'lab-dc$@lab.local'

Creating a New Computer Account ... we can create a new computer account using Certipy’s built-in add_computer command ... We’ll create a machine account named rbcd-test$.

If the certificate template lacks the required security extension (objectSid), and we control a user account, we can manipulate its attributes to request a certificate that gets mapped to a different identity, like a DA.

In this case, you should try SChannel authentication and logging into LDAP. certipy auth -pfx adm.pfx -ldap-shell | You can use a certificate for WinRM authentication... evil-winrm -S -k ./key.pem -c ./cert.crt -i 10.10.11.152

Add Shadow Credentials Same as before, we’ll create shadow credentials using Certipy: certipy-ad shadow auto ... Adding shadow creds to james account | Modify the UPN ... we’ll set it to a DC machine account — in this case, LAB-DC.LAB.LOCAL for Schannel certificate-based authentication. certipy-ad account update ... -upn 'lab-dc$@lab.local'

Since the UPN now matches that of the administrator, the certificate will be mapped to the administrator account during authentication, allowing us to impersonate them.

In this scenario, our current domain user LAB.LOCAL\Black Wasp has Full Control, including both WriteOwner and WriteDacl rights over the template... the screenshot below shows that our user blwasp@lab.local has GenericAll rights over the ESC4 template.

In this case, you should try SChannel authentication and logging into LDAP. certipy auth -pfx adm.pfx -ldap-shell | You can use a certificate for WinRM authentication... evil-winrm -S -k ./key.pem -c ./cert.crt -i 10.10.11.152

Since the UPN now matches that of the administrator, the certificate will be mapped to the administrator account during authentication, allowing us to impersonate them.

If the certificate template lacks the required security extension (objectSid), and we control a user account, we can manipulate its attributes to request a certificate that gets mapped to a different identity, like a DA.

This method relies on the ability to obtain the user’s NTLM hash using the PKINIT mechanism... Got NT hash for 'administrator@contoso.com'

If the certificate template lacks the required security extension (objectSid), and we control a user account, we can manipulate its attributes to request a certificate that gets mapped to a different identity, like a DA.

So, this is the most common use case for a certificate with Client Authentication EKU. If you can authenticate with the certificate, then you are able to get a TGT ticket.

Through these techniques, threat actors abuse certificate templates which don’t require manager approval and include enrollment rights for low privileged users / groups.

Shadow Credentials let us generate our own key pair and inject it into the msDS-KeyCredentialLink attribute of the target account. This gives us a way to authenticate as the user james without changing their actual password.

This method relies on the ability to obtain the user’s NTLM hash using the PKINIT mechanism. Rubeus asktgt /getcredential... Trying to retrieve NT hash... Got NT hash | Attacks on AD CS are becoming more popular by the day... You are more likely to get a certificate during exploitation... We may have stolen it from somewhere, such as a network share.

“SharpHound & Certipy: Used for deep reconnaissance of Active Directory environments.”

The first step for threat actors after initial access is usually enumeration. Threat actors need to enumerate the certificate templates available for their compromised user as well as other AD attributes, in order to determine whether any of the ESC techniques is viable.

We start by finding certificate templates that are vulnerable to ESC9. For that, we can use Certipy and provide domain user credentials along with the domain controller IP.

Use the auth command to authenticate as administrator and grab the NT hash: certipy auth -pfx administrator.pfx -domain lab.local -dc-ip 10.129.228.236 ... Retrieved the Administrator NT hash

Now using this hash, authenticate to Machine with evil-winrm... evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584

Set RBCD on the DC ... the command modifies the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the DC’s computer object to include our new machine account.

It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities.