Active Directory Certificate Services

AD CS is Microsoft's PKI implementation. It integrates with existing Active Directory forests and provides everything from file system encryption and digital signatures to user and computer authentication. While AD CS is not installed by default, it is widely deployed.

Attackers can request or renew certificates for users and computers. A certificate keeps working for its whole validity period and is not invalidated by a password change, so this gives persistence comparable to other techniques.

The certutil binary is a command-line tool that can quickly show whether there is a certificate authority in the domain.

The output shows the certificate authority has been identified as adcs.dominioncyber.local.

Next, using ntlmrelayx from the Impacket suite, we capture the authentication of the Domain Controller's machine account and relay it to the Certification Authority's Web Enrollment endpoint, requesting a certificate from the DomainController template:

ntlmrelayx.py -t http://IPOFADCS/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

We then force authentication with PetitPotam. It calls the EfsRpcOpenFileRaw method over MS-EFSRPC on the Domain Controller, which makes the DC's machine account authenticate to the host we name, in this case our relay listener.

The attack succeeded: ntlmrelayx reports that the certificate was captured, and PetitPotam reports that the coerced authentication went through.

The certificate is printed as a Base64-encoded PKCS#12 (PFX) blob.

Back on the Windows workstation we use Rubeus to request a TGT for the Domain Controller's machine account with that certificate (PKINIT) and pass the ticket into the current session.

That the ticket was passed successfully can be verified with the klist command in cmd.

Holding a TGT for the Domain Controller's machine account gives us its directory replication rights, so we can DCSync the domain. The corresponding fix on the defensive side is to require HTTPS with Extended Protection for Authentication on the Web Enrollment endpoint, or to disable NTLM authentication on it entirely, so the relayed NTLM authentication is rejected.
