Active Directory Certificate Services
AD CS is Microsoft PKI implementation that integrates with existing Active Directory forests, and provides everything from encrypting file systems to digital signatures, to user authentication. While AD CS is not installed by default it is widely deployed.
Attackers con request or renew certificates for users and computers, providing the same persistence approach as other techniques.
The certutil binary is a command line tool which can be used to quickly discover if there is a certificate authority on the domain.
We can verify the server has been identified as adcs.dominioncyber.local
I'll proceed with utilizing ntlmrelay from impacket suite we can capture the authentication of the Domain Controller machine Account and relay it to the Certification Authority Server
We can force authentication via PetitPotam this will make an API call (EfsRpcOpenFileRaw) that will trigger the machine account to authenticate to another system
We can see a successful attack since we can monitor that the Certificate was captured, when passing credentials onto Petitpotam we notice the authentication was successful
Here the tool mentioning it has been successful
The certificate will be generated in Base64 format
Moving back to the Windows Workstation we can utilize Rubeus to pass the Ticket
Successfully passing the ticket can be verified by using the klist command on the cmd
We can DCSync the Domain with these permissions