Certified Pre-Owned
Last updated
Whitepaper published by Will Schroeder and Lee Christensen from .
THEFT1: Exporting certificates and their private keys using Windows' Crypto APIs
THEFT2: Extracting user certificates and private keys using DPAPI
THEFT3: Extracting machine certificates and private keys using DPAPI
THEFT4: Theft of existing certificates via file/directory triage
THEFT5: Using the Kerberos PKINIT protocol to retrieve an account's NTLM hash
ESC1: Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
ESC2: Domain escalation via No Issuance Requirements + Enrollable Any Purpose EKU or no EKU
ESC3: Domain escalation via No Issuance Requirements + Certificate Request Agent EKU + no enrollment agent restrictions
ESC4: Domain escalation via misconfigured certificate template access control
ESC5: Domain escalation via vulnerable PKI AD Object Access Control
ESC6: Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
ESC7: Vulnerable Certificate Authority Access Control
ESC8: NTLM Relay to AD CS HTTP Endpoints
PERSIST1: Account persistence via requests for new authentication certificates for a user
PERSIST2: Account persistence via requests for new authentication certificates for a computer
PERSIST3: Account persistence via renewal of authentication certificates for a user/computer
DPERSIST1: Domain persistence via certificate forgery with stolen CA private keys
DPERSIST2: Domain persistence via certificate forgery from maliciously added root/intermediate/NTAuth CA certificates
DPERSIST3: Domain persistence via malicious misconfigurations that can later cause a domain escalation
A form of credential theft in which attackers use stolen user or machine certificates to authenticate to AD.
Tool: ForgeCert.
A tool that provides a wide range of audit and AD CS functionality.