UC0004: Pass the certificate
Summary
ID | UC0004 |
---|---|
Brief Description | Attackers can use a valid certificate and its associated private key to obtain a Ticket Granting Ticket (TGT) |
Author | @ERMACK_COMMUNITY |
Creation Date | 2023/05/10 |
Modification Date | 2023/05/27 |
ATT&CK Tactics | |
Linked Response Playbooks | |
Artifacts | |
Description
Attackers who hold a valid certificate and its associated private key can use them to obtain a TGT through the Public Key Cryptography for Initial Authentication (PKINIT) extension of Kerberos. The client signs its pre-authentication data with the private key and presents the certificate in the AS-REQ; the KDC validates the certificate, maps it to an account and issues a TGT for that account. No password or NTLM hash of the user is needed at any point.
Attack mapping
ARTIFACT | OBJECT | DESCRIPTION |
---|---|---|
Attack Prerequisites | ||
Certificate Authority | Server in the domain with the Certificate Authority role | Server with Active Directory Certificate Services installed and an enterprise CA configured. The CA certificate must be present in the domain's NTAuth store, otherwise the KDC will not trust certificates it issues |
Authentication Service | Authentication Service on a domain controller | The KDC needs its own certificate (Domain Controller, Domain Controller Authentication or Kerberos Authentication template; Server Authentication EKU at minimum) to sign the PKINIT AS-REP. Without one the KDC answers PKINIT requests with KDC_ERR_PADATA_TYPE_NOSUPP |
Certificate | Certificate issued by the enterprise CA | Certificate whose public key corresponds to the private key. During authentication the KDC validates its chain to a CA in NTAuth, checks that the EKU permits client authentication (Client Authentication, Smart Card Logon, Any Purpose, or no EKU extension at all) and maps it to an account through the UPN in the Subject Alternative Name (or an explicit altSecurityIdentities mapping on the account) |
Private key | Private key associated with the certificate | Key used to sign the PKINIT pre-authentication data (the AuthPack in the AS-REQ); the KDC verifies the signature with the certificate's public key. Attackers can have the key as a file (an exported PFX or PEM), or only the ability to perform signing operations with it without direct access, e.g. a non-exportable key in the user's certificate store or on a smart card or TPM. The latter usually requires code execution in that user's context |
Side Observables | ||
File | PKCS#12 format file (.pfx or .p12) | Container holding the certificate and its associated private key, the form in which attack tools consume the material to obtain the TGT |
File | Executable or script file | Executable or script file that attackers use to carry out the attack (e.g. Rubeus.exe) |
Attack result
The result of this attack is a Ticket Granting Ticket (TGT) for the account the certificate maps to. The attacker is therefore authenticated in the domain as that user and can use the TGT to request service tickets, without ever knowing the user's password.
RESOURCE | DESCRIPTION |
---|---|
Attack Prerequisites | |
Certificate | Certificate issued by the enterprise CA for the target account; the KDC validates its chain and EKU and maps it to the account |
Private key | Private key matching the certificate, used to sign the PKINIT pre-authentication data. Attackers may hold it as a file, or only be able to perform signing operations with it without direct access (usually requiring code execution in the user's context) |
Result Consequences | |
Ticket Granting Ticket | TGT for the mapped account, which the attacker can use to request service tickets |
Attack progress
Depending on how the attacker can use the private key (as a file, or only as the ability to perform cryptographic operations with it), there are two ways to carry out the attack.
First option - access to the private key as a file
- Create a PKCS#12 file from the certificate and its associated private key
- Request a TGT with the PKCS#12 file using PKINIT
Some tools used to carry out this attack
1.
2.
Second option - access to the private key only as the ability to perform cryptographic operations with it
- From the user's context, request a TGT with the specific certificate; the tool signs the PKINIT pre-authentication data through the certificate store (CryptoAPI/CNG), so the key never has to be exported and a non-exportable, smart card or TPM backed key is enough
Some tools used to carry out this attack
1.