Abuse Info
An attacker may perform this attack in the following steps:Step 1: Request enrollment in the affected template
On Windows, use Certify (2.0) to request enrollment in the affected template, specifying the affected certification authority:mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
The certificate PFX is printed to the console in a base64-encoded format.
Step 2: Request a ticket granting ticket (TGT)
On Windows, use Rubeus to request a TGT from the domain, specifying the attacker identity and the base64-encoded certificate from Step 1:Opsec Considerations
When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate.Edge Schema
Source: User, Group, ComputerDestination: Group
Traversable: Yes