Abuse Info
Windows
Step 1: Use Certify (2.0) to request an enrollment agent certificate.
mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
Step 2: Use the enrollment agent certificate to issue a certificate request on behalf of another user to a certificate template that allows for authentication and permits enrollment agent enrollment.
mail or dNSHostName attribute set, which is required by the certificate template. Choose another target with the given attribute set.
The certificate PFX is printed to the console in a base64-encoded format.
Step 3: With Rubeus, use the issued certificate to authenticate to the domain and request a TGT, specifying the identity you intend to impersonate:
Linux
Step 1: Use Certify to request an enrollment agent certificate.
mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
Step 2: Use the enrollment agent certificate to issue a certificate request on behalf of another user to a certificate template that allows for authentication and permits enrollment agent enrollment.
mail or dNSHostName attribute set, which is required by the certificate template. Choose another target with the given attribute set.
Step 3: Request a ticket granting ticket (TGT) from the domain, specifying the target identity to impersonate and the PFX-formatted certificate created in Step 2.
Opsec Considerations
When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate, as well as the target identity the attacker is attempting to impersonate.
Edge Schema
Source: User, Group, Computer
Destination: Domain
Traversable: Yes
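The issued-certificate review described under Opsec Considerations can be sketched as follows. This is an added example, not part of the original page or of any tool it names: it flags authentication certificates issued for an identity other than the requester, where that requester previously obtained an enrollment agent certificate and is not an approved agent. The export layout, column names and accounts are constructed assumptions; only the two EKU OIDs are standard values.

```python
import csv, io
from datetime import datetime

# Constructed sample of a CA issued-certificates export. The column names are
# assumptions for this example, not a real certutil or CA database layout.
SAMPLE_EXPORT = """request_id,issued_at,requester,subject_identity,ekus
101,2024-05-02T09:14:00,CORP\\alice,alice@corp.example,1.3.6.1.5.5.7.3.2
102,2024-05-02T10:01:00,CORP\\svc-enroll,svc-enroll@corp.example,1.3.6.1.4.1.311.20.2.1
103,2024-05-02T10:05:00,CORP\\svc-enroll,bob@corp.example,1.3.6.1.5.5.7.3.2
104,2024-05-03T22:40:00,CORP\\mallory,mallory@corp.example,1.3.6.1.4.1.311.20.2.1
105,2024-05-03T22:43:00,CORP\\mallory,administrator@corp.example,1.3.6.1.5.5.7.3.2
"""

REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"         # Client Authentication

def account(name):
    """Reduce DOMAIN\\user or user@domain to a lowercase account name."""
    return name.split("\\")[-1].split("@")[0].lower()

def find_suspect_issuances(export_text, approved_agents=()):
    """Return on-behalf-of issuances made by unapproved enrollment agents."""
    approved = {account(a) for a in approved_agents}
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.fromisoformat(r["issued_at"]))
    agent_since = {}  # requester -> time its enrollment agent cert was issued
    findings = []
    for row in rows:
        requester = account(row["requester"])
        target = account(row["subject_identity"])
        ekus = set(row["ekus"].split(";"))
        issued = datetime.fromisoformat(row["issued_at"])
        if REQUEST_AGENT_EKU in ekus:
            agent_since.setdefault(requester, issued)
        # Authentication cert whose subject is not the requesting principal.
        on_behalf = CLIENT_AUTH_EKU in ekus and requester != target
        if on_behalf and requester in agent_since and requester not in approved:
            delta = (issued - agent_since[requester]).total_seconds() / 60
            findings.append({"request_id": row["request_id"],
                             "requester": requester, "target": target,
                             "minutes_after_agent_cert": delta})
    return findings

if __name__ == "__main__":
    for f in find_suspect_issuances(SAMPLE_EXPORT, approved_agents=["CORP\\svc-enroll"]):
        print(f)
```

Computer accounts would need their own name normalization, since a sAMAccountName ending in `$` does not reduce to the same string as a DNS host name.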