Lateral Movement: Pass the Certificate

This guide demonstrates how an attacker who holds a stolen administrator.pfx certificate, or a Kerberos TGT (administrator.ccache) obtained from it via PKINIT, can authenticate to an Active Directory domain and obtain remote command execution or interactive shells. It covers NetExec for direct PFX authentication and Impacket/Evil-WinRM for CCACHE-based authentication across SMB, WMI, WinRM, and MSSQL, and closes with detection opportunities and defensive recommendations. #PassTheCertificate #administrator_pfx

Keypoints

  • Pass-the-Certificate uses an X.509 certificate and Kerberos PKINIT to obtain a TGT from the KDC with a .pfx file instead of a password or NTLM hash; that TGT is then usable wherever Kerberos authentication is accepted.
  • NetExec supports direct PFX authentication over SMB, WMI, WinRM, and MSSQL to execute commands on domain-joined hosts.
  • Impacket tools and Evil-WinRM can use the administrator.ccache (the PKINIT-obtained TGT exported to a credential cache) for passwordless Kerberos authentication and interactive shells.
  • Of the execution methods covered, WmiExec is the stealthiest: it creates no service and drops no binary, though by default it still writes command output to a temporary file on the target's ADMIN$ share and reads it back over SMB. PsExec is the most detectable, since it installs a service and drops an executable, leaving service-installation events (7045) behind.
  • Defensive measures include auditing AD CS templates; monitoring Kerberos events, in particular 4768 (TGT requested) with the Certificate Information fields (issuer, serial number, thumbprint) populated, which only happens for certificate-based logons, and 4769 for the service tickets requested afterwards; enforcing certificate rotation and the PKINIT Freshness Extension; and restricting administrative protocol access (SMB, WMI, WinRM, MSSQL) to designated hosts.
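The detection keypoint above, as an added example that is not part of the original article: a small triage script that reads 4768 events in Windows event XML (as exported by wevtutil or forwarded via WEF), recognises certificate-based TGT requests by their populated Certificate Information fields or PKINIT pre-authentication type, and flags the ones an analyst should look at. The sample events, account names, IP addresses, the CA name CORP-CA and the allow-list of smart-card hosts are all constructed for the demo; the event field names (TargetUserName, PreAuthType, CertIssuerName, CertThumbprint, IpAddress, Status) are the real 4768 EventData names.

```python
"""Triage Kerberos 4768 (TGT requested) events for certificate-based (PKINIT) logons.

Added example, not from the original article. Sample events, hosts, accounts and
the CA name are constructed; the EventData field names are the real 4768 names.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Pre-authentication types in 4768 that indicate a PKINIT (certificate) AS-REQ.
PKINIT_PREAUTH_TYPES = {"15", "16"}  # PA-PK-AS-REP_OLD, PA-PK-AS-REP


@dataclass
class TgtRequest:
    user: str
    domain: str
    ip: str
    preauth_type: str
    cert_issuer: str
    cert_thumbprint: str
    status: str


def parse_4768(xml_text: str) -> Optional[TgtRequest]:
    """Return a TgtRequest for a 4768 event, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    ip = data.get("IpAddress", "")
    if ip.startswith("::ffff:"):  # KDC logs IPv4 clients in IPv4-mapped form
        ip = ip[len("::ffff:"):]
    return TgtRequest(
        user=data.get("TargetUserName", ""), domain=data.get("TargetDomainName", ""),
        ip=ip, preauth_type=data.get("PreAuthType", ""),
        cert_issuer=data.get("CertIssuerName", ""),
        cert_thumbprint=data.get("CertThumbprint", ""), status=data.get("Status", ""))


def is_pkinit(req: TgtRequest) -> bool:
    """Certificate fields are only populated for certificate-based AS-REQs."""
    return bool(req.cert_thumbprint) or req.preauth_type in PKINIT_PREAUTH_TYPES


def triage(events, privileged_users, known_pkinit_hosts, expected_issuer
           ) -> List[Tuple[TgtRequest, List[str]]]:
    """Return (request, reasons) for PKINIT TGTs that deserve an analyst's look."""
    privileged = {u.lower() for u in privileged_users}
    findings = []
    for xml_text in events:
        req = parse_4768(xml_text)
        if req is None or not is_pkinit(req):
            continue
        reasons = []
        if req.user.lower() in privileged:
            reasons.append("certificate logon for privileged account")
        if req.ip not in known_pkinit_hosts:
            reasons.append(f"source {req.ip} is not a known smart-card/PKINIT host")
        if req.cert_issuer and req.cert_issuer != expected_issuer:
            reasons.append(f"unexpected certificate issuer {req.cert_issuer!r}")
        if req.status != "0x0":
            reasons.append(f"KDC returned status {req.status}")
        if reasons:
            findings.append((req, reasons))
    return findings


def _event(**fields) -> str:
    """Build a minimal 4768 event in Windows event XML (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID>'
            f'<Computer>DC01.corp.example</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    # Ordinary password logon: PA-ENC-TIMESTAMP (2), certificate fields empty.
    _event(TargetUserName="alice", TargetDomainName="CORP.EXAMPLE", Status="0x0",
           PreAuthType="2", IpAddress="::ffff:10.0.0.50", CertIssuerName="",
           CertSerialNumber="", CertThumbprint=""),
    # Legitimate smart-card logon from a workstation that is known to do PKINIT.
    _event(TargetUserName="bob", TargetDomainName="CORP.EXAMPLE", Status="0x0",
           PreAuthType="16", IpAddress="::ffff:10.0.0.21", CertIssuerName="CORP-CA",
           CertSerialNumber="1A0000000B", CertThumbprint="8F2C" + "0" * 36),
    # Pass-the-Certificate: PKINIT TGT for Administrator from an attacker host.
    _event(TargetUserName="Administrator", TargetDomainName="CORP.EXAMPLE", Status="0x0",
           PreAuthType="16", IpAddress="::ffff:10.0.0.99", CertIssuerName="CORP-CA",
           CertSerialNumber="1A00000013", CertThumbprint="D41E" + "0" * 36),
]


def run_demo():
    return triage(SAMPLE_EVENTS, privileged_users={"Administrator"},
                  known_pkinit_hosts={"10.0.0.21"}, expected_issuer="CORP-CA")


if __name__ == "__main__":
    for req, reasons in run_demo():
        print(f"{req.domain}\\{req.user} from {req.ip}: " + "; ".join(reasons))
```

The allow-list of PKINIT-capable hosts is the part that does the real work: a certificate logon for a Tier-0 account from a machine that has never performed one before is exactly the pattern a stolen .pfx used from an attacker's box produces, while the same event from a known smart-card workstation is routine. Pair it with 4769 service-ticket requests from the same source to see which hosts the TGT was then used against.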

Read More: https://www.hackingarticles.in/lateral-movement-pass-the-certificate/