Skip to main content
This section demonstrates how to use Certify to implement certificate-based persistence techniques for maintaining long-term access to user accounts.

Account Persistence Techniques

Certificate-based persistence allows attackers to maintain access to compromised accounts even after password changes or other remediation efforts. The following techniques leverage Active Directory Certificate Services (AD CS) to establish persistent authentication mechanisms:

PERSIST1 - User Persistence via Certificates

Extend initial access to a user into persistent access by requesting a client authentication certificate in the context of the user account, which can be used for future authentication.

PERSIST2 - Machine Persistence via Certificates

Extend initial access to a machine into persistent access by requesting a client authentication certificate in the context of the machine account.

PERSIST3 - Account Persistence via Certificate Renewal

Extend the lifetime of persistence obtained through PERSIST1 or PERSIST2 by continuously renewing certificates before expiration.

Key Concepts

Certificate-based authentication in Active Directory allows users and machines to authenticate using X.509 certificates instead of traditional passwords. When properly configured, these certificates can be used with Kerberos PKINIT to obtain Ticket Granting Tickets (TGTs).
For persistence techniques to work, certificate templates must meet specific criteria including enrollment rights, disabled manager approval, and appropriate Extended Key Usages (EKUs) for client authentication.
Microsoft’s Strong Certificate Mapping includes the Security Identifier (SID) in certificates to prevent certain attacks, while Weak Certificate Mapping relies only on Subject Alternative Names (SANs) and is more vulnerable to abuse.

Prerequisites

These techniques require existing access to Active Directory and appropriate certificate enrollment permissions. They should only be used in authorized testing scenarios.
  • Access to an Active Directory environment with AD CS deployed
  • User or machine account with certificate enrollment permissions
  • Knowledge of vulnerable certificate templates
  • Understanding of the target environment’s certificate mapping configuration

Detection and Mitigation

Organizations should monitor for:
  • Unusual certificate enrollment activities
  • Certificates with suspicious Subject Alternative Names
  • Authentication events using certificates for unexpected accounts
  • Regular auditing of certificate template configurations

Next Steps

Select a specific persistence technique from the list above to learn detailed implementation steps, enumeration methods, and exploitation techniques.