DPERSIST1 is a technique used to extend one-time privileged access to a CA server into unrestricted privileged access across the entire environment. Specifically, once privileged access has been obtained on a CA server, it is possible to extract the CA signing certificate and its associated private key, and to use them to sign self-made certificates for arbitrary identities and purposes in the environment; because the CA is trusted by the domain, these self-made certificates are trusted for authentication in the Active Directory domain. Effectively, this technique can be used for unrestricted persistence in the domain, as it allows the adversary to forge certificates for arbitrary users and purposes. However, if the CA server is not being treated as a Tier 0 asset, and server admins equivalent to Tier 1 have administrative privileges on the server, this technique can also be used for privilege escalation.
Obtaining the CA Signing Certificate
In order to execute DPERSIST1, we must first obtain the CA signing certificate. This can be done in a plethora of ways:
CA Backup Feature
- Open certsrv.msc
- Right click the CA -> All Tasks -> Back up CA...
- Follow the wizard but make sure to check Private key and CA certificate
- The certificate should now exist at the chosen location (CA-NAME.p12)
CA Server's Machine Certificate Store
- Open certlm.msc
- Go to Personal -> Certificates
- Right click the CA signing certificate -> All Tasks -> Export...
- Follow the wizard but make sure to choose Yes, export the private key
- The certificate should now exist at the chosen location (CA-NAME.pfx)
Windows Certificate Services certutil.exe
This feature has been implemented in Certify with the manage-self --dump-certs command.
Forging Certificates
Once the CA signing certificate has been obtained, we can start forging our own certificates for arbitrary users. This can be done using the forge --ca-cert <pfx-path/base64-pfx> command from Certify.
Using the Forged Certificate
When the certificate has been forged, it can be used to persistently authenticate as the target account using the asktgt command from Rubeus.
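As an added detection example (not part of the original page or of Certify/Rubeus): a certificate signed directly with the stolen CA key never passes through the CA, so its serial number is absent from the CA database, while the domain controller still records the certificate's issuer and serial in Security event 4768 when it is used for PKINIT. The script below flags such logons; the 4768 records, CA subject and issued-serial list are constructed sample data, and the serial list stands in for an export such as `certutil -view -out SerialNumber csv` taken on the CA.

```python
"""Flag PKINIT (certificate) TGT requests whose certificate the CA never issued."""
import re

# Subject of the enterprise CA's signing certificate (constructed value).
KNOWN_CA_ISSUERS = {"CN=CORP-CA, DC=corp, DC=local"}

# Constructed sample of Security event 4768 records reduced to the EventData
# fields relevant here (real 4768 events use these field names; values are made up).
SAMPLE_4768 = [
    "TargetUserName=jdoe;CertIssuerName=CN=CORP-CA, DC=corp, DC=local;CertSerialNumber=61:00:00:00:07;CertThumbprint=AAA1",
    "TargetUserName=svc_backup;CertIssuerName=;CertSerialNumber=;CertThumbprint=",
    "TargetUserName=Administrator;CertIssuerName=CN=CORP-CA, DC=corp, DC=local;CertSerialNumber=0D:EA:DB:EE:F0;CertThumbprint=BBB2",
    "TargetUserName=helpdesk;CertIssuerName=CN=ROGUE-CA;CertSerialNumber=01;CertThumbprint=CCC3",
]

# Constructed stand-in for the serial numbers recorded in the CA's issued-certificate database.
CA_ISSUED_SERIALS = {"6100000007", "6100000008"}


def normalize_serial(serial: str) -> str:
    """Serials show up with colons, spaces or mixed case; keep hex digits only."""
    return re.sub(r"[^0-9A-F]", "", serial.upper())


def parse_4768(record: str) -> dict:
    """Split a 'Name=Value;Name=Value' record into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in record.split(";"))


def find_suspect_pkinit(records, issued_serials, known_issuers):
    """Return (user, reason, detail) for each certificate logon the CA cannot account for."""
    findings = []
    for record in records:
        ev = parse_4768(record)
        issuer, serial = ev.get("CertIssuerName", ""), ev.get("CertSerialNumber", "")
        if not issuer and not serial:
            continue  # password-based pre-authentication; nothing to check
        if issuer not in known_issuers:
            findings.append((ev["TargetUserName"], "unknown issuer", issuer))
        elif normalize_serial(serial) not in issued_serials:
            # Trusted issuer, but no matching issuance record: consistent with a forged certificate.
            findings.append((ev["TargetUserName"], "serial not in CA database", normalize_serial(serial)))
    return findings


if __name__ == "__main__":
    for user, reason, detail in find_suspect_pkinit(SAMPLE_4768, CA_ISSUED_SERIALS, KNOWN_CA_ISSUERS):
        print(f"{user}: {reason} ({detail})")
```

Enabling the Audit Certification Services subcategory on the CA also records backups of the CA database and keys (events 4876/4877), which covers the backup path described above.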