Hackers Using Fake Certificates to Infiltrate Corporate Networks

Jan 16, 2025 · 3 min read

Using fake certificates, attackers gain unauthorized access to corporate network resources: they present such a certificate to the Key Distribution Center (KDC) to get into the target company’s network.

Shadow Credentials are an example of such an attack. This technique allows an attacker to take over an AD user or computer account.

Certificate-based TGT Requests

In Kerberos, the key distribution center (KDC) is the system responsible for issuing keys and tickets to the users of a network that shares sensitive or private data.

A Ticket Granting Ticket (TGT) is used to request service tickets from the Ticket Granting Service (TGS) for specific resources or systems joined to the domain.

Essentially, a TGT is proof of successful user authentication, usually by password.

[Image: Kerberos authentication scheme (Kaspersky)]

Requesting a TGT with a certificate instead of a password is called Public Key Cryptography for Initial Authentication (PKINIT).

With Active Directory Certificate Services (AD CS) in the corporate network issuing certificates for domain users, setting up certificate authentication is straightforward.

However, not all corporate networks have AD CS. The msDS-KeyCredentialLink attribute covers this case: the certificate (more precisely, the public key) can be written directly to it.

(The msDS-KeyCredentialLink attribute links an RSA key pair to a computer or user object so that the object can authenticate to the KDC with that key pair and receive a Kerberos TGT.)

The KDC will therefore trust this certificate and issue a TGT. The catch is that any principal able to write the msDS-KeyCredentialLink attribute of an object can also obtain a ticket for that object.

Illustration of the Attack

Consider logan_howard, who has write access in the AD domain and uses Whisker to write a public key to the msDS-KeyCredentialLink attribute of a domain controller object.

Whisker is a C# tool for taking over AD user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.

The subject receives the TGT issued to the domain controller.

With the TGT, the subject receives a TGS ticket to synchronize password information in the domain.

As part of its research, Securelist (Kaspersky) had the KDC accept particular certificates, including stolen and forged ones. Each such TGT request triggered event 4768 on the domain controller.

This event may contain artifacts of the certificate used for authentication, in three fields: CertIssuerName, CertSerialNumber, and CertThumbprint.

Kaspersky produced several TGT request events in this way using a forged certificate generated with Whisker.
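As an added illustration (not code from the article or from Kaspersky's research), the following Python triages constructed 4768 records by the three certificate fields named above, treating a certificate-based TGT request whose issuer is not one of the organisation's own CAs as suspicious and rating it higher when the target is a machine account such as a domain controller. The sample records, the issuer allowlist and the dictionary field names (taken from the event's EventData names) are assumptions.

```python
# Added example, not the article's or Kaspersky's code: triage constructed
# Kerberos event 4768 records for certificate-based (PKINIT) TGT requests.

# Assumed allowlist: issuer names of the organisation's own AD CS CAs.
TRUSTED_ISSUERS = {"CN=corp-CA01-CA, DC=corp, DC=local"}

# Constructed sample records (not real log data).
SAMPLE_4768 = [
    # ordinary password-based TGT request: certificate fields are empty
    {"TargetUserName": "alice", "PreAuthType": "2",
     "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""},
    # PKINIT with a certificate issued by the organisation's CA
    {"TargetUserName": "bob", "PreAuthType": "16",
     "CertIssuerName": "CN=corp-CA01-CA, DC=corp, DC=local",
     "CertSerialNumber": "1A0000000B", "CertThumbprint": "AB" * 20},
    # PKINIT for a domain controller account with a self-signed certificate,
    # the pattern left by a key pair written to msDS-KeyCredentialLink
    {"TargetUserName": "DC01$", "PreAuthType": "16",
     "CertIssuerName": "CN=DC01$",
     "CertSerialNumber": "4F2C9A17", "CertThumbprint": "CD" * 20},
]


def analyse_4768(events, trusted_issuers=TRUSTED_ISSUERS):
    """One finding per certificate-based TGT request whose issuer is not a known CA."""
    findings = []
    for ev in events:
        # Pre-auth type 16 is PA-PK-AS-REQ (PKINIT); the Cert* fields are
        # only populated when a certificate was used for the request.
        cert_fields = ("CertIssuerName", "CertSerialNumber", "CertThumbprint")
        if ev.get("PreAuthType") != "16" and not any(ev.get(f) for f in cert_fields):
            continue
        account = ev["TargetUserName"]
        issuer = ev.get("CertIssuerName", "")
        if issuer in trusted_issuers:
            continue
        reasons = ["issuer is not an organisation CA"]
        if issuer.lower() == f"cn={account.lower()}":
            reasons.append("self-signed: issuer equals the account name")
        # A machine account (trailing '$'), a DC in particular, is the
        # scenario the article illustrates, so rate it higher.
        severity = "high" if account.endswith("$") else "medium"
        findings.append({"account": account, "severity": severity, "reasons": reasons,
                         "serial": ev.get("CertSerialNumber", ""),
                         "thumbprint": ev.get("CertThumbprint", "")})
    return findings


if __name__ == "__main__":
    for f in analyse_4768(SAMPLE_4768):
        print(f["severity"], f["account"], f["thumbprint"], "; ".join(f["reasons"]))
```

The thumbprint and serial in each finding are the values to pivot on when hunting for the same key being used against other accounts or from other hosts.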

Source: CybersecurityNews.com
