Skip to content

nettitude/TokenCert

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
TokenCert
TokenCert
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
TokenCert.sln
TokenCert.sln
 
 

Repository files navigation

TokenCert

Overview

TokenCert is a C# tool that will create a network token (LogonType 9) using a provided certificate via PKINIT. This way, we can have a make-token functionality using certificates instead of passwords. The tool was created after reading the excellent post "Understanding and evading Microsoft Defender for Identity PKINIT detection".

Instead of creating a new process (as the original POC does), we are instead invoking LogonUserA and ImpersonateLoggedOnUser to authenticate and impersonate the specified certificate user. This way, the TGT request for the provided account is performed from the OS avoiding any abnormal behaviors like irregular AS-REQ messages and / or Kerberos Traffic from Unusual Process.

Windows Events

Once the tool is executed we will get the following events:

  • Client - Event 4624 - An account was successfully logged on

client

  • LogonType 9 (New Credentials) - Clones current LSA session for local access, but uses new credentials when connecting to network resources.

    • Network account Name is actually @@Bw8Ep8pKYTYvcuN2U31Y99I1fI2G
    • Effectively is the marshalled credential from the invocation of CredMarshalCredential. It can be reversed using CredUnmarshalCredential. This twitter thread was actually quite interesting

  • Domain Controller - Event 4768 - A Kerberos authentication ticket (TGT) was requested

dc

  • Account Information contains the requesting username (Account Name: alice) and Client Address field the IP of the host that the request originated from
  • Ticket Options is 0x40810010 translating to Forwardable + Renewable + Canonicalize + Renewable Ok. More details here
  • Pre-Authentication Type 16. Typical to see in PKINIT authentication scenarios as it is the PA-PK-AS-REQ. More details for Pre-Authentication Types here

Usage

tokencert.exe -Cert <base64> -Domain <domain> [-Password <PasswordOfCertificate>]

Acknowledgments

This tool is inspired by the research of Synacktiv in their article Understanding and evading Microsoft Defender for Identity PKINIT detection and their tool Invoke-RunAsWithCert

Lefteris (Lefty) Panos @ 2024 - LRQA Red Team

About

TokenCert

Topics

certificate redteaming redteam adcs redteam-tools redteaming-tools

Resources

Readme
Activity
Custom properties

Stars

90 stars

Watchers

5 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages