Skip to content

Latest commit

 

History

History
42 lines (24 loc) · 2.88 KB

README.md

File metadata and controls

42 lines (24 loc) · 2.88 KB

TokenCert

Overview

TokenCert is a C# tool that will create a network token (LogonType 9) using a provided certificate via PKINIT. This way, we can have a make-token functionality using certificates instead of passwords. The tool was created after reading the excellent post "Understanding and evading Microsoft Defender for Identity PKINIT detection".

Instead of creating a new process (as the original POC does), we are instead invoking LogonUserA and ImpersonateLoggedOnUser to authenticate and impersonate the specified certificate user. This way, the TGT request for the provided account is performed from the OS avoiding any abnormal behaviors like irregular AS-REQ messages and / or Kerberos Traffic from Unusual Process.

Windows Events

Once the tool is executed we will get the following events:

  • Client - Event 4624 - An account was successfully logged on

client

  • LogonType 9 (New Credentials) - Clones current LSA session for local access, but uses new credentials when connecting to network resources.

    • Network account Name is actually @@Bw8Ep8pKYTYvcuN2U31Y99I1fI2G
    • Effectively is the marshalled credential from the invocation of CredMarshalCredential. It can be reversed using CredUnmarshalCredential. This twitter thread was actually quite interesting
  • Domain Controller - Event 4768 - A Kerberos authentication ticket (TGT) was requested

dc

  • Account Information contains the requesting username (Account Name: alice) and Client Address field the IP of the host that the request originated from
  • Ticket Options is 0x40810010 translating to Forwardable + Renewable + Canonicalize + Renewable Ok. More details here
  • Pre-Authentication Type 16. Typical to see in PKINIT authentication scenarios as it is the PA-PK-AS-REQ. More details for Pre-Authentication Types here

Usage

tokencert.exe -Cert <base64> -Domain <domain> [-Password <PasswordOfCertificate>]

Acknowledgments

This tool is inspired by the research of Synacktiv in their article Understanding and evading Microsoft Defender for Identity PKINIT detection and their tool Invoke-RunAsWithCert

Lefteris (Lefty) Panos @ 2024 - LRQA Red Team