Golden certificate

Theory

Golden certificates usually refer to one of two types of attacks.

Forge certificate and sign them with the CA cert private key --> #stolen-ca
Modify a template and turn it into a SmartCard template --> access-controls.md

Most tools (certsync, certipy) and resources refer to the #stolen-ca technique when mentioning Golden Certificates. Since Golden Tickets consist in Kerberos tickets forged when knowing the KRBTGT keys, it makes sense to call "Golden Certificate" a technique that consists in forging a certificate when knowing the CA private key.

Resources

https://cyberstoph.org/posts/2019/12/an-introduction-to-golden-certificates/

https://www.hackingarticles.in/domain-persistence-golden-certificate-attack/

https://san3ncrypt3d.com/2022/02/19/gc/

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Golden certificate

Theory

Resources

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Golden certificate ​

Theory ​

Resources ​

Golden certificate

Theory

Resources