Using “certutil”

author: Nathan Acks
date: 2022-05-11

Calculating File Hashes

CertUtil -hashfile $FILE_PATH $ALGORITHM

The algorithm argument is optional; if it is omitted, certutil uses SHA1.
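Comparing a certutil digest against a known-good value by eye is error-prone, and older builds print the digest as space-separated byte pairs while newer ones print a single hex run. The following PowerShell wrapper is an added example (not part of the original note): it runs certutil -hashfile, accepts both output formats, and reports whether the file matches a hash obtained from a trusted source. The function names, the file path and the expected hash are placeholders, and it assumes a certutil build that accepts the algorithm argument.

```powershell
# Added example, not from the original note. Assumes certutil.exe is on PATH and
# that $Expected comes from a trusted source (vendor page, signed manifest).
function Get-CertUtilHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')]
        [string] $Algorithm = 'SHA256'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # certutil prints a header line, the hex digest, then a status line.
    $lines = & certutil.exe -hashfile $Path $Algorithm 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed (exit $LASTEXITCODE): $($lines -join ' ')"
    }
    # Accept "ab cd ef ..." (older builds) as well as "abcdef..." (newer builds);
    # the header and status lines contain non-hex characters and are skipped.
    $digest = $lines |
        Where-Object { "$_" -match '^\s*([0-9a-fA-F]{2}\s*)+$' } |
        Select-Object -First 1
    if (-not $digest) {
        throw "No hex digest found in certutil output: $($lines -join ' ')"
    }
    return ("$digest" -replace '\s', '').ToLowerInvariant()
}

function Test-FileHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,
        [string] $Algorithm = 'SHA256'
    )
    $want   = ($Expected -replace '\s', '').ToLowerInvariant()
    $actual = Get-CertUtilHash -Path $Path -Algorithm $Algorithm
    [pscustomobject]@{
        Path      = $Path
        Algorithm = $Algorithm
        Expected  = $want
        Actual    = $actual
        Match     = ($actual -eq $want)   # case-insensitive, whitespace-tolerant
    }
}

# Usage with placeholder values: replace the path and the hash with real ones.
Test-FileHash -Path 'C:\Downloads\installer.msi' `
              -Expected '<SHA256 from the vendor download page>' `
              -Algorithm SHA256
```

A result with Match = False means the downloaded file should not be trusted or run until the discrepancy is explained.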

Enumerating AD CS Templates

AD CS (Active Directory Certificate Services) is AD's PKI, and is used on the back end for everything from provisioning disk encryption keys to user authentication. Certificate templates are a way to automate the certificate request process: rather than an admin approving every CSR manually, AD CS checks whether a relevant "template" (really a template + associated settings + an access policy) exists that matches the supplied CSR and is configured to allow the requesting user to obtain a certificate.

Enumerate all certificate templates from a domain-joined computer and domain-authenticated user:

certutil -v -template

(There are actually some other requirements - like fully automated certificate provisioning - but by default these are all satisfied.)

If a certificate template has the following properties, then we can use it to create a certificate in the name of another user and then forge Kerberos tickets for that user with a tool like Rubeus.