ForgeCert : “Golden” Certificates

ForgeCert uses the BouncyCastle C# API and a stolen Certificate Authority (CA) certificate and private key to forge certificates, for arbitrary users, that are capable of authenticating to Active Directory. This attack is codified as DPERSIST1 in our “Certified Pre-Owned” whitepaper. This code base was released ~45 days after the whitepaper was published. @tifkin_ is the primary author of ForgeCert. @tifkin_ and @harmj0y are the primary …
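
A certificate signed offline with a stolen CA key never passes through the CA service, so it has no row in that CA's issuance database. The following added example (not part of ForgeCert or the whitepaper) reconciles certificate logons against an exported issuance inventory and flags serial numbers the CA never recorded. The record shapes, the `CertIssuerName` / `CertSerialNumber` keys of the parsed logon events, and all sample values are assumptions constructed for illustration.

```python
"""Added example: find certificate logons whose certificate the CA never recorded."""

HEX = set("0123456789abcdef")

def norm_serial(serial):
    # Tools print serials as "1A:00:2F", "1a 00 2f" or "0x1a002f"; compare canonical hex.
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    s = "".join(ch for ch in s if ch in HEX)
    return s.lstrip("0") or "0"

def norm_issuer(name):
    return name.strip().lower()

def build_inventory(issued_rows):
    """Set of (issuer, serial) pairs taken from the CA's issuance export."""
    return {(norm_issuer(r["issuer"]), norm_serial(r["serial"])) for r in issued_rows}

def unrecorded_cert_logons(events, inventory, monitored_issuers):
    """Logons whose certificate names a monitored CA but is absent from its inventory."""
    monitored = {norm_issuer(i) for i in monitored_issuers}
    findings = []
    for ev in events:
        issuer = norm_issuer(ev.get("CertIssuerName", ""))
        serial = ev.get("CertSerialNumber", "")
        if issuer not in monitored or not serial:
            continue  # not a certificate logon, or a CA whose inventory we do not hold
        if (issuer, norm_serial(serial)) not in inventory:
            findings.append(ev)
    return findings

# Constructed sample data (hypothetical CA name, users and serial numbers).
ISSUED = [
    {"issuer": "corp-CA01", "serial": "6100000004A1B2C3", "subject": "alice"},
    {"issuer": "corp-CA01", "serial": "6100000005D4E5F6", "subject": "bob"},
]
EVENTS = [
    {"TargetUserName": "alice", "CertIssuerName": "corp-CA01",
     "CertSerialNumber": "61:00:00:00:04:a1:b2:c3"},
    {"TargetUserName": "administrator", "CertIssuerName": "CORP-CA01",
     "CertSerialNumber": "0x1f9a77c2003b10aa"},
    {"TargetUserName": "bob", "CertIssuerName": "", "CertSerialNumber": ""},
]

if __name__ == "__main__":
    hits = unrecorded_cert_logons(EVENTS, build_inventory(ISSUED), ["corp-CA01"])
    for ev in hits:
        print("no issuance record:", ev["TargetUserName"], ev["CertSerialNumber"])
```

A hit is a lead rather than proof: an inventory export that is stale or incomplete produces the same result, so refresh it before triage.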