AD CS Abuse
AD CS : Active Directory Certificate Services
CA : Certification Authority
EKU : Extended Key Usage
SAN : Subject Alternative Name (subjectAltName)
CSR : Certificate Signing Request
CES : Certificate Enrollment Web Service
CAPI : CryptoAPI
CNG : Cryptography API: Next Generation
EKU OIDs that can enable certificate authentication:
Client Authentication
1.3.6.1.5.5.7.3.2
PKINIT Client Authentication
1.3.6.1.5.2.3.4
Smart Card Logon
1.3.6.1.4.1.311.20.2.2
Any Purpose EKU
2.5.29.37.0
Subordinate CA certificate
No EKU set
Enumerate AD CS
Enumerate AD Enterprise CAs and their settings with LDAP:
Get list of template names:
Enumerate AD Enterprise CAs with certutil from a domain-joined machine:
Hunt for Certificates
Export Certificates
Export a certificate from user's context.
With certmgr:
Run →
certmgr.msc
→ Action → All Tasks → Export ...
With PowerShell:
With CertStealer:
If the private key is non-exportable, use Mimikatz's crypto::capi
(to patch CAPI in current process) or crypto::cng
(to patch lsass.exe
memory):
DPAPI User Keys
Decrypt a domain user's masterkey with domain's backup key with Mimikatz:
Decrypt masterkey if user's plaintext password is known with Mimikatz:
Simplify the process with SharpDPAPI providing it a file with one or more {GUID}:SHA1
masterkey mappings (will output a .pem
file):
DPAPI Machine Keys
It's not possible to decrypt machine keys using the domain's DPAPI backup key, so the adversary can use the DPAPI_SYSTEM
LSA secret on the system which is accessible only by the SYSTEM user:
After converting the output to .pfx
and if the appropriate EKU scenario is present, the adversary can use that .pfx
for domain authentication as the computer account (see PERSIST2).
Search for Certificate Files
Find certificate files lying around with Seatbelt:
Some other certificate-related file extensions:
.key
The private key.
.crt
/.cer
The certificate.
.csr
Signing request file. Does not contain certificates or keys.
.jks
/.keystore
/.keys
Java Keystore. May contain certificates + private keys used by Java apps.
List EKUs for a certificate with PowerShell:
Parse .pfx
with certutil:
Correlate a certificate with a CA thumbprint on the host and in AD:
Steal NTLM via PKINIT
Request NTLM hash when the account is authenticated with a TGT through PKINIT with Kekeo:
Domain Escalation via Certificates
Discover vulnerable templates:
Modifiable SAN + Smart Card Logon or Client Authentication or PKINIT Client Authentication EKUs
Condition: the vulnerable certificate template allows requesters to specify a SAN in the CSR as well as allows Smart Card Logon (1.3.6.1.4.1.311.20.2.2
) or Client Authentication (1.3.6.1.5.5.7.3.2
) or PKINIT Client Authentication (1.3.6.1.5.2.3.4
) EKUs.
Find template with this misconfiguration:
Request a certificate specifying the /altname
as a domain admin:
Modifiable SAN + Any Purpose EKU
Condition: the vulnerable certificate template allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0
).
Find template with this misconfiguration:
Request a certificate specifying the /altname
as a domain admin like in ESC1.
Agent Certificate + Enroll on Behalf of Another User
Conditions:
A template allows a low-privileged user to use an enrollment agent certificate.
Another template allows a low privileged user to use the enrollment agent certificate to request a certificate on behalf of another user, and the template defines an EKU that allows for domain authentication.
1. Request an enrollment agent certificate:
2. Request a certificate on behalf of another to a template that allow for domain authentication:
Vulnerable Certificate Template ACEs
Owner
Implicit full control of the object, can edit any properties.
FullControl
Full control of the object, can edit any properties.
WriteOwner
Can modify the owner to an adversary-controlled principal.
WriteDacl
Can modify access control to grant an adversary FullControl
.
WriteProperty
Can edit any properties.
EDITF_ATTRIBUTESUBJECTALTNAME2
EDITF_ATTRIBUTESUBJECTALTNAME2
If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
This means that an adversary can enroll in any template configured for domain authentication that also allows unprivileged users to enroll (e.g., the default User
template) and obtain a certificate that allows to authenticate as a domain admin or any other active user/machine.
Discover with certutil:
Discover with Certify:
To abuse request a certificate specifying an /altname
with any template that allows for domain auth (e.g., the default User
template which normally doesn't allow to specify alternative names):
This setting can be set with domain admin's privileges like this (dangerous, do not do this!):
Remove this setting:
Vulnerable CA ACEs
Enumarate CA ACEs with Powershell PSPKI:
ManageCA
and ManageCertificates
rights translate to the "CA Administrator" and "Certificate Manager" ("CA Officer") respectively.
The "CA Administrator" role allows to set the EDITF_ATTRIBUTESUBJECTALTNAME2
flag (see ESC6):
The "Certificate Manager" role allows to remotely approve pending certificate requests which can by used by an adversary to subvert the "CA certificate manager approval" protection:
Last updated