AD CS Abuse
Active Directory Certificate Services
This page is a selective copy-paste of the Certified Pre-Owned PDF (mainly offensive techniques) without testing "in the wild"! When any of the discussed techniques is actually performed by me during an engagement, corresponding notes are get reviewed, supplemented with examples from my personal experience and put into a separate section, e. g. ESC1, ESC8, etc.
Glossary
AD CS 👉🏻 Active Directory Certificate Services
CA 👉🏻 Certification Authority
EKU 👉🏻 Extended Key Usage
SAN 👉🏻 Subject Alternative Name (subjectAltName)
CSR 👉🏻 Certificate Signing Request
CES 👉🏻 Certificate Enrollment Web Service
CAPI 👉🏻 CryptoAPI
CNG 👉🏻 Cryptography API: Next Generation
EKU OIDs that can enable certificate authentication:
Enumerate
Enumerate AD Enterprise CAs and their settings with PowerShell:
Enumerate AD Enterprise CAs with CME:
Get list of certificate template names:
Enumerate AD Enterprise CAs with certutil from a domain-joined machine:
Look for artefacts in RPC dumps like adcshunter does:
Hunt for Certificates
Export Certificates (THEFT1)
Export a certificate from user's context.
With certmgr:
Run →
certmgr.msc
→ Action → All Tasks → Export ...
With PowerShell:
With CertStealer:
If the private key is non-exportable, use Mimikatz's crypto::capi
(to patch CAPI in current process) or crypto::cng
(to patch lsass.exe
memory):
DPAPI User Keys (THEFT2)
Decrypt a domain user's masterkey with domain's backup key with Mimikatz:
Decrypt masterkey if user's plaintext password is known with Mimikatz:
Simplify the process with SharpDPAPI providing it a file with one or more {GUID}:SHA1
masterkey mappings (will output a .pem
file):
DPAPI Machine Keys (THEFT3)
It's not possible to decrypt machine keys using the domain's DPAPI backup key, so the adversary can use the DPAPI_SYSTEM
LSA secret on the system which is accessible only by the SYSTEM user:
After converting the output to .pfx
and if the appropriate EKU scenario is present, the adversary can use that .pfx
for domain authentication as the computer account (see PERSIST2).
Search for Certificate Files (THEFT4)
Find certificate files lying around with Seatbelt:
Some other certificate-related file extensions:
List EKUs for a certificate with PowerShell:
Parse .pfx
with certutil:
Correlate a certificate with a CA thumbprint on the host and in AD:
Steal NTLM via PKINIT (THEFT5)
Request NTLM hash when the account is authenticated with a TGT through PKINIT with Kekeo:
Persistence via Certificates
User Persistence (PERSIST1)
Find certificate templates available for enrollment for the current user:
Search for any template that allows domain authentication (a stock published template that allows client authentication is the User
template).
Request a new certificate for enrolling current user context:
This will output a certificate and private key in .pem
. To convert it to .pfx
compatible with Rubeus do:
After that an adversary can upload it to target and use Rubeus to request a valid TGT, for as long as the certificate is valid (default certificate lifetime is one year):
This approach will work even if the user changes their password. Combined with the THEFT5 technique, an adversary can also persistently obtain the account's NTLM hash.
Machine Persistence (PERSIST2)
Same as for PERSIST1 but requesting a certificate for enrolling current machine context:
With access to a machine account certificate an adversary can use S4U2Self to obtain a Kerberos ticket to any service on the host (see RBCD Abuse) or generate a silver ticket.
Certificate Renewal
Certificate template validity period - determines how long an issued certificate can be used.
Certificate template renewal period - determines a window of time before the certificate expires where an account can renew it from the issuing certificate authority.
An adversary can renew the compromised certificate before the validity period expires, and so that extend their access to AD without requesting additional ticket enrollments.
Domain Escalation via Certificates
Modifiable SAN + Any Purpose EKU (ESC2)
Condition: the vulnerable certificate template allows requesters to specify a SAN in the CSR as well as allows Any Purpose EKU (2.5.29.37.0
).
Find template with this misconfiguration:
Request a certificate specifying the /altname
as a domain admin like in ESC1.
Agent Certificate + Enroll on Behalf of Another User (ESC3)
Conditions:
A template allows a low-privileged user to use an enrollment agent certificate.
Another template allows a low privileged user to use the enrollment agent certificate to request a certificate on behalf of another user, and the template defines an EKU that allows for domain authentication.
1. Request an enrollment agent certificate:
2. Request a certificate on behalf of another user based on a template that allows domain authentication:
Vulnerable PKI Object ACEs (ESC5)
EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6)
If this flag is set on the CA, any request (including when the subject is built from Active Directory) can have user defined values in the subject alternative name.
This means that an adversary can enroll in any template configured for domain authentication that also allows unprivileged users to enroll (e. g., the default User
template) and obtain a certificate that allows to authenticate as a domain admin or any other active user/machine.
Discover with certutil:
Discover with Certify:
To abuse request a certificate specifying an /altname
with any template that allows for domain auth (e. g., the default User
template which normally doesn't allow to specify alternative names):
This setting can be set with domain admin's privileges like this (dangerous, do not do this!):
Remove this setting:
Vulnerable CA ACEs (ESC7)
Enumarate CA ACEs with Powershell PSPKI:
ManageCA
and ManageCertificates
rights translate to the "CA Administrator" and "Certificate Manager" ("CA Officer") respectively.
The "CA Administrator" role allows to set the EDITF_ATTRIBUTESUBJECTALTNAME2
flag (see ESC6):
The "Certificate Manager" role allows to remotely approve pending certificate requests which can by used by an adversary to subvert the "CA certificate manager approval" protection:
OID Group Link Abuse (ESC13)
Audit
Misc
Parse .pfx
with PowerShell:
Tools
Certify
Search for vulnerable certificate templates:
Certipy
Get TGT automatically and list CAs, servers and search for vulnerable certificate templates (output in text, JSON and BloodHound formats):
certi
Get TGT:
List CAs and servers (short):
List CAs (verbose):
Search for vulnerable certificate templates:
PassTheCert
ADCSKiller
Last updated