Active Directory Certificate Services (AD CS) is a crucial component of many organizations' security infrastructure, responsible for public key infrastructure (PKI) and managing digital certificates. Despite its importance, AD CS can also be a target for various security threats. This blog post delves into common vulnerabilities in AD CS, explains how these can be exploited, and outlines effective remediation strategies to protect your systems.
TL;DR: here's how to check and fix.

- Secure your HTTP endpoints (mitigates KrbRelayUp, PetitPotam and others)
  - Remove all AD CS HTTP endpoints (best option)
  - If that is not possible: enforce HTTPS and Extended Protection for Authentication (EPA)
  - Also helps: disable NTLM authentication on IIS and on your AD CS servers
- PowerShell scripts to discover overly permissive AD object ACLs
Demo - ESC4: when a user has write privileges over a certificate template. This can, for instance, be abused to overwrite the configuration of the certificate template so that the template becomes vulnerable to ESC1.

This shows ESC4 to ESC1 again, only this time using a machine account.

Prerequisite: control over a Domain User account.

- The templates only allow Domain Computers to enroll (think machine certificates for 802.1X).
- The default policy allows Domain Users to create 10 machine accounts, so let's create one called regusersPC.
- Repeat Escalation 1.
- Template TestUser allows:
  - "Enrollee Supplies Subject"
  - Enrollment rights for Domain Computers
- Request a certificate in the context of reguserPC (an account with only Domain Computers privileges) with an SPN for the Domain Administrator "[email protected]".
- Take the supplied certificate (administrator_dc.pfx), request a TGT, and then the NTLM hash.
- Profit: DCSync, etc.
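A defender-side check for the two template conditions the demo chains (ESC4: broad write rights on the template object; ESC1: enrollee-supplied subject on an enrollable, authentication-capable template), which is also the kind of ACL discovery the TL;DR points at. This is an added PowerShell example, not code from the original post or from the scripts it links. It assumes a domain-joined host whose user can read template ACLs, and the default English group names in $broadPrincipals; the flag bits and the Certificate-Enrollment right GUID are the standard AD CS values.

```powershell
# Added example, not from the original post: audit certificate templates for the
# ESC1 and ESC4 conditions shown in the demo. Assumes a domain-joined host, a
# reader allowed to see template ACLs, and default English group names.
$broadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$authEkus = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0')
$ADR = [System.DirectoryServices.ActiveDirectoryRights]
function Test-BroadPrincipal ($ace) {
    # "DOMAIN\Domain Users" -> "Domain Users"; unresolved SIDs simply do not match
    $broadPrincipals -contains ($ace.IdentityReference.Value -split '\\')[-1]
}
function Get-RiskyCertTemplates {
    $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($t in $container.Children) {
        $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
        $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
        $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value
        $ekus       = @($t.Properties['pKIExtendedKeyUsage'])
        $allowAces  = @($t.ObjectSecurity.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
        # ESC4: a broad group can rewrite the template object (and so turn it into ESC1).
        $writeMask = $ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner
        $writers = $allowAces | Where-Object {
            (Test-BroadPrincipal $_) -and (
                (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -or
                ((($_.ActiveDirectoryRights -band $ADR::WriteProperty) -ne 0) -and ($_.ObjectType -eq [guid]::Empty)))
        }
        # Enrollment granted to a broad group (Domain Computers in the demo).
        $enrollers = $allowAces | Where-Object {
            (Test-BroadPrincipal $_) -and (
                (($_.ActiveDirectoryRights -band $ADR::GenericAll) -ne 0) -or
                ((($_.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) -and
                 (($_.ObjectType -eq $enrollRight) -or ($_.ObjectType -eq [guid]::Empty))))
        }
        # ESC1: enrollee supplies the subject (flag 0x1), no manager approval (0x2) and no
        # authorized signatures, an authentication-capable EKU, and a broad group may enroll.
        $authCapable = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $authEkus -contains $_ })
        $esc1 = (($nameFlag -band 1) -ne 0) -and (($enrollFlag -band 2) -eq 0) -and
                ($raSigs -eq 0) -and $authCapable -and [bool]$enrollers
        [pscustomobject]@{
            Template  = [string]$t.Properties['cn'].Value
            ESC1      = $esc1
            ESC4      = [bool]$writers
            Enrollers = @($enrollers | ForEach-Object { $_.IdentityReference.Value }) -join ', '
            Writers   = @($writers   | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}
Get-RiskyCertTemplates | Where-Object { $_.ESC1 -or $_.ESC4 } | Format-Table -AutoSize
```

Any template flagged ESC4 should have its write ACEs trimmed to PKI admins, and any template flagged ESC1 should either lose "Enrollee Supplies Subject", require manager approval, or have its enrollment rights narrowed.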
Demo - Certifried (CVE-2022-26923): abuses Active Directory Certificate Services (AD CS) to request machine certificates with arbitrary attacker-controlled DNS host names. It was patched as part of Microsoft's May 2022 security updates.

- Create a machine account (testmachine) using a domain user account.
- Certipy creates the machine account and, in its dNSHostName attribute, sets the domain controller's hostname with domain.
- Request a certificate using the default Machine template.
- Requesting a certificate with the testmachine account and the modified dNSHostName causes the CA to issue a certificate for the DC (dc01.bysurvey.com).
- Take the supplied certificate (dc01.pfx), request a TGT, and then the NTLM hash.