Active Directory Certificate Services (AD CS) is a key element of encryption services on Windows domains. It enables file, email and network traffic encryption and gives organizations the ability to build a public key infrastructure (PKI) to support digital signatures and certificates. Unfortunately, as much as AD CS is designed to improve security, it is all too easy to circumvent, resulting in vulnerabilities that cyber criminals easily exploit.
A SpecterOps research report released in April 2021 identified that this could take place through 8 common misconfigurations, leading to privilege escalation on an active domain. Abuse of privileges was another common path. Further research resulted in a CVE (CVE-2022-26923, Certifried), which highlighted how an affected default template created by Microsoft could lead to elevation. As this is a relatively new attack surface, research is still ongoing.
To date, three main categories have been identified as common paths of attack.
The first of these is misconfigured templates, which then become exploitable. A misconfigured template can create a direct path for privilege elevation due to insecure settings. Through user or group membership it may also be possible to escalate privileges, which would be viewed as abuse of privileges. Changes made to a default template could also result in it being less secure.
The second common category of attack relates to web enrolment and attack chains. Most often these are implemented using NTLM relays, which enable attackers to position themselves between clients and servers to relay authentication requests. Once these requests are validated, attackers gain access to network services. An attack method that highlighted this vulnerability was PetitPotam, which results in the server believing the attacker is a legitimate and authenticated user because they’ve been able to hijack the certification process.
A third way attackers gain access to a server is through exploitable default templates. An example of this is Certifried (CVE-2022-26923), which led to further research into a template that was inherently vulnerable. In this case it’s possible for domain computers to enrol in a machine template. Domain users can create a domain computer, and any domain user can then elevate privileges.
Misconfiguration usually relates to SSL certificates valid for more than one host, system or domain. This happens when a template allows an enrollee to supply a Subject Alternative Name (SAN) for any machine or user. Therefore, if you see a SAN warning pop up, think twice before enabling it. If certificates are also being used for authentication, it can create a vulnerability that gives an attacker validated access to multiple systems or domains.
Often the first step in remediation is a careful review of privileges and settings. For example, to reduce the risk of attacks through web enrolment, it’s possible to turn web enrolment off entirely. If you do still need web enrolment, it’s possible to enable Extended Protection for Authentication (EPA) on web enrolment. This would then block NTLM relay attacks on Integrated Windows Authentication (IWA). As part of this process, be sure to disable HTTP on web enrolment and to instead use an IIS feature that uses HTTPS (TLS).
For coercion vulnerabilities, it’s best to install available patches. As these threats evolve, new patches will become available, so it’s important to keep up to date.
Certificate attacks use an entirely different attack vector and are often the result of an administrator error. This means that vulnerabilities are created when default templates are changed. Sometimes administrators are simply not aware of the security risks associated with the changes that they make. But often it’s a mistake made during a test deployment, or a custom template that is left enabled and forgotten during testing.
In an Escalation 4 (ESC4) type of attack, write privileges are obtained. These privileges are then exploited to create vulnerabilities in templates. Some of the ways that this is done are by disabling manager approvals or increasing the validity of a certificate. It can even lead to persistent elevated access, even after a manager changes their password. If this is found to be the case during an incident response, the remediation is to revoke the certificate entirely. Other forms of remediation are to conduct a security audit and to implement the principle of least privilege. It’s common for an AD CS administrator to have write privileges, but not others. It’s possible they may have been activated during testing and then not removed, but any other user or group that has write privileges should be fully investigated.
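The template conditions described above (an enrollee-supplied SAN on a certificate usable for authentication, manager approval turned off, and write privileges held by unexpected users or groups) can be checked during a security audit. The following Python is an added example, not code from the original article: it assumes template attributes have already been exported into dictionaries, and the `writers` field, the `EXPECTED_WRITERS` allow-list, the finding codes and the sample records are constructed for illustration.

```python
# Added example: flag risky certificate-template settings in exported attributes.
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",          # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",     # Smart Card Logon
    "1.3.6.1.5.2.3.4",            # PKINIT Client Authentication
    "2.5.29.37.0",                # Any Purpose
}
# Assumption: the only principals expected to hold write access to templates.
EXPECTED_WRITERS = {"Domain Admins", "Enterprise Admins"}

def audit_template(t):
    """Return a list of finding codes for one template record (a dict)."""
    findings = []
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_san = bool(t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT)
    approval = bool(t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS)
    # A template with no EKU list is not restricted to any purpose, so treat it
    # as usable for authentication.
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)
    if supplies_san and auth_capable and not approval:
        findings.append("SAN_AUTH_NO_APPROVAL")
    elif supplies_san:
        findings.append("SAN_ALLOWED_REVIEW")
    # "writers" is a hypothetical field: principals holding write ACEs, taken
    # from the template's security descriptor by whatever export tool is used.
    extra = sorted(set(t.get("writers", [])) - EXPECTED_WRITERS)
    findings.extend("UNEXPECTED_WRITE:" + p for p in extra)
    return findings

def audit_all(templates):
    """Map template name -> findings, omitting templates with none."""
    report = {t["name"]: audit_template(t) for t in templates}
    return {name: f for name, f in report.items() if f}

# Constructed sample records, not taken from a real environment.
SAMPLE = [
    {"name": "LabVpnTest", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "writers": ["Domain Admins", "Domain Users"]},
    {"name": "PartnerWeb", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "writers": ["Enterprise Admins"]},
    {"name": "Workstation", "msPKI-Certificate-Name-Flag": 0x08000000,
     "msPKI-Enrollment-Flag": 0x20, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "writers": ["Domain Admins"]},
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, found)
```

A template flagged `SAN_ALLOWED_REVIEW` still lets the requester choose the name, so it belongs on the review list even when approval is required or the EKU is not an authentication one.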
As attack methods continue to evolve, so will the means to investigate and remediate them. Becoming more familiar with how to secure PKI and which common vulnerabilities are exploited can help you know what to look out for when setting up and maintaining user privileges.