Certificate Services (AD-CS)
Last updated
Was this helpful?
Last updated
Was this helpful?
AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous. ()
In , and shared their research on AD CS and identified multiple theft, escalation and persistence vectors.
Credential theft (dubbed THEFT1 to THEFT5)
Account persistence (dubbed PERSIST1 to PERSIST3)
Domain escalation (dubbed ESC1 to ESC8)
based on
based on
related to
based on an NTLM relay vulnerability related to the
Domain persistence (dubbed DPERSIST1 to DPERSIST3)
by
by trusting rogue CA certificates
by
PKI (Public Key Infrastructure) — a system to manage certificates/public key encryption
AD CS (Active Directory Certificate Services) — Microsoft’s PKI implementation
CA (Certificate Authority) — PKI server that issues certificates
Enterprise CA — CA integrated with AD (as opposed to a standalone CA), offers certificate templates
Certificate Template — a collection of settings and policies that defines the contents of a certificate issued by an enterprise CA
CSR (Certificate Signing Request) — a message sent to a CA to request a signed certificate
EKU (Extended/Enhanced Key Usage) — one or more object identifiers (OIDs) that define how a certificate can be used
While AD CS offers attackers a wide range of exploitation and persistence scenarios, this set of services is not always installed, and when it is, it is a requirement to identify its different parts in the domain.
An initial indicator is the "Cert Publishers" built-in group whose members usually are the servers where AD CS is installed (i.e. PKI/CA).
From UNIX-like systems: rpc net group members "Cert Publishers" -U "DOMAIN"/"User"%"Password" -S "DomainController"
From Windows systems: net group "Cert Publishers" /domain
pKIEnrollmentService objectsAlternatively, information like the PKI's CA and DNS names can be gathered through LDAP.
The tool also supports multiple output types (text, json, stdout).
The different domain escalation scenarios are detailed in the following parts.
()
's module (Python) can be used to find PKI enrollment services in AD.
(Python) can be used to manually to the LDAP query.
With 's (Python), thanks to (), it is possible to gather information regarding ADCS like the name and host of the CA, the certificate templates enrollment rights for those allowing client authentication and not requiring manager approval, etc. With ntlmrelayx, these information can be gathered through a relayed LDAP session.
(Python) and (C#) can also identify the PKI enrollment services and potential attack paths.
From UNIX-like systems, the (Python) tool can be used to operate multiple attacks and enumeration operations.
Certipy also supports BloodHound. With the -old-bloodhound option, the data will be exported for the original version of . With the -bloodhound option, the data will be exported for the modified version of BloodHound, by Certipy's (default output when no flag is set).
From Windows systems, the (C#) tool can be used to operate multiple attacks and enumeration operations.
