ADCS Certified Enterprise Security Professional
Attack

This page surveys the techniques used to attack AD CS, grouped by phase, together with the threats they pose and the defensive strategies against them.


Last updated 1 year ago


Enumeration

| Technique ID | Description |
| --- | --- |
| Enumeration | Enumerate whether AD CS is present in the target environment, which certificate templates are available, and any misconfigurations. |

Local Privilege Escalation

| Technique ID | Description |
| --- | --- |
| CertPotato | Abuse virtual and network service accounts (which authenticate to the domain as the machine account) to escalate privileges to local SYSTEM. |

Theft and Collection

| Technique ID | Description |
| --- | --- |
| THEFT1 | Exporting certificates and their private keys using the Windows Crypto APIs |
| THEFT2 | Extracting user certificates and private keys using DPAPI |
| THEFT3 | Extracting computer certificates and private keys using DPAPI |
| THEFT4 | Theft of existing certificates on disk |
| THEFT5 | Using the Kerberos PKINIT protocol to retrieve a user/computer account's NTLM hash |

Local Persistence

| Technique ID | Description |
| --- | --- |
| PERSIST1 | User account persistence using new certificate requests |
| PERSIST2 | Computer account persistence using new certificate requests |
| PERSIST3 | User/computer account persistence by certificate renewal before expiration |

Domain Privilege Escalation

In Active Directory Certificate Services (AD CS), privilege escalation typically involves exploiting vulnerabilities or misconfigurations within the certificate authority (CA) structure or its deployment.

Techniques for escalation range from intercepting and modifying certificate signing requests (ESC1-3) to leveraging flaws in CA security practices or protocols (ESC4-11), such as the notable Certifried vulnerability, CVE-2022-26923.

Certifried allows an attacker to gain higher privileges within the domain by crafting malicious certificate requests.

Understanding and mitigating these vulnerabilities is crucial for maintaining a secure AD CS environment.

| Technique ID | Description |
| --- | --- |
| ESC1 | |
| ESC2 | |
| ESC3 | |
| ESC4 | |
| ESC5 | |
| ESC6 | |
| ESC7 | |
| ESC8 | |
| ESC9 | |
| ESC10 | |
| ESC11 | |
| Certifried CVE-2022-26923 | |

Domain Persistence

Domain persistence within Active Directory Certificate Services (AD CS) can be achieved through several methods that abuse certificate authority (CA) mechanisms.

Techniques include forging domain certificates with a stolen CA root certificate and private key (DPERSIST1), or with a stolen external trusted root certificate and private key after adding it to the Root or NTAuthCertificates container (DPERSIST2).

Additionally, persistence can be secured by backdooring the CA server with malicious misconfigurations, similar to those described in ESC4 (DPERSIST3).

These methods give an attacker sustained unauthorized access to the domain, maintaining a foothold within the environment without immediate detection.

| Technique ID | Description |
| --- | --- |
| DPERSIST1 | Forge ANY domain certificate using a stolen CA root certificate and private key |
| DPERSIST2 | Forge ANY domain certificate using a stolen external trusted root certificate and private key (added to the Root or NTAuthCertificates container) |
| DPERSIST3 | Backdoor the CA server using malicious misconfigurations such as ESC4 that can later be used for domain escalation |

Cloud Privilege Escalation and Persistence

| Technique ID | Description |
| --- | --- |
| Trust abuse: Enterprise CA and Azure AD Certificate-Based Authentication | A compromised Certificate Authority trusted by an Azure AD tenant enables forging certificates and impersonating any user in the target tenant. This results in privilege escalation in the tenant if the impersonated user holds administrative roles there, and in persistence for as long as the certificate does not expire. |