Attack
Explore the intricacies of the Attack AD CS in this comprehensive article. Uncover the techniques, threats, and defense strategies against this cybersecurity concern.
Last updated
Explore the intricacies of the Attack AD CS in this comprehensive article. Uncover the techniques, threats, and defense strategies against this cybersecurity concern.
Last updated
| Technique ID | Description |
|---|---|
Enumeration | Enumerate if AD CS is present in the target environment, available templates and misconfigurations. |
| Offensive Technique ID | Description |
|---|---|
CertPotato | Abuse virtual and network service accounts (authenticates as machine account in domain) to escalate privileges to local system |
| Technique ID | Description |
|---|---|
THEFT1 | Exporting certificates and their private keys using Windowβs Crypto APIs |
THEFT2 | Extracting User certificates and private keys using DPAPI |
THEFT3 | Extracting Computer certificates and private keys using DPAPI |
THEFT4 | Theft of existing certificates on disk |
THEFT5 | Using the Kerberos PKINIT protocol to retrieve a User/Computer accountβs NTLM hash |
| Technique ID | Description |
|---|---|
PERSIST1 | User account persistence using new certificate requests |
PERSIST2 | Computer account persistence using new certificate requests |
PERSIST3 | User/Computer Account persistence by certificate renewal before expiration |
In Active Directory Certificate Services (AD CS), privilege escalation typically involves exploiting vulnerabilities or misconfigurations within the certificate authority (CA) structure or its deployment.
Techniques for escalation can range from intercepting and modifying certificate signing requests (ESCs 1-3) to leveraging flaws in CA security practices or protocols (ESCs 4-11), such as the notable Certifried vulnerability CVE-2022-26923.
This particular exploit allows attackers to gain higher privileges within the domain by crafting malicious certificate requests.
Understanding and mitigating these vulnerabilities is crucial for maintaining a secure AD CS environment.
| Technique ID | Description |
|---|---|
ESC1 | |
ESC2 | |
ESC3 | |
ESC4 | |
ESC5 | |
ESC6 | |
ESC7 | |
ESC8 | |
ESC9 | |
ESC10 | |
ESC11 | |
Certifried CVE-2022-26923 |
Domain persistence within Active Directory Certificate Services (AD CS) can be achieved through several methods involving the exploitation of certificate authority (CA) mechanisms.
Techniques include forging domain certificates by obtaining stolen CA Root certificates and private keys (DPERSIST1), or by leveraging stolen external Trusted Root certificates and private keys after adding them to the root or NTAuthCA certificates container (DPERSIST2).
Additionally, persistence can be secured by backdooring the CA server utilizing malicious misconfigurations, similar to those described in ESC4 (DPERSIST3).
These methods ensure sustained unauthorized access to the domain, enabling attackers to maintain a foothold within the environment without immediate detection.
| Technique ID | Description |
|---|---|
DPERSIST1 | Forge ANY domain certificate using stolen CA Root certificate and private keys |
DPERSIST2 | Forge ANY domain certificate using stolen external Trusted Root certificate and private keys (added root/ NTAuthCAcertificates container) |
DPERSIST3 | Backdoor CA server using malicious misconfigurations like ESC4 that can later cause a domain escalation |
| Technique ID | Description |
|---|---|
Trust abuse Enterprise CA and Azure AD Certificate Based Authentication | A compromised Certificate Authority trusted by an Azure AD tenant enables forging certificates and impersonating any user in the target tenant. This results in privilege escalation to the tenant if the user has administrative roles assigned to the tenant and persistence as long as the certificate doesnβt expire. |
