Attack
Explore the intricacies of the Attack AD CS in this comprehensive article. Uncover the techniques, threats, and defense strategies against this cybersecurity concern.
Last updated
Enumeration
Enumerate if AD CS is present in the target environment, available templates and misconfigurations.
CertPotato
Abuse virtual and network service accounts (which authenticate to the domain as the machine account) to escalate privileges to local SYSTEM
THEFT1
Exporting certificates and their private keys using Windows Crypto APIs
THEFT2
Extracting User certificates and private keys using DPAPI
THEFT3
Extracting Computer certificates and private keys using DPAPI
THEFT4
Theft of existing certificates on disk
THEFT5
Using the Kerberos PKINIT protocol to retrieve a User/Computer account's NTLM hash
PERSIST1
User account persistence using new certificate requests
PERSIST2
Computer account persistence using new certificate requests
PERSIST3
User/Computer Account persistence by certificate renewal before expiration
In Active Directory Certificate Services (AD CS), privilege escalation typically involves exploiting vulnerabilities or misconfigurations within the certificate authority (CA) structure or its deployment.
Techniques for escalation can range from intercepting and modifying certificate signing requests (ESCs 1-3) to leveraging flaws in CA security practices or protocols (ESCs 4-11), such as the notable Certifried vulnerability CVE-2022-26923.
This particular exploit allows attackers to gain higher privileges within the domain by crafting malicious certificate requests.
Understanding and mitigating these vulnerabilities is crucial for maintaining a secure AD CS environment.
ESC1
ESC2
ESC3
ESC4
ESC5
ESC6
ESC7
ESC8
ESC9
ESC10
ESC11
Certifried CVE-2022-26923
Domain persistence within Active Directory Certificate Services (AD CS) can be achieved through several methods involving the exploitation of certificate authority (CA) mechanisms.
Techniques include forging domain certificates by obtaining stolen CA Root certificates and private keys (DPERSIST1), or by leveraging stolen external Trusted Root certificates and private keys after adding them to the root or NTAuthCA certificates container (DPERSIST2).
Additionally, persistence can be secured by backdooring the CA server utilizing malicious misconfigurations, similar to those described in ESC4 (DPERSIST3).
These methods ensure sustained unauthorized access to the domain, enabling attackers to maintain a foothold within the environment without immediate detection.
DPERSIST1
Forge ANY domain certificate using stolen CA Root certificate and private keys
DPERSIST2
Forge ANY domain certificate using a stolen external Trusted Root certificate and private key (after adding it to the root or NTAuthCA certificates container)
DPERSIST3
Backdoor CA server using malicious misconfigurations like ESC4 that can later cause a domain escalation
Trust abuse: Enterprise CA and Azure AD Certificate-Based Authentication
A compromised Certificate Authority trusted by an Azure AD tenant enables forging certificates and impersonating any user in the target tenant.
This results in privilege escalation to the tenant if the impersonated user has administrative roles assigned in the tenant, and persistence for as long as the certificate doesn't expire.