Canary

Active Directory Certificate Abuse

Immediate domain compromise through certificate abuse


TLDR

This Certificate Services misconfiguration Canary is considered critical because it requires no special privilege to exploit and results in compromise of the domain with a single RPC/HTTP request. This misconfiguration is commonly used by criminal actors deploying ransomware.



Technical Details


Active Directory Certificate Services issues X.509 certificates for Active Directory environments that can be used for both server and client authentication. These are the same style of certificate used for web server SSL/TLS connections.

These certificates can be used for user authentication against Domain Controllers.

Templates are used to standardize the certificate format, and these templates can be, and often are, misconfigured in ways that allow multiple exploitation scenarios.

The most common exploit scenario is a Template that is marked as usable for "Client Authentication," allows the requestor to submit a "Subject Alternate Name" in the request, and is enrollable by a large user population such as "Authenticated Users," "Domain Users," or "Domain Computers," meaning any user or computer in the environment.

By submitting a request with a "Subject Alternate Name" of a privileged account such as a Domain Administrator, the Certificate Authority will issue a signed and valid certificate for that Domain Admin account to anyone who is authorized for enrollment.

This certificate can then be used to authenticate against the Domain as that user, yielding a valid Kerberos Ticket Granting Ticket as that user. This takes a single HTTP or RPC request against the Active Directory Certificate Services Certificate Authority.


How bad is it?

No enhanced rights or privileges are required to view the configuration necessary to infer vulnerability. No enhanced rights or privileges are required to exploit this vulnerability.


How does Reveald identify this issue?

Reveald finds this vulnerability by querying the Active Directory LDAP instance to view ADCS Templates, their configuration, and who is allowed to request a certificate using those templates. The impact of this is CRITICAL: it is a single HTTP or RPC request away from total AD Domain compromise. Ransomware crews love using this because it is low effort, high reward, and an instant path to DA.


How does this need to be fixed?

Remediation requires reviewing Templates identified as vulnerable and determining which vulnerable condition to remove:

  1. Should a requestor be able to specify a Subject Alternate Name on a Template?
  2. Should the Template's Certificate Use include Client Authentication?
  3. Should the Template be enrollable by a large number of users?
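The LDAP-based check described under "How does Reveald identify this issue?" and the three questions in the remediation list above amount to one rule, shown here as an added Python example (not Reveald's own code). It does not bind to LDAP; the template records are constructed dicts shaped like the relevant LDAP attributes (msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage, msPKI-Enrollment-Flag, and enrollment ACEs already parsed out of the security descriptor), and it also treats a manager-approval requirement as a mitigating setting, which the page does not list.

```python
# Documented msPKI-* flag bits, EKU OIDs and extended-right GUIDs the check reads.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester sets SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: manager approval required
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
ENROLL_RIGHTS = {
    "0e10c968-78fb-11d2-90d4-00c04f79dc55",  # Certificate-Enrollment
    "a05b8cc2-17bc-4802-a710-e7c15ab866a2",  # Certificate-AutoEnrollment
}
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
BROAD_RIDS = {513, 515}               # Domain Users, Domain Computers


def allows_client_auth(ekus):
    # An empty pKIExtendedKeyUsage means the certificate is usable for any purpose.
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def is_broad_principal(sid):
    if sid in BROAD_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and int(sid.rsplit("-", 1)[1]) in BROAD_RIDS


def is_esc1_vulnerable(t):
    """All three conditions from the remediation list hold and no approval gate is set."""
    supplies_san = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    broad_enroll = any(a["right"] in ENROLL_RIGHTS and is_broad_principal(a["sid"])
                       for a in t["enroll_aces"])
    needs_approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    return (supplies_san and allows_client_auth(t["pKIExtendedKeyUsage"])
            and broad_enroll and not needs_approval)


def audit(templates):
    """Return the names of templates that match the pattern described above."""
    return [t["cn"] for t in templates if is_esc1_vulnerable(t)]


ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
SAMPLE_TEMPLATES = [  # constructed records, not data from a real domain
    {"cn": "VPNUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_aces": [{"sid": "S-1-5-21-1-2-3-513", "right": ENROLL}]},   # Domain Users
    {"cn": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],                        # Server Auth only
     "enroll_aces": [{"sid": "S-1-5-11", "right": ENROLL}]},
    {"cn": "ApprovedSAN", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": [], "enroll_aces": [{"sid": "S-1-1-0", "right": ENROLL}]},
]
```

Only VPNUser is reported: WebServer lacks a client-authentication EKU and ApprovedSAN is gated by manager approval, so each answers one of the three questions in the safe direction.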


Tim McGuffin | Adversarial Cartographer
