Active Directory Certificate Services (ADCS)

Active Directory Certificate Services (AD CS) is Microsoft's PKI implementation. It was initially launched in 2000 as part of Windows and has since been renamed and enhanced.


What is a certificate?

To better understand certificates, please check this post first. Once you're caught up on what a certificate is, let's move on to the next point.

What can a certificate do?

Certificates in Active Directory enable 4 distinct processes:

  • Certificate-based Authentication.

  • Secure (Encrypted) Protocol Communication.

  • Smart Card Authentication.

  • Signing Certificates (Code, E-mails, etc.).

How do certificates work?

The main attribute that ties a certificate to an object is the certificate's SAN (Subject Alternative Name). If the SAN is set to the UPN of user X, the certificate grants access as X.

ADCS Components

The primary components that make up AD CS are:

  • Certificate Authority (CA).

  • Web Enrollment Services.

  • Certificate Templates.

  • Network Device Enrollment Services.

  • Responder Services.

  • Policy Definitions.

From an Offensive Security Perspective

For security professionals, AD CS presents unique opportunities:

1. Reconnaissance

  • Certificate templates exposed via LDAP queries

  • CA configurations accessible to authenticated users

  • Web endpoints for certificate enrollment often available

2. Common Vulnerabilities

  • ESC1: Vulnerable template allowing SAN specification

  • ESC2: Template permits domain authentication with user-supplied subject

  • ESC3: Template allows enrollment by low-privileged users

  • ESC4: CA allows SAN in web enrollment requests

  • ESC6: Certificate templates with ENROLLEE_SUPPLIES_SUBJECT flag

  • ESC8: NTLM relay to AD CS HTTP endpoints

  • ESC9: Template with no security extension (as seen in "Certified")

  • ESC10: Misconfigured template ACLs enabling privilege escalation
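As an added example (not code from the original post), the following audit applies the conditions listed above to certificate-template attributes as a defender would read them over LDAP from the Certificate Templates container: it flags templates where the enrollee supplies the subject/SAN, the issued certificate can authenticate to AD, and no manager approval or authorized signature gates the request. The template records, flag values and template names below are constructed sample data; the enrollment ACL still has to be checked separately.

```python
# Added example: audit template attributes (msPKI-Certificate-Name-Flag,
# msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) for the
# enrollee-supplied-SAN + authentication-EKU + no-approval combination.
# Only the two flag bits this check needs are defined here.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002  # CA manager approval required
# EKU OIDs that let a certificate authenticate to Active Directory.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
SAMPLE_TEMPLATES = [  # constructed records; attribute names match the AD schema
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0x82000000,
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    {"cn": "WebServer", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
    {"cn": "VPN-Legacy", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"cn": "Agent-Approved", "msPKI-Certificate-Name-Flag": 0x1,
     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": []},
]

def allows_authentication(ekus):
    # An empty pKIExtendedKeyUsage means "any purpose", which also authenticates.
    return not ekus or bool(AUTH_EKUS & set(ekus))

def audit_template(t):
    """Return the findings for one template record (empty list if clean)."""
    findings = []
    name_flag = t.get("msPKI-Certificate-Name-Flag", 0)
    if not name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return findings
    findings.append("enrollee supplies subject/SAN")
    # Either gate (manager approval or a required RA signature) blocks a
    # self-service request, so it is not an ESC1 candidate on its own.
    gated = (t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
             or t.get("msPKI-RA-Signature", 0) > 0)
    if allows_authentication(t.get("pKIExtendedKeyUsage", [])) and not gated:
        findings.append("ESC1 candidate: restrict enrollment ACL or require approval")
    return findings

def audit(templates):
    """Map template name -> findings, listing only templates that have any."""
    return {t["cn"]: f for t in templates if (f := audit_template(t))}
```

Running `audit(SAMPLE_TEMPLATES)` flags WebServer only for the supplied subject (no authentication EKU), Agent-Approved only for the supplied subject (approval gate), and VPN-Legacy as the one ESC1 candidate.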

3. Attack Techniques

  • Certificate Theft: Stealing existing certificates from compromised hosts

  • Shadow Credentials: Technique to add certificate-based credentials

  • Certificate Request Forgery: Requesting certificates with elevated privileges

  • NTLM Relay to AD CS: Capturing and relaying authentication to certificate services

  • UPN Manipulation: Changing a user's UPN before requesting certificates

  • Persistence: Long-validity certificates provide stealthy persistence
