Exploiting ADCS Vulnerabilities: A Living Off the Land Approach


Introduction

Active Directory Certificate Services (ADCS) is a critical component of Windows environments, but misconfigurations can lead to severe security risks. Attackers often exploit vulnerabilities like ESC1-ESC4 and ESC15 using native tools such as certutil, certreq, and the Certificate MMC. This article explores these techniques, including leveraging client authentication certificates for lateral movement via WinRM.

Learning Objectives

  • Understand common ADCS vulnerabilities (ESC1-ESC4, ESC15).
  • Learn how to abuse `certutil` and `certreq` for certificate theft.
  • Use native Windows APIs for post-exploitation lateral movement.

You Should Know

1. Enumerating ADCS Misconfigurations with Certipy

Command:

certipy find -u user@domain -p password -dc-ip <DC_IP>

Step-by-Step Guide:

  1. Run the command to identify vulnerable certificate templates.
  2. Check for overly permissive settings (e.g., `ENROLLEE_SUPPLIES_SUBJECT`).
  3. Use the output to plan exploitation (e.g., ESC1 allows SAN spoofing).

2. Requesting a Malicious Certificate with Certreq

Command:

certreq -submit -config <CA_SERVER>\<CA_NAME> .\malicious_request.inf

Step-by-Step Guide:

  1. Craft a `.inf` file with a spoofed Subject Alternative Name (SAN).
  2. Submit the request to the vulnerable CA.
  3. Retrieve the issued certificate for impersonation.

3. Exporting Certificates with Certutil

Command:

certutil -exportPFX -p <PASSWORD> My <OUTPUT.pfx>

Step-by-Step Guide:

  1. Locate the stolen certificate in the user’s store.
  2. Export it to a PFX file for later use.
  3. Use the PFX with tools like Rubeus for Kerberos attacks.

4. Authenticating via WinRM Using Certificates

Command:

$cred = Get-Credential -Message "Select cert"; Enter-PSSession -ComputerName <TARGET> -Credential $cred

Step-by-Step Guide:

  1. Load the stolen certificate into the Personal store.
  2. Use `Get-Credential` to select it interactively.
  3. Pass the credential to `Enter-PSSession` for lateral movement.

5. Mitigating ESC1-ESC4 Vulnerabilities

Command (GPO):

Set-CertificateTemplatePermission -Template <VULN_TEMPLATE> -Deny Enroll -Group "Authenticated Users"

Step-by-Step Guide:

  1. Restrict enrollment permissions on vulnerable templates.
  2. Disable SAN modifications for non-administrators.
  3. Monitor CA logs for suspicious enrollment attempts.
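The template check from section 1 (`ENROLLEE_SUPPLIES_SUBJECT` plus an authentication EKU, no approval, no signatures, broad enrollment rights) and the first two mitigation steps above, as an added audit example that is not part of the original post or of Certipy. The template records are constructed samples shaped like `pKICertificateTemplate` LDAP attributes; `enroll_principals` is an assumed, pre-parsed stand-in for the Enroll ACEs in `nTSecurityDescriptor`.

```python
# Template records below are constructed samples shaped like pKICertificateTemplate LDAP
# attributes; "enroll_principals" stands in for the Enroll ACEs of nTSecurityDescriptor.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)

# EKUs usable for authentication: client auth, smart card logon, PKINIT client auth, any purpose.
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0"}
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def esc1_findings(t):
    """Return the ESC1 preconditions a template meets; all five together make it ESC1."""
    found = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        found.append("enrollee supplies subject/SAN")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list permits any purpose
        found.append("authentication EKU")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        found.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        found.append("no authorized signature required")
    if set(t["enroll_principals"]) & BROAD_PRINCIPALS:
        found.append("broad enrollment rights")
    return found


def is_esc1(t):
    return len(esc1_findings(t)) == 5


def harden(t):
    """Template-level fixes from the mitigation steps: drop broad Enroll rights, stop SAN supply."""
    fixed = dict(t)
    fixed["enroll_principals"] = [p for p in t["enroll_principals"] if p not in BROAD_PRINCIPALS]
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return fixed


SAMPLE_TEMPLATES = {  # constructed records, not exported from any real domain
    "VulnUser": {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
                 "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
                 "enroll_principals": ["Domain Users", "Domain Admins"]},
    "StandardUser": {"msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
                     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
                     "enroll_principals": ["Domain Users"]},
    "ApprovedWeb": {"msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
                    "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
                    "enroll_principals": ["Authenticated Users"]},
}

if __name__ == "__main__":
    for name, t in SAMPLE_TEMPLATES.items():
        print(f"{name}: {'ESC1' if is_esc1(t) else 'ok'} {esc1_findings(t)}")
```

Feeding real template objects (for example from `Get-ADObject` against the Configuration partition) only requires parsing the security descriptor into the `enroll_principals` list.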

What Undercode Says

  • Key Takeaway 1: ADCS exploits often require no custom tools, making them stealthy and hard to detect.
  • Key Takeaway 2: Native cmdlets like `Get-Credential` can weaponize stolen certificates without triggering EDR.

Analysis:

ADCS vulnerabilities are pervasive in enterprise networks due to complex configurations. Red teams leverage “living off the land” tactics to blend in, while defenders must audit certificate templates and enforce least-privilege principles. Future attacks may target cloud-integrated CAs, expanding the attack surface. Proactive hardening and certificate transparency logs are critical to mitigating risks.

Prediction

As ADCS adoption grows in hybrid environments, exploitation techniques will evolve to target cloud-based PKI services. Automated tools like Certipy will integrate deeper with offensive frameworks, while defenders will rely on AI-driven anomaly detection to flag malicious enrollments.

Reported By: Giulio Pierantoni – Hackers Feeds