The AD-RTS Blueprint: Mastering Active Directory Certificate Services for Elite Red Teaming


Introduction:

Active Directory Certificate Services (AD CS) has emerged as a critical attack vector in modern corporate networks, moving beyond traditional Kerberos delegation attacks. The AD-RTS certification highlights advanced techniques for exploiting misconfigured certificate templates to gain unauthorized domain dominance, a method that often bypasses conventional defenses.

Learning Objectives:

  • Understand the core components of Active Directory Certificate Services and common security misconfigurations.
  • Learn to enumerate vulnerable certificate templates and request fraudulent certificates.
  • Master the process of forging Kerberos tickets from acquired certificates to achieve privilege escalation.

You Should Know:

1. Enumerating AD CS with Certify

The first step in an AD CS attack is discovering available certificate authorities and templates. Certify is a powerful C# tool for this reconnaissance.

Command:

Certify.exe find /vulnerable

Step-by-step guide:

This command queries the Active Directory for certificate authorities and their associated templates, filtering for those with weak security settings. Execute it from a context with any domain user privileges. The `/vulnerable` flag specifically highlights templates that allow enrollment by the current user and have settings enabling privilege escalation, such as `ENROLLEE_SUPPLIES_SUBJECT` or overly permissive authentication rights. The output will list CA servers, template names, and the specific misconfigurations that make them exploitable.

2. Requesting a Certificate with CertReq

Once a vulnerable template is identified, you can request a certificate using the built-in Windows CertReq utility.

Command:

CertReq.exe -submit -config "CA-SERVER\CA-NAME" -attrib "CertificateTemplate:TEMPLATE-NAME" request.req cert.cer

Step-by-step guide:

This command submits a certificate request to a specific Certificate Authority (CA). First, create a `request.req` file containing a Certificate Signing Request (CSR). The `-config` parameter specifies the target CA server and its name. If the template allows the enrollee to supply a subject alternative name (SAN), you can specify a high-privilege account like `administrator` in the CSR, which is the core of the exploit. A successful request returns a `cert.cer` file.

3. Converting Certificates to PFX Format with Rubeus

Acquired certificates often need to be converted into a format usable for authentication. Rubeus can handle this conversion and subsequent ticket forging.

Command:

Rubeus.exe asktgt /user:administrator /certificate:cert.cer /password:Pass123! /ptt

Step-by-step guide:

This Rubeus command performs multiple actions. It takes the `cert.cer` file, converts it to a PFX format (protected by the specified password, e.g., Pass123!), and uses it to request a Ticket-Granting-Ticket (TGT) for the `/user` (e.g., administrator). The `/ptt` (Pass-The-Ticket) flag is crucial as it injects the resulting Kerberos ticket directly into the current session, granting you the privileges of the forged account immediately.

4. Exploiting ESC1 with Manual OpenSSL Commands

A template vulnerable to ESC1 allows client authentication and lets the enrollee specify the SAN. Here’s how to craft the request manually.

Commands:

# Generate a private key
openssl genrsa -out user.key 2048
# Create a CSR, specifying the SAN as a domain admin
openssl req -new -key user.key -out user.req -subj "/CN=User" -addext "subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]"
# Convert the CER to PFX after receiving it from the CA
openssl pkcs12 -export -in cert.cer -inkey user.key -out cert.pfx -passout pass:Pass123!

Step-by-step guide:

This process gives you full control over the certificate request. Using OpenSSL, you generate a new private key and create a CSR. The critical step is the `-addext` flag, which adds the SAN field, allowing you to impersonate the administrator. After submitting `user.req` to the CA and receiving `cert.cer`, you combine them into a PFX file with a password. This `cert.pfx` can then be used with Rubeus to obtain a TGT.
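As an added detection example (not part of the original post), here is the check a CA administrator can run over issued-certificate records to catch the pattern from sections 2 and 4: the CA database records which account submitted each request, so a certificate whose SAN UPN (or subject) names a different principal than its requester is the ESC1 signature. The records below are constructed for this example and their field names are this example's own.

```python
# Constructed records for this example: each one pairs what the CA database
# keeps about a request (request ID and requester account) with the identities
# found in the certificate it issued (subject CN and any UPN in the SAN).
SAMPLE_ISSUED = [
    {"request_id": 101, "requester": "DOMAIN\\jsmith",
     "subject_cn": "jsmith", "san_upn": "jsmith@domain.com"},
    {"request_id": 102, "requester": "DOMAIN\\jsmith",
     "subject_cn": "User", "san_upn": "administrator@domain.com"},
    {"request_id": 103, "requester": "DOMAIN\\DC01$",
     "subject_cn": "DC01.domain.com", "san_upn": None},
]

def normalise_account(name: str) -> str:
    """Reduce 'DOMAIN\\jsmith', 'jsmith@domain.com', 'DC01$' and
    'DC01.domain.com' to one comparable form: the short name, lower-case,
    without domain prefix/suffix or the trailing '$' of a machine account."""
    short = name.split("\\")[-1]
    if "@" in short:
        short = short.split("@")[0]   # UPN: keep the whole user part
    else:
        short = short.split(".")[0]   # FQDN: keep the host label only
    return short.rstrip("$").lower()

def certificate_identity(record: dict) -> str:
    """The principal the certificate authenticates as: the SAN UPN wins over
    the subject CN, because that is the field AD maps the certificate with."""
    return normalise_account(record["san_upn"] or record["subject_cn"])

def find_mismatched_issuance(records: list) -> list:
    """Return an alert for every certificate that names a principal other than
    the account that requested it. A machine account requesting a certificate
    for its own FQDN (DC01$ -> DC01.domain.com) is treated as a match."""
    alerts = []
    for rec in records:
        requester = normalise_account(rec["requester"])
        identity = certificate_identity(rec)
        if identity != requester:
            alerts.append({"request_id": rec["request_id"],
                           "requester": rec["requester"],
                           "impersonated": identity})
    return alerts

if __name__ == "__main__":
    for alert in find_mismatched_issuance(SAMPLE_ISSUED):
        print(f"request {alert['request_id']}: {alert['requester']} obtained a "
              f"certificate for '{alert['impersonated']}'")
```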

5. Enumerating with PowerShell and AD Module

For testers with the RSAT AD tools installed, PowerShell provides a native way to enumerate AD CS.

Command:

Get-ADObject -LDAPFilter "(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2)))" -SearchBase "CN=Configuration,DC=domain,DC=com" | Select-Object Name, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-Private-Key-Flag, msPKI-Cert-Template-OID

Step-by-step guide:

This PowerShell command queries the Active Directory configuration partition for all certificate templates. The LDAP filter excludes disabled templates. The selected properties are key for analysis: `msPKI-Enrollment-Flag` indicates if client authentication is enabled, and `msPKI-Certificate-Name-Flag` shows if the subject can be supplied by the requester. Correlating these flags helps identify templates equivalent to ESC1 and ESC2.

6. Auditing with PSPKIAudit

PSPKIAudit is a PowerShell module designed to audit AD CS for known misconfigurations comprehensively.

Command:

Invoke-PKIAudit -DomainController DC01.domain.com -Caname DOMAIN-CA

Step-by-step guide:

This command runs a full audit of the PKI environment. It requires credentials for a domain user. The tool automatically enumerates all CAs and templates, checking them against a known list of security weaknesses (ESC1-ESC8). It produces a clear report detailing which vulnerabilities are present, the affected templates, and often provides a risk score, making it an efficient tool for both attackers and defenders to assess the security posture of AD CS.

7. Mitigation: Hardening Certificate Templates

The primary defense is to secure certificate templates. This is done through the `certtmpl.msc` console.

Step-by-step guide:

1. Open `certtmpl.msc` to view all templates.

2. Right-click a template and select Properties.

3. On the Security tab, ensure that only authorized groups (e.g., a specific “Certificate Users” group) have the Enroll permission. Remove Enroll from “Authenticated Users” or “Domain Users.”

4. On the Issuance Requirements tab, consider requiring manager approval for sensitive templates.

5. On the Subject Name tab, ensure “Supply in the request” is disabled for high-value templates, forcing the subject to be built from AD information.

Apply these changes to all templates that allow for client authentication.
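An added check, not from the original post, that turns the template flags from section 5 and the hardening steps just listed into a test a defender can run over exported template attributes: a template is ESC1 only when it lets the requester supply the subject, carries a client-authentication EKU (read from `pKIExtendedKeyUsage`), requires neither manager approval nor an authorized signature, and grants Enroll to a low-privilege principal. Attribute names match AD's; `enroll_allowed` is this example's own field for the principals holding Enroll in the template ACL, and the three templates are constructed.

```python
# Bit values of the msPKI-* template attributes (MS-CRTD) and the EKU OIDs
# that let a certificate authenticate a principal to Active Directory.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users",
                       "Domain Computers", "Everyone"}

def esc1_findings(template: dict) -> list:
    """Return every ESC1 condition the template meets, or [] unless all five
    hold. Keys mirror the AD attribute names; "enroll_allowed" is this
    example's own field listing the principals granted Enroll in the ACL."""
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    weak_enrollers = set(template.get("enroll_allowed", [])) & LOW_PRIV_PRINCIPALS
    reasons = []
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("requester supplies the subject/SAN")
    if not ekus or ekus & CLIENT_AUTH_EKUS:   # an empty EKU list means any purpose
        reasons.append("usable for client authentication")
    if not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if template.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signature required")
    if weak_enrollers:
        reasons.append("Enroll granted to " + ", ".join(sorted(weak_enrollers)))
    return reasons if len(reasons) == 5 else []

# Constructed templates: AFTER is BEFORE with the hardening steps above applied.
BEFORE = {"name": "UserSupplied", "msPKI-Certificate-Name-Flag": 0x1,
          "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
          "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
          "enroll_allowed": ["Domain Users", "Domain Admins"]}
AFTER = {**BEFORE, "msPKI-Certificate-Name-Flag": 0x0,
         "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
         "enroll_allowed": ["Certificate Users"]}
WEB = {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1,
       "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],   # Server Authentication only
       "enroll_allowed": ["Domain Users"]}

if __name__ == "__main__":
    for tpl in (BEFORE, AFTER, WEB):
        found = esc1_findings(tpl)
        print(tpl["name"], "->", "; ".join(found) if found else "not ESC1")
```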

What Undercode Say:

  • The Perimeter is Dead, the PKI is the New Castle Wall. AD CS, often overlooked in traditional security models, provides a direct path to domain compromise. Red teams must pivot their focus from pure Kerberos abuse to PKI exploitation, as it offers a stealthier and highly effective alternative.
  • Certificates are the New Kerberos Golden Tickets. A stolen certificate or the ability to request one with high privileges is equivalent to possessing a Golden Ticket. The persistence offered by a long-lived certificate that can be used to generate TGTs on-demand is a game-changer for attackers, demanding a paradigm shift in defensive monitoring and hardening strategies. The AD-RTS certification’s focus on this technique validates its critical importance in the current threat landscape, pushing offensive security professionals to master this subtle yet powerful art.

Prediction:

The exploitation of AD CS will become the dominant method for lateral movement and privilege escalation in mature Windows environments over the next 18-24 months. As organizations continue to harden against classic Kerberos-based attacks like Golden Ticket and Kerberoasting, threat actors will increasingly pivot to the less-monitored and often misconfigured PKI infrastructure. This will lead to a surge in incidents stemming from fraudulent certificate usage, forcing a massive industry-wide investment in PKI auditing, certificate lifecycle management, and EDR solutions capable of deep certificate inspection.

Reported By: Andres Felipe – Hackers Feeds