Full Report
Misconfigurations in Active Directory Certificate Services (ADCS) can introduce critical vulnerabilities into an Enterprise Active Directory environment, such as paths of escalation from low-privileged accounts to domain administrator. The post Abusing Active Directory Certificate Services (Part 2) appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: ESC4 (Certificate Template Vulnerability) using Certipy
## Overview
This summary details the Active Directory Certificate Services (ADCS) escalation technique known as ESC4, which exploits misconfigurations in certificate templates allowing low-privileged users to gain Domain Administrator privileges. The primary tool demonstrated for executing this attack is **Certipy**. ESC4 occurs when a certificate template is writable by non-administrator accounts, enabling them to modify template properties to facilitate certificate requests on behalf of high-privilege accounts.
## Technical Details
- Type: Technique / Tool (Certipy)
- Platform: Windows Active Directory Environment
- Capabilities:
  * **Certipy**: Modifying certificate templates (`template` command), requesting malicious certificates (`req` command), and extracting credentials (`auth` command).
  * **ESC4**: Exploiting permissions (`Write Owner Principals`, `Write Property Principals`) on certificate templates to introduce configurations that allow impersonation of high-privilege users (e.g., Domain Admins) via forged certificates.
- First Seen: The related ADCS abuse techniques (ESC series) have been known since at least 2021, notably detailed in SpecterOps research.
## MITRE ATT&CK Mapping
- **TA0004 - Privilege Escalation**
  - T1136 - Create Account
  - T1136.001 - Active Directory Object Privilege Abuse (Specific context for modifying templates)
- **TA0008 - Lateral Movement**
  - T1078 - Valid Accounts
  - T1078.003 - Local or Domain Accounts (Used after obtaining DA credentials/hash)
*(Note: While the primary goal is Privilege Escalation, the exploitation leverages object modification rights within AD, often detailed under privilege abuse/account manipulation tactics.)*
## Functionality
### Core Capabilities
1. **Template Identification and Modification**: A compromised user enumerates ADCS configurations and identifies a template (e.g., `ESC4Certificate_FOOBAR`) where the `Domain Users` group has `Write Owner Principals` or `Write Property Principals` permissions.
2. **Template Alteration**: Using `certipy template`, the attacker modifies the vulnerable template's properties to meet the conditions for targeted certificate issuance (e.g., setting `Client Authentication: True`, `Enabled: True`, `Enrollee Supplies Subject: True`, `Requires Management Approval: False`).
3. **Certificate Request**: The attacker requests a certificate using the modified template, often specifying the User Principal Name (`-upn`) or Security Identifier (`-sid`) of the high-privilege target (e.g., a Domain Admin).
### Advanced Features
1. **Credential Extraction**: After obtaining a forged certificate (PFX file), the `certipy auth` command is used to extract the credential hash and Kerberos ticket associated with the target high-privilege account, enabling full impersonation.
2. **Template Reversion**: The tool provides functionality to save the original template configuration (`-save-old`) and restore it upon attack completion, aiding in stealth and preventing immediate detection of the modification.
3. **SID Workaround**: The tool can handle post-patch environments by allowing the attacker to explicitly provide the target's SID if an initial UPN-based request yields an error, indicating security updates requiring precise SID mapping.
## Indicators of Compromise
- File Hashes: Not specified in the article description for the specific exploitation instance.
- File Names: `ESC4Certificate_FOOBAR.json` (for saved template configuration).
- Registry Keys: Not specified.
- Network Indicators:
  * Command targeting a Domain Controller IP (`-dc-ip` argument). (IP examples were redacted, e.g., `10.10.1.100`)
  * Target Certificate Authority address (e.g., `foobar-CA.foobar.com`).
- Behavioral Indicators:
  * Creation or modification of an AD Certificate Template object by a non-service account.
  * Certificate enrollment requests using templates configured for client authentication that allow subject name substitution.
  * Execution of Certipy commands, specifically the `template` command with write actions, followed by `req` targeting a high-value principal.
## Associated Threat Actors
The article does not explicitly name threat actors associated with this specific proof of concept, but these ADCS abuse techniques are widely known in penetration testing and advanced persistent threat (APT) communities.
## Detection Methods
- Signature-based detection: Signatures targeting the execution pattern of Certipy or specific command-line arguments related to template manipulation.
- Behavioral detection: Monitoring Active Directory audit logs (especially Directory Service logs) for programmatic modification of `pKIEnrollmentServicePolicy` permissions or changes to `CertificateTemplate` objects by standard domain users.
- YARA rules if available: Not provided.
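The behavioral detection above relies on Directory Service Changes auditing. The following PowerShell is an added example, not code from the article or from Certipy: it parses a Security event 5136 ("A directory service object was modified") and flags edits to `pKICertificateTemplate` objects, with extra weight on the attributes that drive the ESC4 conditions named in the Functionality section (`msPKI-Certificate-Name-Flag` for Enrollee Supplies Subject, `msPKI-Enrollment-Flag` for management approval, `pKIExtendedKeyUsage` for Client Authentication, and the security descriptor itself). The sample event, the `FOOBAR` domain and the `pki-admin` account are constructed for this example; the `%%14674`/`%%14675` operation-type codes are Windows' "Value Added"/"Value Deleted" resolvers. Event 5136 is only written when "Audit Directory Service Changes" is enabled and a SACL exists on the Certificate Templates container, so verify that prerequisite before relying on this.

```powershell
# Added example (not from the article): triage 5136 events for certificate template edits.
$templatesSuffix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'

# Accounts expected to edit templates; anything else is flagged. Assumed name.
$expectedEditors = @('FOOBAR\pki-admin')

# Attributes whose modification sets up the ESC4 conditions described in the write-up.
$highRiskAttributes = @(
    'msPKI-Certificate-Name-Flag',   # Enrollee Supplies Subject
    'msPKI-Enrollment-Flag',         # Requires Management Approval
    'pKIExtendedKeyUsage',           # Client Authentication EKU
    'nTSecurityDescriptor'           # template ACL / owner
)

function Get-TemplateChangeFromEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Flatten <Data Name="...">value</Data> pairs into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ObjectClass'] -ne 'pKICertificateTemplate') { return $null }
    if ($data['ObjectDN'] -notlike "*,$templatesSuffix,*") { return $null }

    $operation = switch ($data['OperationType']) {
        '%%14674' { 'ValueAdded' }
        '%%14675' { 'ValueDeleted' }
        default   { $_ }
    }
    $subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    $attr    = $data['AttributeLDAPDisplayName']

    $severity = 'Info'
    if ($expectedEditors -notcontains $subject) { $severity = 'Medium' }
    if ($highRiskAttributes -contains $attr)    { $severity = 'High' }

    [pscustomobject]@{
        Time      = $EventXml.Event.System.TimeCreated.SystemTime
        Subject   = $subject
        Template  = (($data['ObjectDN'] -split ',')[0] -replace '^CN=', '')
        Attribute = $attr
        Value     = $data['AttributeValue']
        Operation = $operation
        Severity  = $severity
    }
}

# Constructed sample event: a standard user sets the Enrollee Supplies Subject bit (0x1)
# on the template named in the article. Only the fields this function reads are included.
$sampleEvent = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2024-01-01T12:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">lowpriv</Data>
    <Data Name="SubjectDomainName">FOOBAR</Data>
    <Data Name="ObjectDN">CN=ESC4Certificate_FOOBAR,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=foobar,DC=com</Data>
    <Data Name="ObjectClass">pKICertificateTemplate</Data>
    <Data Name="AttributeLDAPDisplayName">msPKI-Certificate-Name-Flag</Data>
    <Data Name="AttributeValue">1</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
"@

Get-TemplateChangeFromEvent -EventXml ([xml]$sampleEvent) | Format-List

# Live use on a domain controller (same function, real events):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
#       ForEach-Object { Get-TemplateChangeFromEvent -EventXml ([xml]$_.ToXml()) } |
#       Where-Object { $_ -and $_.Severity -ne 'Info' }
```

Because a 5136 event is emitted per attribute value, a single `certipy template` run produces a burst of these records for one template within seconds; correlating on `Subject` and `Template` over a short window gives a much stronger signal than any one event. The reversion described under "Template Reversion" shows up as a second burst that deletes the values just added, so a template that is changed and restored by the same non-admin account within minutes is itself worth an alert.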
## Mitigation Strategies
1. **Template Restriction**: Audit and disable all unnecessary certificate templates.
2. **Principle of Least Privilege**: Ensure security permissions on certificate templates are as restrictive as possible. Only grant necessary groups/users enrollment permissions. Crucially, only grant necessary groups the rights to modify template properties (Owner, WriteOwnerPrincipals, WritePropertyPrincipals, WriteDaclPrincipals).
3. **Issuance Requirements**: Modify the template Issuance Requirements to mandate manual approval for any issued certificate, even if enrollment is permitted.
4. **Patch Deployment**: Apply relevant Microsoft security patches addressing ADCS vulnerabilities (e.g., KB patch mentioned for SID mismatch issues).
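To audit the permissions called out in mitigation 2, the following PowerShell is an added example (not from the article or Certipy). It reads each template object under the Certificate Templates container of the Configuration partition and reports any ACE that grants a broad principal a right sufficient to edit the template, its owner or its ACL, plus any template whose owner is a broad principal. It assumes the RSAT `ActiveDirectory` module and read access to the Configuration partition; the list of "broad" principals is an assumption to tune for the environment.

```powershell
# Added example (not from the article): find templates that meet the ESC4 precondition.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Principals that should never be able to edit a template. Assumed list; extend as needed.
$broadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers', 'Users')

# Rights that allow changing the template or taking control of it (Owner / DACL / properties).
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'

function Get-Esc4TemplateFinding {
    Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        $template = $_
        $sd       = $template.nTSecurityDescriptor
        $owner    = [string]$sd.Owner

        # Ownership alone is enough: the owner can rewrite the DACL and then the template.
        if ($broadPrincipals -contains ($owner -replace '^.*\\', '')) {
            [pscustomobject]@{
                Template  = $template.Name
                Principal = $owner
                Rights    = 'Owner'
                Scope     = 'object'
            }
        }

        foreach ($ace in $sd.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $principal = $ace.IdentityReference.Value -replace '^.*\\', ''
            if ($broadPrincipals -notcontains $principal) { continue }

            $held = $ace.ActiveDirectoryRights -band $writeRights
            if ([int]$held -eq 0) { continue }

            [pscustomobject]@{
                Template  = $template.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $held
                # An empty ObjectType means a WriteProperty ACE covers every attribute;
                # a specific GUID limits it to one attribute or property set.
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'all attributes' } else { $ace.ObjectType.ToString() }
            }
        }
    }
}

Get-Esc4TemplateFinding | Sort-Object Template, Principal | Format-Table -AutoSize
```

Review every row against the template's purpose: enrollment rights for `Domain Users` are normal on many templates and are deliberately not reported here, whereas any write, owner or DACL right for such a group is what makes the template editable by a low-privileged account. Where the finding is a property-scoped ACE, check which attribute the GUID refers to before dismissing it, since write access to only `msPKI-Certificate-Name-Flag` or `pKIExtendedKeyUsage` is still enough to set up the conditions described above. Rerun the audit after any change to the Certificate Templates container, and pair it with the 5136 monitoring from the Detection Methods section so that a newly granted right is noticed when it is granted rather than at the next scheduled review.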
## Related Tools/Techniques
- ESC1 (ADCS Enumeration/Exploitation)
- PKINITtools
- PyWhisker
- Certi
- Impacket (Can often be used for similar credential harvesting post-exploitation)
- Certify (Another tool for ADCS abuse)