# Full Report

Alyssa Snow

In PART ONE and PART TWO of this blog series, we discussed common misconfigurations of Active Directory certificate templates. In this post, we will walk through exploitation […] The post Abusing Active Directory Certificate Services (Part 3) appeared first on Black Hills Information Security, Inc.

# Analysis Summary
# Tool/Technique: Abusing Active Directory Certificate Services (ADCS) Web Enrollment for NTLM Relay (ESC8)
## Overview
This technique, known as ESC8 in the ADCS abuse taxonomy, targets an Active Directory Certificate Authority (CA) on which Web Enrollment is enabled and configured to issue certificates. An attacker coerces a victim machine or user into authenticating to an attacker-controlled host, captures the victim's NTLM authentication exchange (the challenge/response, loosely called the "hash"), and relays it to the CA's HTTP endpoint (`/certsrv/certfnsh.asp`) to request a certificate in the victim's name. That certificate can then be used to authenticate as the victim, including to recover the victim's NTLM hash.
## Technical Details
- Type: Technique (Exploitation of ADCS Misconfiguration)
- Platform: Windows Active Directory Environment (targeting Certificate Authority and Domain Member machines)
- Capabilities: Certificate issuance via NTLM relay to the ADCS HTTP endpoint, leveraging existing template permissions.
- First Seen: Not specified, though related to ongoing ADCS exploitation research.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Indirectly, by using the relayed credentials to obtain further hashes)
- TA0008 - Lateral Movement
- T1558 - Steal or Forge Kerberos Tickets
- T1558.003 - NTLM Relaying
- TA0010 - Exfiltration (If the final goal is to gain access/data)
## Functionality
### Core Capabilities
- **Certificate Enumeration:** Using tools like **Certipy** (`certipy find -enabled`) to identify accessible and enabled certificate templates.
- **Vulnerability Identification (ESC8):** Identifying CAs where Web Enrollment is enabled and the Certificate Request Disposition is set to "Issue."
- **NTLM Relay:** Capturing NTLM hashes from coerced authentications and immediately relaying them to the ADCS HTTP endpoint.
### Advanced Features
- **Targeted Certificate Request:** Specifying the exact certificate template (e.g., 'DomainComputers') that the victim account/machine has permission to enroll for, ensuring the relay succeeds.
- **Coercion:** Utilizing external tools (like **Coercer**, **ADCSPwn**, or **PetitPotam**) to exploit vulnerabilities (like unpatched CVE-2021-36942 via LSARPC OpenEncryptedFileRaw) to force machine accounts to authenticate to the attacker's host.
## Indicators of Compromise
- File Hashes: [N/A - Tool-specific, see associated tools below]
- File Names: [N/A - Focus is on network activity and process behavior]
- Registry Keys: [Not specified]
- Network Indicators:
  - ADCS HTTP Endpoint (hostname placeholder): `http://<CA_HOSTNAME>/certsrv/certfnsh.asp`
  - NTLM authentication to the ADCS endpoint that originates from an attacker relay host rather than from the machine the authenticating account belongs to.
- Behavioral Indicators:
  - Execution of enumeration tools like `certipy find`.
  - Execution of coercion tools like `coercer coerce`.
  - Relay tools (**Certipy relay** or **ntlmrelayx.py**) sending NTLM negotiation/authentication messages to the CA on behalf of a third party.
## Associated Threat Actors
- Not explicitly named for ESC8 specifically; the technique is part of the common post-exploitation tradecraft used by a range of sophisticated threat actors targeting Windows environments.
## Detection Methods
- Signature-based detection: [Not specified for the technique itself]
- Behavioral detection: Monitor for anomalous NTLM authentications to the ADCS Web Enrollment endpoint, in particular an internal host authenticating as an account (especially a machine account) that does not belong to it, which is what a relay looks like from the CA's side.
- YARA rules: [Not specified]
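One way to turn the behavioral indicators and the detection guidance above into a concrete check, as an added example that is not from the Black Hills post, Certipy or Impacket: the CA's Web Enrollment site is an IIS application, so its W3C access log records the authenticated account (`cs-username`) and the client address (`c-ip`) for every request to `/certsrv/`. In a relay, the account is the coerced victim while the address is the relay host, so the script below flags two relay-shaped patterns: a machine account authenticating from an address that is not that computer's own, and a single client address authenticating as several distinct accounts within a short window. The log lines are constructed sample data, `KNOWN_HOSTS` is an assumed account-to-address mapping you would fill from DNS or DHCP, and the window and account-count thresholds are assumptions to tune for your environment.

```python
"""Flag relay-shaped NTLM logons at an ADCS Web Enrollment endpoint (ESC8)
from IIS W3C access logs. Example code; sample data and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt from a CA's Web Enrollment site (not real data).
# Raw string so that the DOMAIN\user backslashes survive untouched.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.5 POST /certsrv/certfnsh.asp - 80 - 10.0.0.77 Mozilla/5.0 401 2 5 12
2024-05-01 10:00:01 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\FILESRV01$ 10.0.0.77 Mozilla/5.0 200 0 0 240
2024-05-01 10:00:20 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\jdoe 10.0.0.77 Mozilla/5.0 200 0 0 230
2024-05-01 10:00:45 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\DC01$ 10.0.0.77 Mozilla/5.0 200 0 0 250
2024-05-01 10:05:00 10.0.0.5 GET /certsrv/ - 80 CORP\asmith 10.0.0.120 Mozilla/5.0 200 0 0 30
2024-05-01 10:06:00 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\WKS042$ 10.0.0.42 Mozilla/5.0 200 0 0 210
"""

# Assumed mapping of machine accounts to the address each computer actually uses
# (in a real deployment: built from DNS A records or DHCP leases).
KNOWN_HOSTS = {"FILESRV01$": "10.0.0.31", "DC01$": "10.0.0.10", "WKS042$": "10.0.0.42"}


def parse_iis_log(text):
    """Parse W3C-format lines into dicts keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def account_name(cs_username):
    """'CORP\\jdoe' -> 'JDOE'. IIS logs '-' when the request was not authenticated."""
    return cs_username.split("\\")[-1].upper()


def find_esc8_indicators(records, known_hosts, window=timedelta(minutes=5), min_accounts=2):
    """Return findings for successful, authenticated requests under /certsrv/."""
    findings = []
    by_source = defaultdict(list)
    for rec in records:
        if not rec["cs-uri-stem"].lower().startswith("/certsrv/"):
            continue
        # The 401 with '-' is the normal NTLM negotiation leg; only completed logons matter.
        if rec["cs-username"] == "-" or rec["sc-status"] != "200":
            continue
        acct = account_name(rec["cs-username"])
        src = rec["c-ip"]
        by_source[src].append((rec["timestamp"], acct))
        # Pattern 1: a computer account logging on from an address that is not that computer.
        expected = known_hosts.get(acct)
        if acct.endswith("$") and expected is not None and expected != src:
            findings.append({"kind": "machine_account_from_foreign_ip", "account": acct,
                             "source": src, "expected": expected, "time": rec["timestamp"]})
    # Pattern 2: one client address presenting several different identities in a short window.
    for src, events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            accts = {a for t, a in events[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                findings.append({"kind": "multi_account_single_source", "source": src,
                                 "accounts": sorted(accts), "time": t0})
                break  # one finding per source address is enough
    return findings


if __name__ == "__main__":
    for finding in find_esc8_indicators(parse_iis_log(SAMPLE_LOG), KNOWN_HOSTS):
        print(finding)
```

Run against the sample, the script reports `FILESRV01$` and `DC01$` logging on from `10.0.0.77` instead of their own addresses, and `10.0.0.77` authenticating as three different accounts within 44 seconds; `WKS042$` from its own address and the single interactive user from `10.0.0.120` produce nothing. The same two checks can be pointed at Security event 4624 on the CA (logon type 3, NTLM, with the source address field) if the IIS log is not centrally collected.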
## Mitigation Strategies
- **Disable Web Enrollment:** If not strictly required, disable HTTP-based certificate interfaces on CAs.
- **Patching:** Ensure systems are patched against known coercion vulnerabilities (e.g., CVE-2021-36942) to prevent forced authentication via RPC interfaces like LSARPC (MS-EFSRPC).
- **Restrict NTLM/SMB Relay:** Implement network controls or configurations (like signing/encryption requirements) that block NTLM relay opportunities on the network segment or target hosts.
- **Certificate Template Auditing:** Regularly review and restrict permissions on certificate templates, ensuring only necessary principals can enroll, and disabling templates where Request Disposition is set to "Issue" unless strictly necessary.
## Related Tools/Techniques
- **Certipy:** Tool used for ADCS enumeration and relay execution.
- **Impacket (ntlmrelayx.py):** Alternative tool for performing the NTLM relay to the ADCS endpoint.
- **Coercer, ADCSPwn, PetitPotam:** Tools used for coercing victim authentication via RPC/LSARPC.
- **CVE-2021-36942:** Vulnerability sometimes abused to initiate the initial machine authentication needed for the relay.