Full Report
Start this blog series from the beginning here: PART 1. Misconfigurations in Active Directory Certificate Services (ADCS) can introduce critical vulnerabilities into an Enterprise environment. In this article, we will […] The post Abusing Active Directory Certificate Services (Part 4) appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Certipy for ADCS Escalation (ESC2 & ESC3)
## Overview
This summary details the use of the **Certipy** tool to exploit misconfigurations within Active Directory Certificate Services (ADCS), specifically targeting privilege escalation techniques known as **ESC2** and **ESC3**. These techniques rely on overly permissive certificate enrollment rights or flawed Extended Key Usage (EKU) configurations on certificate templates.
## Technical Details
- Type: Tool / Technique
- Platform: Windows Active Directory Environment
- Capabilities: Enumerating ADCS configurations, low-privilege certificate enrollment, forging certificates on behalf of other users (including Domain Admins), and performing subsequent certificate signing attacks.
- First Seen: N/A (Focus is on exploitation techniques documented in related research, utilizing the tool Certipy).
## MITRE ATT&CK Mapping
This summary focuses on techniques related to credential access and privilege escalation using compromised credentials or misconfigurations:
- **TA0004 - Privilege Escalation**
- **T1136 - Create Account** (Related if new accounts are targeted or created indirectly)
- **T1558 - Steal or Forge Kerberos Tickets** (Relevant when possessing forged certificates allows for authentication)
- **TA0006 - Credential Access**
- **T1558.003 - Steal/Forge Kerberos Tickets: Azure Token** (While focused on AD, the principle of forging valid proof holds)
- **TA0001 - Initial Access** (Prerequisite: attacker already has a foothold/low-privilege account)
*(Note: Direct, specific technique mappings for ESC2/ESC3 are often found under the broader umbrella of AD attacks, like T1608 - Stage Capabilities or related to token impersonation/forging.)*
## Functionality
### Core Capabilities
1. **ADCS Enumeration:** Identifying certificate templates that meet the criteria for exploitation using `certipy find`.
2. **Certificate Request (Initial):** Requesting a certificate for a low-privilege user based on vulnerable template settings (e.g., `certipy-ad req -u <user> ...`).
3. **Certificate Request (On-Behalf-Of):** Using an already acquired PFX certificate (often obtained via ESC2) to request a new certificate for a high-privilege target (e.g., Domain Admin) using the `-on-behalf-of` flag.
### Advanced Features
- **ESC2 Exploitation:** Targeting templates configured with **Any Purpose EKU** or no EKU, where enrollment rights are permissive, and "Signatures Required" is 0. This allows the attacker to obtain a certificate they can use to sign subsequent certificates.
- **ESC3 Exploitation:** Targeting templates configured with the **Certificate Request Agent EKU**, allowing the enrollee to request a certificate specifically on behalf of another domain object.
## Indicators of Compromise
The primary IOCs relate to tool execution and abnormal ADCS activity rather than persistent files:
- File Hashes: N/A (Tool execution only)
- File Names: `bspears.pfx` (Example derived from successful certificate request for signing)
- Registry Keys: N/A
- Network Indicators: Communication directed toward the configured Domain Controller IP (`10.10.0.10` in example) and the Certificate Authority server (`dc01.foobar.com` in example).
- Behavioral Indicators:
* Certificate requests made by low-privilege accounts for templates they should not be able to use for escalation.
* Successful issuance of certificates signed by the low-privilege user's prior certificate (for ESC2).
* **Event ID 4886:** Request for certificate.
* **Event ID 4887:** Certificate issued.
* **Event ID 4768:** Request for Kerberos ticket (TGT) using the newly forged certificate.
## Associated Threat Actors
The article does not explicitly name threat actors currently utilizing this specific *Certipy* workflow, but ADCS abuse is a known technique leveraged by advanced persistent threats (APTs).
## Detection Methods
Detection relies heavily on monitoring the Certificate Authority logs and the Kerberos authentication events on the domain controllers:
- Signature-based detection: Of limited value against custom tool execution unless signatures target specific commands or known endpoints.
- Behavioral detection: Monitoring for the specific command-line arguments or sequences used by Certipy.
- YARA rules: N/A (Tool execution)
- **Key Logs to Monitor:** Windows Security Event IDs 4886, 4887, and 4768, looking for sequences indicating a low-privilege user attempting to obtain an administrative identity certificate.
## Mitigation Strategies
- Prevention measures: Audit and restrict enrollment permissions on all certificate templates.
- Hardening recommendations:
* Ensure templates explicitly define necessary **Extended Key Usage (EKU)** descriptors. Avoid **Any Purpose**.
* Only enable **Certificate Request Agent EKU** on templates where administrative review/approval is mandatory (`Requires Management Approval: True`).
* Apply the principle of least privilege to enrollment rights on CAs and templates, requiring administrative authorization where necessary.
* Require manual administrative approval for certificate requests wherever possible (`Signatures Required: > 0` or `Requires Management Approval: True`), and document any exception.
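As an added example (not code from the BHIS post or from Certipy), the script below implements both the detection sequence from the Detection Methods section (events 4886, 4887 and 4768 correlated so that a low-privilege enrollment in a dangerous template, an issuance for a privileged subject, and the following certificate logon show up as one chain) and the template checks from the hardening list above. The event records, the template inventory with its field names (`ekus`, `signatures_required`, `manager_approval`, `low_priv_enroll`), the `FOOBAR` domain and the privileged-account list are all constructed; in a real deployment they come from the Security log with Certification Authority auditing enabled and from the CA/AD template configuration.

```python
"""Defender-side checks for the ESC2/ESC3 pattern: event correlation plus a
template audit. Added example; all inputs below are constructed."""
from datetime import datetime, timedelta

ANY_PURPOSE_EKU = "2.5.29.37.0"
REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
PKINIT_PREAUTH = 16  # 4768 Pre-Authentication Type 16 = PA-PK-AS-REQ (certificate)

# Constructed template inventory; field names are assumptions for this example.
TEMPLATES = {
    "User": {"ekus": [CLIENT_AUTH_EKU], "signatures_required": 0,
             "manager_approval": False, "low_priv_enroll": True},
    "AnyPurposeTpl": {"ekus": [ANY_PURPOSE_EKU], "signatures_required": 0,
                      "manager_approval": False, "low_priv_enroll": True},
    "EnrollAgentTpl": {"ekus": [REQUEST_AGENT_EKU], "signatures_required": 0,
                       "manager_approval": False, "low_priv_enroll": True},
    "EnrollAgentHardened": {"ekus": [REQUEST_AGENT_EKU], "signatures_required": 1,
                            "manager_approval": True, "low_priv_enroll": False},
}
PRIVILEGED = {"FOOBAR\\administrator"}  # constructed

# Constructed events modelled on Security log IDs 4886 / 4887 / 4768.
SAMPLE_EVENTS = [
    {"id": 4886, "time": "2024-01-10T10:00:00", "requester": "FOOBAR\\bspears",
     "template": "AnyPurposeTpl"},
    {"id": 4887, "time": "2024-01-10T10:00:02", "requester": "FOOBAR\\bspears",
     "template": "AnyPurposeTpl", "subject": "CN=bspears,CN=Users,DC=foobar,DC=com"},
    {"id": 4887, "time": "2024-01-10T10:03:00", "requester": "FOOBAR\\bspears",
     "template": "User", "subject": "CN=administrator,CN=Users,DC=foobar,DC=com"},
    {"id": 4768, "time": "2024-01-10T10:04:00", "account": "FOOBAR\\administrator",
     "preauth_type": PKINIT_PREAUTH},
    {"id": 4887, "time": "2024-01-10T11:00:00", "requester": "FOOBAR\\alice",
     "template": "User", "subject": "CN=alice,CN=Users,DC=foobar,DC=com"},
]


def template_risk(ekus):
    """Classify an EKU set by the escalation class it enables, or None."""
    if not ekus or ANY_PURPOSE_EKU in ekus:
        return "ESC2"  # Any Purpose / no EKU: certificate usable for anything
    if REQUEST_AGENT_EKU in ekus:
        return "ESC3"  # Certificate Request Agent: can enroll on behalf of others
    return None


def audit_templates(templates):
    """Return (name, risk) for risky templates lacking approval, signatures,
    or enrollment restrictions, per the hardening guidance."""
    findings = []
    for name, t in templates.items():
        risk = template_risk(t["ekus"])
        guarded = (t["manager_approval"] or t["signatures_required"] > 0
                   or not t["low_priv_enroll"])
        if risk and not guarded:
            findings.append((name, risk))
    return sorted(findings)


def subject_account(subject_dn):
    """First CN of a subject DN, lower-cased (constructed subject-to-account mapping)."""
    for part in subject_dn.split(","):
        if part.strip().upper().startswith("CN="):
            return part.strip()[3:].lower()
    return ""


def sam_name(account):
    """Strip the DOMAIN\\ prefix and lower-case the account name."""
    return account.split("\\")[-1].lower()


def detect(events, templates=TEMPLATES, privileged=PRIVILEGED,
           window=timedelta(minutes=30)):
    """Return alert dicts in event-time order."""
    alerts, obo_issuances = [], []  # obo_issuances: (time, privileged subject)
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] in (4886, 4887):
            t = templates.get(ev["template"])  # unknown template: skip, don't guess
            risk = template_risk(t["ekus"]) if t else None
            if risk and ev["requester"] not in privileged:
                stage = "request" if ev["id"] == 4886 else "issued"
                alerts.append({"rule": f"{risk.lower()}-template-{stage}",
                               "account": ev["requester"], "template": ev["template"]})
        if ev["id"] == 4887:
            subj = subject_account(ev["subject"])
            if subj != sam_name(ev["requester"]) and any(sam_name(p) == subj for p in privileged):
                alerts.append({"rule": "on-behalf-of-privileged",
                               "account": ev["requester"], "subject": subj})
                obo_issuances.append((when, subj))
        if ev["id"] == 4768 and ev.get("preauth_type") == PKINIT_PREAUTH:
            acct = sam_name(ev["account"])
            if any(acct == s and when - t <= window for t, s in obo_issuances):
                alerts.append({"rule": "pkinit-after-obo-cert", "account": ev["account"]})
    return alerts


if __name__ == "__main__":
    print("template findings:", audit_templates(TEMPLATES))
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Unknown templates are deliberately skipped rather than treated as "no EKU", because a missing inventory entry would otherwise be reported as ESC2; the subject-to-account mapping by first CN is a simplification, and a production version would resolve the subject or the UPN SAN against AD.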
## Related Tools/Techniques
- PSPKAudit
- PKINITtools
- PyWhisker
- Certi
- Impacket
- Certify