Full Report
The goal of this blog post is to present a privilege escalation I found while working on ADCS. We will see how it is possible to elevate our privileges to NT AUTHORITY\SYSTEM from virtual and network service accounts of a domain-joined machine (for example from a webshell on a Windows server) using ADCS. I want to call this attack chain “CertPotato” as homage to other *Potato tools and as a way to better remember it.
Analysis Summary
# Tool/Technique: CertPotato (Privilege Escalation Chain)
## Overview
CertPotato is a named attack chain designed to achieve privilege escalation to `NT AUTHORITY\SYSTEM` from low-privileged, domain-joined service accounts (such as `NT AUTHORITY\NetworkService` or Virtual Accounts like those used by IIS) utilizing flaws or misconfigurations within Active Directory Certificate Services (ADCS). It presents an alternative to the "Delegate 2 Thyself" technique involving RBCD.
## Technical Details
- Type: Technique/Attack Chain (Leveraging ADCS vulnerabilities/misconfigurations)
- Platform: Windows (Requires a domain-joined machine with ADCS infrastructure present)
- Capabilities: Elevate privileges from a virtual or network service account context to `NT AUTHORITY\SYSTEM` locally.
- First Seen: November 2022
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation
- T1068 - Exploitation for Privilege Escalation (General mapping, specific technique highly depends on the exact ADCS misuse, often involving Kerberos/Certificate Abuse)
- TA0008 - Lateral Movement (Implied usage of compromised credentials/tickets)
- T1558 - Steal or Forge Kerberos Tickets
- T1558.004 - Kerberoasting (Similar concepts apply to exploiting trust relationships)
*(Note: The specific ADCS mechanism leveraged is not fully detailed but involves abusing certificate template rights, certificate requests, and PKINIT authentication or TGT delegation trickery.)*
## Functionality
### Core Capabilities
- Exploits misconfigurations within the Active Directory Certificate Services (ADCS) infrastructure.
- Achieves privilege escalation to `NT AUTHORITY\SYSTEM` on the compromised host.
- Starts from code execution as a service account (`NetworkService`, Virtual Accounts) on an already compromised host (e.g., via a webshell).
- Leverages properties of obtained certificates, specifically Extended Key Usages (EKU) compatible with PKINIT authentication (e.g., Client Authentication, PKINIT Client Authentication).
### Advanced Features
- Structurally analogous to the "Delegate 2 Thyself" technique, but reaches the same outcome through ADCS interaction rather than a direct RBCD exploitation pathway.
- Involves Kerberos asymmetric authentication (PKINIT) which requires specific certificate EKUs.
## Indicators of Compromise
- File Hashes: N/A (This is a conceptual attack chain, not a specific piece of malware; tools like Rubeus or Certipy might be used in execution.)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Interaction with the Certification Authority (CA) server IP/hostname.
  - Generation of Kerberos events (e.g., Event ID 4768 on the DC for TGT requests/delegation).
- Behavioral Indicators:
  - Certificate requests made by the compromised service account to the CA.
  - Successful PKINIT authentication attempts against domain controllers or other Kerberos targets, indicated by specific Kerberos activity.
  - Windows Events on the CA server (e.g., 4886, 4887) related to certificate issuance or template usage.
## Associated Threat Actors
- The summary does not explicitly link CertPotato to known threat actors, as it describes a novel technique/chain discovered during research.
## Detection Methods
- Signature-based detection: Not applicable for a conceptual technique chain unless specific, identifiable custom tooling is used.
- Behavioral detection:
  - Monitoring for unusual certificate requests originating from service accounts that typically do not request or use certificates for cryptographic purposes.
  - Monitoring for Event ID 4768 (Kerberos Ticket Granting Ticket request) logs showing requests authenticated via certificate (PKINIT) by low-privileged accounts.
  - Monitoring CA server logs (4886/4887) for template usage that implies privilege escalation attempts.
- YARA rules: N/A
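As an added detection example (not code from the original post or from any tool it names), the following Python correlates a CA issuance event (4887) with a later 4768 for the same principal whose Pre-Authentication Type is 16 or 17, the values Microsoft documents for certificate-based (PKINIT) AS-REQ handling. The event records, field names and the one-hour window are constructed assumptions; real event XML would first need to be parsed into these fields.

```python
from datetime import datetime, timedelta

# Pre-Authentication Type values that mark a certificate-based AS-REQ in event 4768
# (16 = PA-PK-AS-REQ, 17 = PA-PK-AS-REP, per Microsoft's 4768 documentation).
PKINIT_PREAUTH_TYPES = {"16", "17"}

# Constructed, simplified event records (not real logs). Only the fields the
# correlation needs are kept; real 4887/4768 events carry many more.
SAMPLE_EVENTS = [
    {"id": 4886, "time": "2022-11-10T09:00:01", "requester": "LAB\\WEB01$", "template": "Machine"},
    {"id": 4887, "time": "2022-11-10T09:00:02", "requester": "LAB\\WEB01$", "template": "Machine"},
    {"id": 4768, "time": "2022-11-10T09:00:40", "account": "WEB01$", "preauth": "16"},
    {"id": 4768, "time": "2022-11-10T08:59:00", "account": "alice", "preauth": "2"},
    {"id": 4768, "time": "2022-11-10T10:30:00", "account": "WEB01$", "preauth": "2"},
    {"id": 4768, "time": "2022-11-11T09:00:40", "account": "WEB01$", "preauth": "16"},
]

def principal(name: str) -> str:
    """Normalise 'DOMAIN\\name' or 'name' to an upper-case sAMAccountName."""
    return name.rsplit("\\", 1)[-1].upper()

def is_pkinit_tgt_request(event: dict) -> bool:
    """True for a 4768 whose pre-authentication was certificate-based."""
    return event["id"] == 4768 and event.get("preauth") in PKINIT_PREAUTH_TYPES

def find_pkinit_after_issuance(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Return one alert per PKINIT TGT request that follows, within `window`,
    a certificate issued (4887) to the same principal."""
    issued = {}  # principal -> list of (issue_time, template)
    for ev in events:
        if ev["id"] == 4887:
            issued.setdefault(principal(ev["requester"]), []).append(
                (datetime.fromisoformat(ev["time"]), ev.get("template", "?")))
    alerts = []
    for ev in events:
        if not is_pkinit_tgt_request(ev):
            continue
        who, when = principal(ev["account"]), datetime.fromisoformat(ev["time"])
        for issue_time, template in issued.get(who, []):
            if timedelta(0) <= when - issue_time <= window:
                alerts.append({"account": who, "template": template,
                               "issued": issue_time.isoformat(), "tgt": when.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_pkinit_after_issuance(SAMPLE_EVENTS):
        print("PKINIT TGT request shortly after certificate issuance:", alert)
```

Tuning the window and excluding principals that legitimately enroll and authenticate with certificates (e.g., machines with autoenrollment) keeps the alert volume manageable.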
## Mitigation Strategies
- **Fix Initial Access Vulnerability:** Patch/fix the vulnerability allowing code execution (e.g., webshell deployment) as a service account.
- **Use Managed Service Accounts:** Transition service accounts to Group Managed Service Accounts (gMSA) or Standalone Managed Service Accounts (sMSA). Since these are domain accounts, compromise requires domain credentials/TGTs, potentially raising the bar compared to compromised local virtual accounts.
- **Restrict ADCS Permissions:** Ensure that certificate templates do not grant excessive permissions like the ability to request certificates usable for Client/PKINIT Authentication unless strictly necessary and tied to appropriate principals.
- **Restrict Service Account Privileges:** Ensure service accounts (especially virtual accounts) have highly restrictive permissions on the local machine and within the domain to limit pivot potential if compromised.
## Related Tools/Techniques
- Delegate 2 Thyself (Technique using RBCD for similar privilege escalation goal).
- Rubeus (Tool often used in Kerberos abuse, including TGT delegation tricks).
- Certipy (Tool mentioned as related context for ADCS interaction).
- Certify (Tool mentioned as related context for ADCS interaction).
- PKINITtools (Tools for interacting with PKINIT).