Full Report
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact, I can’t recall an internal I’ve done in the past two or more years that didn’t feature ADCS abuse in some manner or another.
Analysis Summary
# Tool/Technique: Abuse of Active Directory Certificate Services (AD CS)
## Overview
The abuse of Active Directory Certificate Services (AD CS) is a prevalent set of techniques used during internal network assessments to rapidly gain high-privileged access within an Active Directory domain by exploiting misconfigurations related to certificate issuance and authentication. This process often culminates in gaining domain administrator context.
## Technical Details
- Type: Technique (Leveraging system misuse)
- Platform: Windows Active Directory Environments (Domain Controllers, CAs)
- Capabilities: Issuing unauthorized X.509 certificates, leveraging issued certificates for Kerberos authentication (PKINIT), and certificate-based impersonation (Pass-the-Cert).
- First Seen: The underlying concepts have been documented for years; modern tooling gained popularity around the release of the associated whitepapers (e.g., 2019 onwards).
## MITRE ATT&CK Mapping
- TA0005 - Privilege Escalation
- T1134 - Access Token Manipulation (Related to gaining higher privileges via impersonation)
- TA0006 - Credential Access
- T1558 - Steal or Forge Kerberos Tickets
- T1558.004 - Kerberos Tickets: PKINIT Authentication (Directly related to certificate-based ticket requests)
- TA0008 - Lateral Movement
- T1021 - Remote Services
- T1021.003 - Remote Desktop Protocol (Often the access gained post-compromise)
- TA0011 - Command and Control (If C2 traffic is authenticated via forged credentials)
## Functionality
### Core Capabilities
- **Certificate Request & Issuance:** Exploiting misconfigurations (e.g., vulnerable certificate templates) to compel the Certificate Authority (CA) to issue an X.509 certificate to an attacker-controlled identity.
- **PKINIT Authentication:** Using the issued certificate to request a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) in Active Directory, often leading to Domain Administrator access.
- **Error Diagnosis:** Utilizing advanced debugging and understanding of the AD CS request sequence and PKINIT process to troubleshoot common errors like `KDC_ERR_INCONSISTENT_KEY_PURPOSE`, `KDC_ERR_CLIENT_NOT_TRUSTED`, and `KDC_ERR_PADATA_TYPE_NOSUPP`.
### Advanced Features
- **Pass-the-Cert Attack:** Using an obtained certificate to authenticate directly to a Domain Controller's LDAPS service rather than through PKINIT. This works when the service validates only that the certificate's Subject Alternative Name (SAN) maps to a valid domain account, and it requires the DC to hold a Domain Controller or Domain Controller Authentication certificate (even an invalid one).
- **Remote/Proxied Operations:** Ability to perform complex, multi-step certificate abuse operations across VPNs or SOCKS proxies.
## Indicators of Compromise
- File Hashes: N/A (Focus is on configuration and protocol abuse)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Connections to the CA server's `\pipe\cert` RPC endpoint. LDAP/LDAPS connections to Domain Controllers using certificate authentication.
- Behavioral Indicators: Unanticipated certificate issuance requests from low-privilege users; Kerberos TGT requests failing specifically with PKINIT errors.
## Associated Threat Actors
The techniques derived from AD CS abuse (like those detailed in associated whitepapers) are widely used by:
- Red Team Operators
- Internal Penetration Testers
- Advanced Persistent Threat (APT) groups leveraging established AD compromise methodologies.
## Detection Methods
- Signature-based detection: Specific application signatures for tools like Certify or certipy within the environment.
- Behavioral detection: Monitoring for unusual certificate request patterns aimed at high-privilege templates or certificate enrollment submissions over non-standard communication paths. Monitoring DC event logs for certificate validation failures related to PKINIT.
- YARA rules if available: N/A (Technique-focused, not malware-focused)
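The behavioral detection above, PKINIT validation failures on the DC followed by a certificate-based TGT for an account that never used one, can be expressed over Windows Security event 4768 (Kerberos authentication ticket requested). The following is an added example for this summary, not code from the original report or from any of the tools it names. It uses the real 4768 field names (Account Name, Client Address, Pre-Authentication Type, Result Code, Certificate Thumbprint) and the RFC 4120 / RFC 4556 error codes as they appear in hex in the Result Code field, but the pipe-delimited record format, the sample events, the host addresses and the `smartcard_accounts` baseline are all constructed for the example.

```python
"""Triage of constructed 4768 (TGT request) records for PKINIT activity.

Added example. Field names follow the 4768 event schema; the one-line
key=value|key=value record format and the sample events are constructed.
"""
from collections import defaultdict

# Pre-Authentication Type 16 = PA-PK-AS-REQ: the client authenticated with a
# certificate (PKINIT). Type 2 (PA-ENC-TIMESTAMP) is the normal password case.
PA_PK_AS_REQ = 16

# KDC error codes (RFC 4120 / RFC 4556) written as the 4768 "Result Code" hex value.
KDC_ERRORS = {
    0x10: "KDC_ERR_PADATA_TYPE_NOSUPP",
    0x3E: "KDC_ERR_CLIENT_NOT_TRUSTED",
    0x42: "KDC_ERR_CERTIFICATE_MISMATCH",
    0x46: "KDC_ERR_CANT_VERIFY_CERTIFICATE",
    0x47: "KDC_ERR_INVALID_CERTIFICATE",
    0x48: "KDC_ERR_REVOKED_CERTIFICATE",
    0x4B: "KDC_ERR_CLIENT_NAME_MISMATCH",
    0x4D: "KDC_ERR_INCONSISTENT_KEY_PURPOSE",
}
# 0x10 is also returned for non-PKINIT reasons, so it only counts when the
# request itself carried PA-PK-AS-REQ; the RFC 4556 codes are PKINIT-specific.
PKINIT_ONLY_ERRORS = set(KDC_ERRORS) - {0x10}

# Constructed sample: one normal password logon, one known smart-card user, then a
# low-privilege account failing three PKINIT attempts from one host before a
# certificate-based TGT for a privileged account is issued to the same host.
SAMPLE_4768 = """\
Account Name=alice|Client Address=::ffff:10.0.0.5|Pre-Authentication Type=2|Result Code=0x0|Certificate Thumbprint=
Account Name=carol|Client Address=::ffff:10.0.0.7|Pre-Authentication Type=16|Result Code=0x0|Certificate Thumbprint=AA11
Account Name=bob|Client Address=::ffff:10.0.0.50|Pre-Authentication Type=16|Result Code=0x4D|Certificate Thumbprint=
Account Name=bob|Client Address=::ffff:10.0.0.50|Pre-Authentication Type=16|Result Code=0x10|Certificate Thumbprint=
Account Name=bob|Client Address=::ffff:10.0.0.50|Pre-Authentication Type=16|Result Code=0x3E|Certificate Thumbprint=
Account Name=administrator|Client Address=::ffff:10.0.0.50|Pre-Authentication Type=16|Result Code=0x0|Certificate Thumbprint=BB22
"""


def parse_events(text):
    """Parse the constructed record format into normalized dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append({
            "account": fields["Account Name"].lower(),
            "client": fields["Client Address"].replace("::ffff:", ""),
            "pa_type": int(fields["Pre-Authentication Type"]),
            "result": int(fields["Result Code"], 16),
            "thumbprint": fields["Certificate Thumbprint"],
        })
    return events


def pkinit_failures_by_client(events):
    """Map client address -> list of PKINIT-related KDC error names, in log order."""
    failures = defaultdict(list)
    for ev in events:
        pkinit_request_failed = ev["pa_type"] == PA_PK_AS_REQ and ev["result"] != 0
        if ev["result"] in PKINIT_ONLY_ERRORS or pkinit_request_failed:
            failures[ev["client"]].append(KDC_ERRORS.get(ev["result"], hex(ev["result"])))
    return dict(failures)


def unexpected_pkinit_logons(events, smartcard_accounts):
    """Accounts that received a certificate-based TGT but have no PKINIT baseline."""
    return sorted({
        ev["account"] for ev in events
        if ev["result"] == 0 and ev["pa_type"] == PA_PK_AS_REQ
        and ev["account"] not in smartcard_accounts
    })


def triage(text, smartcard_accounts, failure_threshold=3):
    """Return human-readable findings for the two behaviours worth alerting on."""
    events = parse_events(text)
    findings = []
    for client, errors in pkinit_failures_by_client(events).items():
        if len(errors) >= failure_threshold:
            names = ", ".join(sorted(set(errors)))
            findings.append(f"{client}: {len(errors)} PKINIT failures ({names})")
    for account in unexpected_pkinit_logons(events, smartcard_accounts):
        findings.append(f"{account}: certificate-based TGT issued to an account with no PKINIT baseline")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_4768, smartcard_accounts={"carol"}):
        print(finding)
```

The baseline of accounts expected to use PKINIT (smart-card users, in the sample only `carol`) is what turns the second check from noise into a signal; in an environment without smart cards, any successful PA-PK-AS-REQ logon is worth a look.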
## Mitigation Strategies
- **Principle of Least Privilege:** Ensure only necessary accounts have permissions to request certificates on specific templates.
- **Secure Template Configuration:** Configure certificate templates strictly. Ensure that templates used for authentication are correctly configured regarding Enhanced Key Usage (EKU) settings and required protections.
- **Audit CA Security:** Ensure CAs do not issue certificates to unauthorized principals.
- **Monitor for PKINIT Errors:** Establish alerts for frequent `KDC_ERR_INCONSISTENT_KEY_PURPOSE` or `KDC_ERR_PADATA_TYPE_NOSUPP` messages, as these often indicate an active adversary attempting certificate abuse.
- **Domain Controller Certificate Management:** Ensure Domain Controllers have current, valid, and trusted Domain Controller or Domain Controller Authentication certificates to mitigate Pass-the-Cert against LDAPS.
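The "Secure Template Configuration" and "Principle of Least Privilege" items above come down to one question per template: can a broadly enrollable principal obtain an authentication-capable certificate while choosing the identity it carries? The audit below is an added example for this summary, not code from the original report, from Certify or from Certipy. The attribute names and flag values are the real AD schema ones (`msPKI-Certificate-Name-Flag` bit `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`, `msPKI-Enrollment-Flag` bit `CT_FLAG_PEND_ALL_REQUESTS`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`); the template records and their `enroll` principal lists are constructed stand-ins for what a real audit would read from the Certificate Templates container and each template's security descriptor.

```python
"""Audit certificate templates for the misconfiguration combination that lets a
requester pick the identity in an authentication certificate.

Added example. Flag bits, OIDs and attribute names are the AD CS schema values;
the TEMPLATES list is constructed sample data, not read from a directory.
"""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: manager approval

# EKUs that make an issued certificate acceptable for domain authentication.
AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Principals whose enrollment right means "effectively any domain account".
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

# Constructed sample templates. "User" mirrors the built-in template's shape (subject
# built from AD, so the requester cannot choose it); the other three are invented.
TEMPLATES = [
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "VPN-Access", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
    {"name": "WebServer-Custom", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll": ["Domain Admins"]},
    {"name": "Admin-Issued-Auth", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Users"]},
]

# Every condition must hold for the template to be dangerous; each one on its own is
# a legitimate setting, and fixing any single one closes the path.
RISK_CONDITIONS = (
    ("enrollee supplies subject/SAN",
     lambda t: bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)),
    ("usable for authentication",
     # An empty EKU list means no restriction, which also permits authentication.
     lambda t: not t["pKIExtendedKeyUsage"] or bool(set(t["pKIExtendedKeyUsage"]) & AUTHENTICATION_EKUS)),
    ("no manager approval",
     lambda t: not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
    ("no authorized signature required",
     lambda t: t["msPKI-RA-Signature"] == 0),
    ("enrollable by a broad group",
     lambda t: bool(set(t["enroll"]) & BROAD_PRINCIPALS)),
)


def risk_conditions_met(template):
    """List the risk conditions a single template satisfies."""
    return [label for label, check in RISK_CONDITIONS if check(template)]


def audit(templates):
    """Return {template name: conditions} for templates meeting every condition."""
    report = {}
    for template in templates:
        met = risk_conditions_met(template)
        if len(met) == len(RISK_CONDITIONS):
            report[template["name"]] = met
    return report


if __name__ == "__main__":
    for name, conditions in audit(TEMPLATES).items():
        print(f"{name}: {'; '.join(conditions)}")
```

In the sample only `VPN-Access` is reported: `User` builds its subject from the directory, `WebServer-Custom` carries no authentication EKU and is restricted to Domain Admins, and `Admin-Issued-Auth` requires manager approval. Clearing `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT`, requiring approval, or narrowing the enrollment ACL each removes a template from the report.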
## Related Tools/Techniques
- **Certify:** A widely used tool designed to automate the exploitation of flawed AD CS configurations.
- **certipy:** Another popular Python tool used for AD CS exploitation, focused on automating certificate abuses.
- **GhostPack/BloodHound:** Tools often used in tandem to identify vulnerable AD CS templates and certificate trust relationships.
- **SpecterOps Whitepapers/Research:** Foundational research that details the mechanics of AD CS compromise.
***
# Tool/Technique: Certify (Tool)
## Overview
Certify is a widely used command-line tool designed by GhostPack (and maintained subsequently) to automate the process of exploiting misconfigurations in Active Directory Certificate Services (AD CS) to gain credential access or escalate privileges, often to the level of Domain Administrator.
## Technical Details
- Type: Tool (Offensive utility for AD CS abuse)
- Platform: Windows (Attacker machine used against AD CS infrastructure)
- Capabilities: Automated certificate enrollment, CSR generation, template identification, and execution of privilege escalation attacks leveraging AD CS flaws.
- First Seen: Its documentation indicates development alongside ongoing research into AD CS abuse (post-2019).
## MITRE ATT&CK Mapping
- TA0005 - Privilege Escalation
- T1134 - Access Token Manipulation
- TA0006 - Credential Access
- T1558.004 - Kerberos Tickets: PKINIT Authentication
## Functionality
### Core Capabilities
- Automating the steps required to generate a CSR based on a target certificate template.
- Interfacing with the CA via RPC endpoints (`\pipe\cert`).
- Attempting to obtain a certificate that can be used for Kerberos pre-authentication (PKINIT).
### Advanced Features
- Integration with other post-exploitation steps required for AD CS abuse campaigns.
- Providing specific error feedback related to AD CS enrollment stages.
## Indicators of Compromise
- File Hashes: N/A (Tool binary specific hashes would vary)
- File Names: Commonly `certify.exe`
- Registry Keys: N/A
- Network Indicators: Connections attempting certificate enrollment over RPC to CA servers.
- Behavioral Indicators: Execution associated with generating and submitting CSRs targeting specific AD CS infrastructure.
## Associated Threat Actors
- Red Team Operators
- Ethical Hackers
- Adversaries leveraging known AD enumeration and exploitation paths.
## Detection Methods
- Signature-based detection: Known hashes or strings associated with the tool binary.
- Behavioral detection: Monitoring for process execution that systematically interacts with certificate enrollment services in a suspicious manner.
## Mitigation Strategies
- Harden AD CS configuration thoroughly to prevent the exploitation path Certify relies on.
- Monitor for tool execution within the network, especially by non-standard administrative accounts.
## Related Tools/Techniques
- AD CS Abuse (Technique)
- certipy
- SpecterOps research
***
# Tool/Technique: Certipy (Tool)
## Overview
Certipy is an open-source Python tool designed to automate the identification and exploitation of misconfigured Active Directory Certificate Services (AD CS) components to achieve privilege escalation, often resulting in Domain Administrator context acquisition via certificate abuse.
## Technical Details
- Type: Tool (Offensive utility for AD CS abuse)
- Platform: Windows/Linux (Requires Python environment)
- Capabilities: Enumeration of certificate templates, generation of malicious CSRs, and requesting authentication credentials using issued certificates.
- First Seen: Actively developed and improved since the publication of the research that established AD CS attack paths.
## MITRE ATT&CK Mapping
- TA0005 - Privilege Escalation
- T1134 - Access Token Manipulation
- TA0006 - Credential Access
- T1558.004 - Kerberos Tickets: PKINIT Authentication
## Functionality
### Core Capabilities
- Scanning the environment for certificate templates available for enrollment.
- Attempting to enroll for certificates using vulnerable templates.
- Utilizing resulting certificates for Kerberos credential requests (PKINIT).
### Advanced Features
- More descriptive error messaging compared to earlier tools, aiding in debugging complex remote attacks.
## Indicators of Compromise
- File Hashes: N/A (Tool binary specific hashes would vary)
- File Names: Commonly `certipy.exe` or `certipy.py`
- Registry Keys: N/A
- Network Indicators: Connections attempting certificate enrollment over RPC to CA servers.
- Behavioral Indicators: Python script execution involving network communication directed at domain certificate authorities.
## Associated Threat Actors
- Red Team Operators
- Internal Auditors
- Threat actors rapidly adopting AD exploitation TTPs.
## Detection Methods
- Signature-based detection: Known file names or specific code signatures if the script/binary is observed.
- Behavioral detection: Detection of the Python interpreter performing activities that mimic certificate enrollment and KDC interaction.
## Mitigation Strategies
- Implement strict access controls on certificate templates.
- Ensure CA servers are patched and properly configured to reject certificate requests lacking proper validation or appropriate EKUs.
## Related Tools/Techniques
- AD CS Abuse (Technique)
- Certify
- SpecterOps research