Certified Pre-Owned

Overview

Whitepaper Certified Pre-Owned - Abusing Active Directory Certificate Services published by Will Schroeder and Lee Christensen from SpectorOps.

Certificate Theft

Technique ID

Description

THEFT1

Exporting certificates and their private keys using Window’s Crypto APIs

THEFT2

Extracting user certificates and private keys using DPAPI

THEFT3

Extracting machine certificates and private keys using DPAPI

THEFT4

Theft of existing certificates via file/directory triage

THEFT5

Using the Kerberos PKINIT protocol to retrieve an account’s NTLM hash

Privilege Escalation

Technique ID

Description

ESC1

Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

ESC2

Domain escalation via No Issuance Requirements + Enrollable Any Purpose EKU or no EKU

ESC3

Domain escalation via No Issuance Requirements + Certificate Request Agent EKU + no enrollment agent restrictions

ESC4

Domain escalation via misconfigured certificate template access control

ESC5

Domain escalation via vulnerable PKI AD Object Access Control

ESC6

Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates

ESC7

Vulnerable Certificate Authority Access Control

ESC8

NTLM Relay to AD CS HTTP Endpoints

Persistence

Technique ID

Description

PERSIST1

Account persistence via requests for new authentication certificates for a user

PERSIST2

Account persistence via requests for new authentication certificates for a computer

PERSIST3

Account persistence via renewal of authentication certificates for a user/computer

DPERSIST1

Domain persistence via certificate forgery with stolen CA private keys

DPERSIST2

Domain persistence via certificate forgery from maliciously added root/intermediate/NTAuth CA certificates

DPERSIST3

Domain persistence via malicious misconfigurations that can later cause a domain escalation

Certificate Theft

A form of credential theft where attackers leverage the stolen user/machine certificates to authenticate to AD.

Malicious Certificate Enrollments

Certificate Template Misconfiguration

Certificate Forging

Tools

Tool ForgeCert.

Tools

A tool provides a wide range of audit and AD CS functionalities.

Labs

HackTheBox

Escape

Red Teaming Experiments

Reference

PreviousDCsync Attack NextManagement

Last updated 1 year ago

Overview

Certificate Theft

Technique ID

Description

THEFT1

Exporting certificates and their private keys using Window’s Crypto APIs

THEFT2

Extracting user certificates and private keys using DPAPI

THEFT3

Extracting machine certificates and private keys using DPAPI

THEFT4

Theft of existing certificates via file/directory triage

THEFT5

Using the Kerberos PKINIT protocol to retrieve an account’s NTLM hash

Privilege Escalation

Technique ID

Description

ESC1

Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

ESC2

Domain escalation via No Issuance Requirements + Enrollable Any Purpose EKU or no EKU

ESC3

Domain escalation via No Issuance Requirements + Certificate Request Agent EKU + no enrollment agent restrictions

ESC4

Domain escalation via misconfigured certificate template access control

ESC5

Domain escalation via vulnerable PKI AD Object Access Control

ESC6

Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates

ESC7

Vulnerable Certificate Authority Access Control

ESC8

NTLM Relay to AD CS HTTP Endpoints

Persistence

Technique ID

Description

PERSIST1

Account persistence via requests for new authentication certificates for a user

PERSIST2

Account persistence via requests for new authentication certificates for a computer

PERSIST3

Account persistence via renewal of authentication certificates for a user/computer

DPERSIST1

Domain persistence via certificate forgery with stolen CA private keys

DPERSIST2

Domain persistence via certificate forgery from maliciously added root/intermediate/NTAuth CA certificates

DPERSIST3

Domain persistence via malicious misconfigurations that can later cause a domain escalation