Certified Pre-Owned

Overview

Notes on the whitepaper "Certified Pre-Owned: Abusing Active Directory Certificate Services", published by Will Schroeder and Lee Christensen of SpecterOps.

Certificate Theft

| Technique ID | Description |
| --- | --- |
| THEFT1 | Exporting certificates and their private keys using Windows' Crypto APIs |
| THEFT2 | Extracting user certificates and private keys using DPAPI |
| THEFT3 | Extracting machine certificates and private keys using DPAPI |
| THEFT4 | Theft of existing certificates via file/directory triage |
| THEFT5 | Using the Kerberos PKINIT protocol to retrieve an account's NTLM hash |

Privilege Escalation

| Technique ID | Description |
| --- | --- |
| ESC1 | Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT |
| ESC2 | Domain escalation via No Issuance Requirements + Enrollable Any Purpose EKU or no EKU |
| ESC3 | Domain escalation via No Issuance Requirements + Certificate Request Agent EKU + no enrollment agent restrictions |
| ESC4 | Domain escalation via misconfigured certificate template access control |
| ESC5 | Domain escalation via vulnerable PKI AD Object Access Control |
| ESC6 | Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates |
| ESC7 | Vulnerable Certificate Authority Access Control |
| ESC8 | NTLM Relay to AD CS HTTP Endpoints |

Persistence

| Technique ID | Description |
| --- | --- |
| PERSIST1 | Account persistence via requests for new authentication certificates for a user |
| PERSIST2 | Account persistence via requests for new authentication certificates for a computer |
| PERSIST3 | Account persistence via renewal of authentication certificates for a user/computer |
| DPERSIST1 | Domain persistence via certificate forgery with stolen CA private keys |
| DPERSIST2 | Domain persistence via certificate forgery from maliciously added root/intermediate/NTAuth CA certificates |
| DPERSIST3 | Domain persistence via malicious misconfigurations that can later cause a domain escalation |

Certificate Theft

A form of credential theft in which attackers use stolen user or machine certificates to authenticate to AD.

Malicious Certificate Enrollments

Certificate Template Misconfiguration

Certificate Forging

Tools

ForgeCert: a tool for forging certificates using a stolen CA private key (see DPERSIST1).

A tool that provides a wide range of AD CS audit and enumeration functionality.

Labs

HackTheBox

Red Teaming Experiments
