Active Directory Certificate Services (ADCS) have never really been under security scrutiny until a few years ago (by C. Falta<\/a> and later Q&D Security<\/a>). We will therefore focus today on how similar techniques can be used to gain Domain Admins privileges.<\/p>\n Note: <\/strong>this article assumes that the reader has a correct understanding of Active Directory<\/a> and\/or PKI<\/a> operation; some sections may be skipped depending on the reader experience and level of expertise.<\/p>\n <\/p>\n This article will tackle Microsoft ADCS and its potential issues under the specific prism of an Active Directory pentest, but the conclusions will be applicable on a broader scope: red team assignments, ADCS hardening, etc.<\/p>\n <\/p>\n An Active Directory pentest is a type of assignment where the sponsor of the audit is asking the pentester to interact with the audit target\u2019s infrastructure to find ways of gaining control of Active Directory. The auditor usually performs this task under the two following approaches:<\/p>\n In our case, we will focus on the grey box approach, therefore considering a malicious party<\/strong> who already has the ability of interacting with the domain<\/strong> as a standard user with no specific rights. The goal of the pentester would be to find a way to leverage the current rights of the user on the domain to compromise high-privileged principals<\/strong>, frequently the members of the Domain Admins<\/strong> group.<\/span><\/p>\n <\/p>\n Historically, Windows has been built as a user-friendly operating system<\/strong>, which means that it will do its best to minimize the number of situations where a user must type its password<\/strong>. In terms of user experience, most users will only type their password to unlock their workstation. System administrators may have to type it another time when using the Remote Desktop Protocol (RDP), but they don\u2019t expect it to type it again when connected to the remote server and\/or interacting with domain resources.<\/p>\n Under the hood, it means that Windows offers Single-Sign-On<\/strong> (SSO) features, which allow the system to authenticate as the user to other systems or applications. This sleight of hand is performed by the lsass.exe process, which caches usable credentials for the user in memory. There are two types of credentials that can be cached:<\/p>\n The credentials are cached into the memory of the Various tools, such as Mimikatz<\/a> and Windows Password Recovery<\/a>, allow users with local administration rights to extract the aforementioned authenticators from the memory:<\/p>\n Mimikatz extracting authenticators from lsass.exe process memory<\/span><\/em><\/p>\n These authenticators in turn can be used to log in onto other workstations and servers, using techniques such as Pass-the-Hash<\/a> or Pass-the-Ticket<\/a>. The use of these techniques is included in what is called Lateral Movement<\/strong><\/span> and allows progressing from low-privileged assets to high-privileged ones.<\/p>\n <\/p>\n In a grey box approach, a pentester would usually be provided with a standard network access, a domain-joined workstation and a basic user account. Assuming local administration rights are somehow obtained, the pentester would then gather:<\/p>\n Using this newly found credential, the next objective is to try using them on the other assets in the domain. If this works, the operation can be repeated<\/strong>, each time gaining more and more foothold on the domain<\/strong>.<\/p>\n This progression is quite easily performed by hand in a lab domain a limited number of workstations and servers but cannot be humanly feasible in a real-life domain with hundreds of servers and thousands of users and workstations (without mentioning domain trusts, etc.). This is where graph theory comes into play, with the following equivalents:<\/p>\n With such a graph, one would quite easily find<\/strong> (if it exists), the shortest path from a basic user account to a high-privileged principal<\/strong> on the domain. The only remaining task would be to exploit it. A path from one principal to another is called a compromise path, and the set of compromise paths between two principals represent all the means at one\u2019s disposal to compromise the latter starting from the former:<\/p>\n Compromise paths between a user and a member of the Domain Admins group<\/span><\/em><\/p>\n <\/p>\n In order to build the domain compromise graph, a list of possible edge types has to be defined. Lateral movement using credential dumping is often central, but it is not the only way of compromising principals. The current list includes (but is not limited to):<\/p>\n Building domain compromise graphs is particularly difficult to perform by hand, especially on large domains. There exist tools that help building these graphs and adding edges to find compromise paths.<\/p>\n Although many tools exist (Tenable.ad, AD-Control-Paths, PingCastle), the most famous one is BloodHound, and it leverages most of known techniques used to compromise accounts:<\/p>\n Example graph generated by BloodHound<\/em><\/p>\n <\/p>\n Microsoft Active Directory Certificate Services<\/strong><\/span> (ADCS) is a role that can be given to servers who will act as Certification Authorities<\/strong><\/span> (CA) in the forest. It integrates naturally within the forest, which means that there are domain objects that represents the different actors involved in a PKI lifecycle, and Access Control Lists regulating the interactions between these actors:<\/p>\n <\/p>\n The ADCS server role is installed on every server that is to act as a CA. When installing the ADCS role, the administrator is presented with twochoices: first, either install a Standalone<\/strong> or an Enterprise <\/strong>CA<\/em>:<\/p>\n CA setup type choice<\/em><\/p>\n <\/p>\n Then, in the case of an enterprise CA, it can be positioned as a Root CA <\/strong>or Subordinate CA<\/strong>:<\/p>\n CA type choice<\/em><\/p>\n <\/p>\n This article will focus on the Enterprise Root CA, for which the configuration is split between two places:<\/p>\n <\/p>\n In Active Directory, the configuration is stored under the following location (Configuration partition, thus defined at forest-level):<\/p>\n The configuration can be viewed using the Global PKI configuration in Active Directory<\/em><\/p>\n <\/p>\n The CertificateTemplate<\/strong><\/span> container has one domain object of type Table of contents<\/h2>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
<\/h2>\n
<\/a>Active Directory pentest: mission briefing<\/h1>\n
<\/a>Context and objectives<\/h2>\n
\n
<\/a>Elevating privileges in an AD environment<\/h2>\n
<\/a>From lateral movement …<\/h3>\n
\n
lsass.exe<\/code> process running with the System integrity level<\/a>. Either processes running as SYSTEM<\/code>, or processes with SeDebugPrivilege<\/code> enabled (which by default can only be enabled by local administrators) would be able to peek into lsass.exe<\/code> memory.<\/p>\n![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/01.png\")
<\/figure>\n<\/a>… to compromise graphs<\/h3>\n
\n
\n
![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/2021-06-09-13_28_44-Microsoft-ADCS-Abusing-PKI-to-get-the-keys-to-the-realm.docx-Compatibility-437x131.png\")
<\/figure>\n<\/a>Drafting the domain compromise graph<\/h3>\n
\n
![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/03.png\")
<\/figure>\n<\/a>Deep dive into Microsoft ADCS<\/h1>\n
<\/a>What is ADCS?<\/h2>\n
\n
<\/a>How does ADCS operate?<\/h2>\n
![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/04.png\")
<\/figure>\n![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/05.png\")
<\/figure>\n\n
<\/a>Active Directory: Public Key Services<\/h3>\n
CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local<\/pre>\n
adsiedit.msc<\/code> component in the MMC:<\/p>\n![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/06.png\")
<\/figure>\nCertificate templates<\/h4>\n
pKICertificateTemplate<\/code> for every template to be shared amongst the enterprise Certification Authorities. These templates define, through attributes <\/strong>configured on their domain object, a set of policies<\/strong> that mostly describe and constrain:<\/p>\n\n
certreq<\/code> binary)<\/li>\nKeyUsage<\/code> and ExtendedKeyUsages<\/code>)<\/li>\n![\"\"](\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/06\/09.png\")
<\/figure>\n