Source: Medium
Author: Giulio Pierantoni
URL: https://medium.com/@offsecdeer/adcs-exploitation-part-3-living-off-the-land-9c6494d6a84e
ONE SENTENCE SUMMARY: The article outlines techniques for exploiting Active Directory Certificate Services (ADCS) using native Windows tools certutil and certreq.
MAIN POINTS:
- ADCS exploitation can be performed using built-in Windows tools certutil and certreq.
- Enumeration of enterprise CAs involves commands like certutil -TCAInfo and certutil -dump.
- Validation of CA certificates and trust hierarchy is critical before exploitation.
- Certificate templates can be analyzed using certutil -dsTemplate and certutil -Template.
- ESC1 exploits involve generating a CSR with a user-supplied SAN (Subject Alternative Name) through policy files.
- ESC2 and ESC3 exploits require Enrollment Agent certificates and EOBO (Enroll-On-Behalf-Of) CSRs.
- ESC15 vulnerabilities allow injection of custom EKU (Extended Key Usage) OIDs into certificates.
- Golden Certificate creation involves backing up CA private keys using certutil -backupkey.
- ESC4 exploits involve modifying template attributes temporarily to enable enrollment.
- Certificates obtained can be leveraged for authentication via CredMarshalCredential and PSSession.
TAKEAWAYS:
- Native Windows tools offer stealthier methods for ADCS exploitation compared to external tools.
- Proper enumeration and validation steps are essential for successful exploitation.
- Understanding template attributes and DACLs helps identify exploitable vulnerabilities.
- Certificate-based authentication provides powerful lateral movement capabilities in Windows domains.
- Monitoring and restricting usage of certutil and certreq by regular users improves security posture.