You're reading from Pentesting Active Directory and Windows-based Infrastructure

Product type: Book
Published in: Nov 2023
Publisher: Packt
ISBN-13: 9781804611364
Edition: 1st Edition
Author: Denis Isakov

Denis Isakov is a passionate security professional with 10+ years of experience ranging from incident response to penetration testing. He worked in various industries, including banking and consultancy. Denis is specialized in offensive security with particular focus on Active Directory and adversary malware. He has earned a Master's degree in Information Systems and Technologies in 2012. Additionally, Denis has achieved an array of industry certifications ranging from OSCP to GXPN. Outside of computers, Denis enjoys sports and discovering new places.

Abusing Active Directory Certificate Services

In the next two chapters, we will cover services that can be found in almost every environment but are not installed by default during Active Directory deployment. We will start with Active Directory Certificate Services (AD CS). This service is Microsoft’s implementation of a Public Key Infrastructure (PKI) integrated with Active Directory. It allows us to utilize public key cryptography throughout the Active Directory forest, providing certificates, digital signatures, code signing, and other capabilities. As usual, with great power comes great responsibility. AD CS has often been overlooked in terms of hardening and monitoring because of its complexity. In June 2021, SpecterOps released a comprehensive research paper describing known and new ways to attack AD CS [1].

We will start our learning journey by explaining the necessary PKI theory. We will then cover possible ways to steal certificates and achieve persistence...

Technical requirements

In this chapter, you will need to have access to the following:

  • VMware Workstation or Oracle VirtualBox with at least 16 GB of RAM, 8 CPU cores, and at least 55 GB of total space (more if you take snapshots)
  • A Linux-based operating system is strongly recommended
  • From the GOADv2 project, we will use DC03 and SRV03

PKI theory

In this section, we will cover the necessary theory and terminology that will be used later on in the chapter. First of all, what is public key cryptography? It is an asymmetric cryptographic system that uses a pair of related keys. Secondly, how does it work? In plain words, the user generates two keys (private and public) and uses the private key to decrypt or sign a message. The second key is available to everyone (which is why it is called public) and is used to encrypt a message or verify its signature. The two keys are mathematically tied, but it is not computationally feasible to recover the private key from the public key. Keeping in mind the concept that has just been described, we can now discuss PKI in more detail.
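To make the sign-with-private / verify-with-public relationship concrete, here is an added example (not code from the book) using textbook RSA. The primes 61 and 53 and the exponent 17 are the classic toy values from textbooks and are assumed only for readability; they are far too small for real use, and the hash is reduced modulo n for the same reason. The message and the `demo` helper are constructed for this example.

```python
"""Textbook RSA sign/verify and encrypt/decrypt with tiny, insecure parameters.

Added example, not from the book: it shows that only the holder of the private
exponent d can produce a signature, while anyone holding (n, e) can verify it.
The parameters are constructed toy values and must not be used in practice.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_keypair(p: int, q: int, e: int = 17) -> tuple[PublicKey, PrivateKey]:
    """Derive a key pair from two primes (constructed, textbook-sized input)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e: the private exponent
    return PublicKey(n, e), PrivateKey(n, d)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Hash the message first, then reduce so the value fits under the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Only the holder of d can compute this value."""
    return pow(_digest_mod_n(message, priv.n), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone with (n, e) can check the signature; no secret is needed."""
    return pow(signature, pub.e, pub.n) == _digest_mod_n(message, pub.n)


def encrypt(pub: PublicKey, m: int) -> int:
    """Encryption uses the public key; m must be smaller than n."""
    if not 0 <= m < pub.n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """Decryption needs the private exponent d."""
    return pow(c, priv.d, priv.n)


def demo() -> dict:
    """Constructed walk-through: sign, verify, reject a forged signature, round-trip."""
    pub, priv = generate_keypair(61, 53)  # n = 3233, phi = 3120, d = 2753
    msg = b"certificate request for khal.drogo"
    sig = sign(priv, msg)
    return {
        "d": priv.d,
        "valid": verify(pub, msg, sig),
        # A different signature value never verifies: x -> x^e mod n is a permutation.
        "forged": verify(pub, msg, (sig + 1) % pub.n),
        # A changed message almost certainly fails too (hash changes).
        "tampered": verify(pub, msg + b"!", sig),
        "roundtrip": decrypt(priv, encrypt(pub, 65)) == 65,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from it is the asymmetry: `sign` and `decrypt` need `d`, `verify` and `encrypt` need only `(n, e)`. With real key sizes the public pair reveals nothing useful about `d`; with these toy primes anyone could factor `n`, which is exactly why they are for illustration only.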

The most important components of PKI are the Certification Authority (CA), Registration Authority (RA), central directory, certificate management system, and certificate policy. The CA is the heart of PKI. Using its own private key, it signs the public key bound to...

Certificate theft

This section will focus on certificate theft at the endpoint. If AD CS is deployed in the environment, chances are high that certificates are being used for domain authentication. Windows uses the .pfx format, which bundles the certificate itself with the corresponding private key. However, private keys can be stored separately – for example, on specialized hardware such as Trusted Platform Modules (TPMs), Hardware Security Modules (HSMs), or smart cards. Most companies do not deploy such hardware, so keys are stored by the operating system, where Windows protects them with the help of the Data Protection Application Programming Interface (DPAPI). For the demonstration, let us issue the khal.drogo user certificate with a non-exportable private key. We can do it via the Certificates snap-in in Microsoft Management Console (MMC). Now, we are ready to start with the practice.

THEFT1 – Exporting certificates using the CryptoAPI

There...

Account persistence

After an adversary gains an initial foothold, the next step is usually to establish persistence. In this section, we will only cover persistence techniques that rely on certificate usage.

PERSIST1 – Active user credential theft via certificates

Users can request a certificate from the CA in the environment for any available template that they are allowed to enroll in. An attacker will most likely focus on templates allowing client authentication. An important caveat is that the template must not require manager approval or have an “authorized signatures” issuance requirement; the latter defines how many digital signatures must be applied to the certificate request before it is approved. There is a default template called User, but it may be disabled. To find any other available templates, we can use a tool called Certify [9]. The following command will send LDAP queries and show available templates:

Certify.exe find /clientauth

The result of...
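The conditions the section lists are exactly what a defender should audit before an adversary does. The following added example (not code from the book or from the Certify project) applies them to certificate template records: the template is published, the principal holds enrollment rights, the EKU permits client authentication, and neither manager approval nor authorized signatures are required. The LDAP attribute names (`pKIExtendedKeyUsage`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`) and the EKU OIDs are real; the `enabled` and `enrollment_rights` fields are constructed simplifications of what a CA publishes and of the template's security descriptor, and every template in the sample list is invented.

```python
"""Triage AD CS certificate templates for the PERSIST1 preconditions.

Added example, not from the book or the Certify project. Attribute names are
the real LDAP attributes of pKICertificateTemplate objects; the `enabled` and
`enrollment_rights` fields and all sample values are constructed.
"""

# EKU OIDs that make a certificate usable for domain logon.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002


def allows_client_auth(template: dict) -> bool:
    """An empty EKU list means 'any purpose', so it qualifies as well."""
    ekus = template.get("pKIExtendedKeyUsage") or []
    return not ekus or any(oid in CLIENT_AUTH_EKUS for oid in ekus)


def requires_manager_approval(template: dict) -> bool:
    return bool(template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)


def requires_authorized_signatures(template: dict) -> bool:
    """msPKI-RA-Signature is the number of signatures a request must carry."""
    return template.get("msPKI-RA-Signature", 0) > 0


def can_enroll(template: dict, principal_groups: set[str]) -> bool:
    # Constructed simplification of the template ACL: a list of group names.
    return bool(set(template.get("enrollment_rights", [])) & principal_groups)


def find_clientauth_templates(templates: list[dict], principal_groups: set[str]) -> list[str]:
    """Names of templates from which the principal could obtain a logon-capable
    certificate with no approval step: the list a defender should review."""
    return [
        t["name"]
        for t in templates
        if t.get("enabled", False)
        and can_enroll(t, principal_groups)
        and allows_client_auth(t)
        and not requires_manager_approval(t)
        and not requires_authorized_signatures(t)
    ]


def explain(template: dict) -> list[str]:
    """Reasons a template does NOT meet the conditions (empty list if it does)."""
    reasons = []
    if not template.get("enabled", False):
        reasons.append("not published by any CA")
    if not allows_client_auth(template):
        reasons.append("EKU does not permit client authentication")
    if requires_manager_approval(template):
        reasons.append("manager approval required (CT_FLAG_PEND_ALL_REQUESTS)")
    if requires_authorized_signatures(template):
        reasons.append(f"requires {template['msPKI-RA-Signature']} authorized signature(s)")
    return reasons


# Constructed sample: the attribute layout is real, the templates are invented.
SAMPLE_TEMPLATES = [
    {"name": "User", "enabled": False,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Domain Users"]},
    {"name": "VPNAccess", "enabled": True,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Enrollment-Flag": 0x00, "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Domain Users"]},
    {"name": "ApprovedLogon", "enabled": True,
     "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"],
     "msPKI-Enrollment-Flag": 0x02, "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Domain Users"]},
    {"name": "CoSignedLogon", "enabled": True,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Enrollment-Flag": 0x00, "msPKI-RA-Signature": 1,
     "enrollment_rights": ["Domain Users"]},
    {"name": "WebServer", "enabled": True,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Enrollment-Flag": 0x00, "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Domain Users"]},
    {"name": "HelpdeskSmartcard", "enabled": True,
     "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"],
     "msPKI-Enrollment-Flag": 0x00, "msPKI-RA-Signature": 0,
     "enrollment_rights": ["Helpdesk"]},
]

if __name__ == "__main__":
    for name in find_clientauth_templates(SAMPLE_TEMPLATES, {"Domain Users"}):
        print("review:", name)
```

Run against the sample, only VPNAccess is reachable by a plain domain user; ApprovedLogon and CoSignedLogon are excluded by the approval and signature requirements the section describes, WebServer by its EKU, and the disabled User template is skipped. Adding Helpdesk to the principal's groups also surfaces HelpdeskSmartcard, which is the point of checking enrollment rights per principal rather than listing templates in isolation.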

Domain privilege escalation

In this section, we will explore practical techniques to escalate privileges by exploiting various security issues, such as template and extension misconfigurations (ESC1, 2, 3, 9, and 10), improper access controls (ESC4, 5, and 7), CA misconfiguration (ESC6), and relay attacks (ESC8 and 11). I have taken this grouping of the attacks from [12]. But to begin with, we will start with a critical vulnerability discovered by Oliver Lyak, called Certifried, which evolved into ESC9 and ESC10 after the patch.

Certifried (CVE-2022-26923)

This vulnerability has much in common with sAMAccountName spoofing (CVE-2021-42278). The original research by its author is published here [13].

In AD CS, by default, there are two authentication certificates: user and machine. Every user account has a User Principal Name (UPN) that must be unique. The UPN is embedded into the certificate and used by the KDC during authentication. Computer accounts do not have a UPN, as dNSHostName...

Domain persistence

In this section, we will explore techniques to achieve persistence in the domain using a compromised CA. We will gain an understanding of the typical vectors an adversary will utilize to keep high-privileged access to the environment and explore approaches to detect such activities.

DPERSIST1 – Forge certificates with stolen CA certificate

If an adversary has compromised a CA and obtained a CA certificate with a corresponding private key, it is possible to forge any certificate in the domain environment. To differentiate the CA certificate from others, pay attention to certain characteristics such as the following:

  • The issuer and subject are set to the distinguished name of the CA
  • It has a “CA Version” extension
  • No EKU

These characteristics are shown in the following screenshot:

Figure 8.44 – CA certificate information
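The three characteristics above are simple enough to check programmatically, which is useful when reviewing a certificate store or an export event to decide whether a CA private key may have been exposed. The following added example (not code from the book) models certificates as plain dicts constructed for this purpose (subject, issuer, extensions by OID) rather than parsing DER. The OIDs are real: 2.5.29.37 is Extended Key Usage and 1.3.6.1.4.1.311.21.1 is Microsoft's "CA Version" extension; the certificate names and values in the sample are invented.

```python
"""Identify CA certificates by the characteristics listed for DPERSIST1.

Added example, not from the book. Certificates are constructed dicts, not
parsed DER, so the three checks stay readable. OIDs are real Microsoft/X.509
identifiers; the sample subjects and values are invented.
"""

EKU_OID = "2.5.29.37"                 # X.509 Extended Key Usage
CA_VERSION_OID = "1.3.6.1.4.1.311.21.1"  # Microsoft "CA Version" (szOID_CERTSRV_CA_VERSION)


def normalize_dn(dn: str) -> str:
    """Simplified DN comparison: case-insensitive, whitespace around RDNs ignored.
    Assumption: no escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_self_issued(cert: dict) -> bool:
    return normalize_dn(cert["subject"]) == normalize_dn(cert["issuer"])


def has_extension(cert: dict, oid: str) -> bool:
    return any(ext["oid"] == oid for ext in cert.get("extensions", []))


def classify(cert: dict) -> str:
    """'ca' when all three characteristics hold (issuer == subject, CA Version
    present, no EKU); 'self-signed-leaf' for a self-issued certificate that
    still carries an EKU, such as a developer test certificate; else 'leaf'."""
    self_issued = is_self_issued(cert)
    if self_issued and has_extension(cert, CA_VERSION_OID) and not has_extension(cert, EKU_OID):
        return "ca"
    if self_issued:
        return "self-signed-leaf"
    return "leaf"


def ca_certificates(certs: list[dict]) -> list[str]:
    """Subjects whose private keys deserve CA-grade protection and whose export
    or copying should raise an alert."""
    return [c["subject"] for c in certs if classify(c) == "ca"]


# Constructed sample store; names and values are invented.
SAMPLE_CERTS = [
    {"subject": "CN=EXAMPLE-CA, DC=example, DC=local",
     "issuer": "cn=example-ca, dc=example, dc=local",
     "extensions": [{"oid": CA_VERSION_OID, "value": "V0.0"},
                    {"oid": "2.5.29.19", "value": "CA:TRUE"}]},
    {"subject": "CN=khal.drogo, OU=Users, DC=example, DC=local",
     "issuer": "CN=EXAMPLE-CA, DC=example, DC=local",
     "extensions": [{"oid": EKU_OID, "value": ["1.3.6.1.5.5.7.3.2"]}]},
    {"subject": "CN=dev-selfsigned",
     "issuer": "CN=dev-selfsigned",
     "extensions": [{"oid": EKU_OID, "value": ["1.3.6.1.5.5.7.3.1"]}]},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(classify(cert), cert["subject"])
```

The self-issued test alone is not enough, which is why the EKU check matters: a developer's self-signed server certificate also has issuer equal to subject but carries an EKU and no CA Version extension, and is classified as a self-signed leaf rather than a CA certificate.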

It is important to mention that forged certificates cannot...

Summary

In this chapter, we learned about techniques to compromise AD CS. The techniques presented in the chapter were grouped into four categories: theft, account persistence, domain privilege escalation, and domain persistence.

In the theft category, we covered different ways to steal certificates from a compromised endpoint. Next, we introduced you to account persistence techniques, such as the request and renewal of user and machine certificates. Finally, we learned about domain privilege escalation and domain persistence techniques for achieving and keeping the highest privileges at the domain level.

In the next chapter, we will dive into Microsoft’s solution for databases – Microsoft SQL Server. We will cover offensive techniques, prevention, and detection recommendations.
