ADCSESC3

This article applies to BHCE and BHE

 

The principal has permission to enroll on a certificate allowing them to obtain an enrollment agent
certificate. They also have permission to enroll for a certificate template that permits enrollment by
enrollment agents and can be used for authentication. Additionally, they also have enrollment
permissions for an enterprise CA with the necessary templates published. This enterprise CA is trusted
for NT authentication in the forest, along with the CA certificate chain up to the root CA certificate.
This setup lets the principal enroll certificates for any AD forest user or computer, enabling
authentication and impersonation of any AD forest user or computer without their credentials, unless the
target user or computer is protected by enrollment agent restrictions on the enterprise CA.

 

Abuse Info

Windows

Step 1: Use Certify to request an enrollment agent certificate.

Certify.exe request /ca:CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA /template:Vuln-EnrollmentAgent

If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only be set on computer objects. Computers have validated write permission to their own 'dNSHostName' attribute by default, but neither users nor computers can write to their own 'mail' attribute by default.

Step 2: Convert the emitted certificate to PFX format.

certutil.exe -MergePFX .\enrollmentcert.pem .\enrollmentcert.pfx 

Step 3: Use the enrollment agent certificate to issue a certificate request on behalf of another user to a certificate template that allow for authentication and permit enrollment agent enrollment.

Certify.exe request /ca:CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA /template:User /onbehalfof:CORP\itadmin /enrollcert:enrollmentcert.pfx 

Save the certificate as itadminenrollment.pem and the private key as itadminenrollment.key. If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot be added to the Subject or Subject Alternate name, then it is because the target principal does not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. Choose another target with the given attribute set.

Step 4: Convert the emitted certificate to PFX format.

certutil.exe -MergePFX .\itadminenrollment.pem .\itadminenrollment.pfx 

Step 5: Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target identity to impersonate and the PFX-formatted certificate created in Step 4.

Rubeus.exe asktgt /user:itadmin /domain:corp.local /certificate:itadminenrollment.pfx

 

Linux

Step 1: Use Certify to request an enrollment agent certificate.

certipy req -u 'user@corp.local' -p 'password' -dc-ip 'DC_IP' -target 'ca_host' -ca 'ca_name

If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The 'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only be set on computer objects. Computers have validated write permission to their own 'dNSHostName' attribute by default, but neither users nor computers can write to their own 'mail' attribute by default.

Step 2: Use the enrollment agent certificate to issue a certificate request on behalf of another user to a certificate template that allow for authentication and permit enrollment agent enrollment.

certipy req -u 'user@corp.local' -p 'password' -dc-ip 'DC_IP' -target 'ca_host' -ca 'ca_name

Save the certificate as itadminenrollment.pem and the private key as itadminenrollment.key. If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot be added to the Subject or Subject Alternate name, then it is because the target principal does not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. Choose another target with the given attribute set.

Step 3: Request a ticket granting ticket (TGT) from the domain, specifying the target identity to impersonate and the PFX-formatted certificate created in Step 2.

certipy auth -pfx administrator.pfx -dc-ip 172.16.126.128

 

Opsec Considerations

When the affected certificate authority issues the certificate to the attacker, it will retain a local copy
of that certificate in its issued certificates store. Defenders may analyze those issued certificates to
identify illegitimately issued certificates and identify the principal that requested the certificate, as
well as the target identity the attacker is attempting to impersonate.
 

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

  • https://attack.mitre.org/techniques/T1649/

Abuse and Opsec references

 

Updated