The NTAuthStore is the Enterprise NTAuth store (NTAuthCertificates object) for the AD forest of the domain node. The NTAuthStore holds the list of certificates trusted for authentication in the AD forest of the domain. When a user attempts to authenticate against a domain with a certificate, a domain controller will verify that the certificate is signed by a certificate in the NTAuthStore.
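An added example (not part of the original page or the project's own code): one way for a defender to list the certificates currently held in the forest's NTAuthCertificates object and compare them with an expected set. It assumes the ActiveDirectory PowerShell module and PowerShell 5 or later; the function names and the `$ApprovedThumbprints` allowlist are hypothetical, and the thumbprint value is a placeholder.

```powershell
# Added example: audit the forest's NTAuthCertificates object.
# Requires the ActiveDirectory (RSAT) module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Hypothetical allowlist: replace the placeholder with the thumbprints of the
# CAs you expect to be trusted for authentication in this forest.
$ApprovedThumbprints = @(
    '<THUMBPRINT-OF-APPROVED-CA>'
)

function Get-NTAuthCertificate {
    # The object lives in the Configuration naming context, so one copy
    # applies to every domain in the forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties cACertificate

    foreach ($raw in $obj.cACertificate) {
        # Each value of cACertificate is one DER-encoded certificate.
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    }
}

function Test-NTAuthCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Approved = @()
    )
    process {
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Issuer     = $Certificate.Issuer
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            Expired    = $Certificate.NotAfter -lt (Get-Date)
            Approved   = $Approved -contains $Certificate.Thumbprint
        }
    }
}

# Unapproved entries sort first; review those and any expired certificates.
Get-NTAuthCertificate |
    Test-NTAuthCertificate -Approved $ApprovedThumbprints |
    Sort-Object Approved, NotAfter |
    Format-Table -AutoSize
```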
Abuse Info
An attacker may perform several attacks that rely on certificates being stored in the NTAuthStore, such as ESC1. This relationship alone is not enough to escalate rights or impersonate other principals. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
Opsec Considerations
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
References
This edge is related to the following MITRE ATT&CK tactic and techniques:
- https://attack.mitre.org/techniques/T1649/
Abuse and Opsec references
- https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
- https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication#BKMK_CertificatesInWindowsAuthentication
- https://www.pkisolutions.com/understanding-active-directory-certificate-services-containers-in-active-directory/
- https://www.ravenswoodtechnology.com/components-of-a-pki-part-2/