Active Directory Certificate Services

Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing Public Key Infrastructure (PKI) certificates used in secure communication and authentication protocols.

In the last few years, a number of possible AD CS misconfigurations, leading to privilege escalation and persistence in an Active Directory environment, have been published by security researchers and exploited by threat actors.

Active Directory objects linked to AD CS

A number of Active Directory objects, stored in the Configuration naming context, are related to Active Directory Certificate Services (and potentially third-party Certification Authority). As any objects stored in the Configuration naming context, the objects are replicated on all the Domain Controllers forest-wide.

Certificate templates

Certificate templates are domain objects of type pKICertificateTemplate, stored under the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<TLD> container, that govern the certificates that can be requested to and delivered by the Active Directory Certificate Services (AD CS).

A certificate template notably defines a number of parameters for the certificates issued through the template:

• The way the Subject Name and Subject Alternative Name (Subject Alternative Name) of the certificates will be constructed. The subject information can be either build:

  • automatically based on Active Directory information of the principal making the request (User Principal Name (UPN), Service Principal Name (SPN), DNS name, etc.).

  • using user-supplied data provided in the certificate request. In such case, the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in the msPKI-Certificate-Name-Flag attribute is set (and the attribute thus has an odd value).

• The issued certificates validity period.

• The cryptographic parameters of the certificates (the Cryptographic Services Provider (CSP) and the minimum key size used for instance).

• The X509v3 extensions added to the certificates, including the Extended / Enhanced Key Usage (EKU) extension (introduced in more details below). The extensions define the purpose of the certificates.

• Eventual issuance requirements:
  • Approval of a certificate manager to validate (or deny) the certificate request. This setting will set the CT_FLAG_PEND_ALL_REQUESTS (0x02) flag in the certificate template msPKI-Enrollment-Flag attribute. Certificate requests will be keep in a pending state, awaiting for action of the certificate manager.

Additionally, certificate templates are securable objects, and the access control rights defined in a certificate template’s Access Control List (ACL) govern the operations that can be conducted on the template itself and the principals that can enroll to the template. Refer to the [Active Directory] ACL exploiting - Active Directory Certificate Services note for more information on the certificate templates ACL.

Extended / Enhanced Key Usage extension

The Extended / Enhanced Key Usage (EKU) extension is a certificate extension (i.e an additional attribute) that defines the purposes of the certificate, effectively restricting what the certificate can be used for in an Active Directory environment. This extension is implemented by the pKIExtendedKeyUsage attribute on Active Directory certificate template object.

The EKU extension is composed of 0 or more Object Identifier (OID), each OID corresponding to a specific purpose. The following notable OIDs are supported in Active Directory:

If no OID is specified in the EKU extension, the certificate will by default be valid for all usages in Windows, including client authentication. Applications may however rely on the Constrained EKU validation mode, as implemented by Microsoft, which determine the valid usage of the certificate using only the explicitly specified purposes (in all the certificate of the chain).

Arbitrary / user-controlled Subject Alternative Name (ESC1)

As specified in the certificate processing logic in the Microsoft documentation, if an User Principal Name (UPN) is specified in a certificate’s subjectAltName field, the UPN is used to map the certificate to an user account in Active Directory and conduct the PKINIT authentication as that user. Having control on the Subject Alternative Name for which the certificate will be emitted can thus be leveraged for privilege escalation, notably if the certificate template supports client authentication (and can be requested under the current privileges). For example, in such circumstances, an unprivileged user could request a certificate specifying a more privileged principal, such as the domain Administrator account or a member of the Domain Admins group, and later use the certificate to authenticate under the impersonated principal.

The Subject Alternative Name for which the certificate will be emitted is user-controlled if either:

• The specific certificate template is configured to use user-supplied data provided in the certificate request to define the subjectAltName (i.e, as noted above, the template msPKI-Certificate-Name-Flag attribute’s CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) flag is set).

• A Certificate Authority server has, in its HKEY_LOCAL_MACHINE registry hive, the EDITF_ATTRIBUTESUBJECTALTNAME2 (0x00040000) flag set. As stated in the Microsoft documentation, if this flag is set, user-supplied alternative names are allowed for any certificate template published by the given Certificate Authority server.

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_NAME>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags
  

Enrollment rights

To enroll for a certificate template, the following conditions must be meet:

• The certificate template must be published by at least one Certificate Authority. The certificate templates published by a given CA are defined in the certificateTemplates attribute of the CA’s Enrollment Service (pKIEnrollmentService) object.

• The given principal must be able to enroll to a CA publishing the certificate template (Certificate-Enrollment or Certificate-AutoEnrollment extended rights).

• The given principal must have enrollment rights for the certificate template. The enrollment rights are defined on the certificate template object’s ACL (notably the Certificate-Enrollment or Certificate-AutoEnrollment rights).

Certificate templates enumeration

Multiple tools and utilities can be used to enumerate the certificate templates:

• Windows built-in certutil
• Certify
• Invoke-Leghorn
• Certipy
• PingCastle’s healthcheck

Additionally, FarsightAD can be used to enumerate certificate templates and retrieve timestamps of last modification for critical attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, nTSecurityDescriptor).

# Requires PowerShell 7+.

. .\FarsightAD.ps1

Export-ADHuntingADCSCertificateTemplates [-Server <DC_IP | DC_HOSTNAME>] [-Credential <PS_CREDENTIAL>] [-ADDriveName <AD_DRIVE_NAME>] [-OutputFolder <OUTPUT_FOLDER>] [-ExportType <CSV | JSON>]

AD CS operations artefacts

Windows ETW

A number of non-default Windows events can be generated by Active Directory Certificate Services on certificate operations, such as certificate template updates, certificate requests, etc.

For events to be logged, the following conditions must be meet:

• Advanced auditing policy is enforced and Audit Certification Services is enabled.
• The audit filter the event(s) are enabled on the CA(s) (for example through: Certificate Authority Properties - in Certificate Services MMC snap-in -> Auditing -> ).
• For the certificate template change events to be recorded (events 4898, 4898, and 4900), the specific audit configuration flag EDITF_AUDITCERTTEMPLATELOAD must be enabled: certutil –setreg policy\EditFlags +EDITF_AUDITCERTTEMPLATELOAD.

Active Directory Domain Services artefacts

AD userCertificate attribute

The userCertificate attribute of a user / computer object is a multi-value attribute that contains the public key of X.509 certificates issued to the principal through AD CS. The userCertificate attribute is composed of an array of nested byte arrays, containing the certificate objects.

The public key of the certificate issued to a principal is stored in this attribute only if the Publish to Active Directory is set in the Certificate Template associated with the certificate. This setting is configured by default for some certificate templates.

The following PowerShell cmdlet, from FarsightAD, can be used to parse a (single) userCertificate attribute:

function Get-X509CertificateStringFromUserCertificate {
<#
.SYNOPSIS

Return a formatted string constructed from an object's userCertificate attribute.

.PARAMETER userCertificate

Specifies the Certificates attribute.

.OUTPUTS

[string]

#>

    Param(
        [Parameter(Mandatory=$True)] $userCertificate
    )
    
    $CertificatesString = ""
    
    for ($i = 0; $i -lt $userCertificate.Count; $i++) {
        # Requires PowerShell >= v5.
        # New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($userCertificate[$i]) bugs in PowerShell v7+.
        $X509Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]] $userCertificate[$i])
        $EnhancedKeyUsageListString = If ($X509Certificate.EnhancedKeyUsageList) { [string]::join("-", $X509Certificate.EnhancedKeyUsageList) } Else { "None" }
        $X509CertificateAsString = [string]::Format("SerialNumber={0}|Subject={1}|NotBefore={2}|NotAfter={3}|EnhancedKeyUsageList={4}", $X509Certificate.SerialNumber, $X509Certificate.Subject, $X509Certificate.NotBefore, $X509Certificate.NotAfter, $EnhancedKeyUsageListString)
        $CertificatesString += "$X509CertificateAsString;"
    }

    return $CertificatesString
}

$account = Get-ADObject -Properties userCertificate [...]
Get-X509CertificateStringFromUserCertificate -userCertificate $account.userCertificate

Additionally, FarsightAD’s Export-ADHuntingPrincipalsCertificates can be used to enumerate and parse users / computers certificates, identifying certificates valid for client authentication. A number of parameters are retrieved for each certificate: certificate validity timestamps, certificate purpose, certificate subject and eventual SubjectAltName(s).

The cmdlet highlights SubjectAltName that do not match the associated account UPN and will attempt to determine if the SubjectAltName is linked to a privileged account. The last modification timestamp, from AD replication data, is also retrieved for all userCertificate attributes.

Export-ADHuntingPrincipalsCertificates [-Server <DC_IP | DC_HOSTNAME>] [-Credential <PS_CREDENTIAL>] [-OutputFolder <OUTPUT_FOLDER>] [-ExportType <CSV | JSON>]

References

• Wavestone - Jean Marsault - Microsoft ADCS – Abusing PKI in Active Directory Environment

• SpecterOps - Will Schroeder & Lee Christensen - Certified Pre-Owned (synthesis)

• SpecterOps - Will Schroeder & Lee Christensen - Certified Pre-Owned

• Sysadmins LV - Vadims Podans - Understanding Active Directory Certificate Services containers in Active Directory

• ldapwiki - ExtendedKeyUsage

• Sysadmins LV - Vadims Podans - Constraining Extended Key Usages in Microsoft Windows

• KEYFACTOR Hidden Dangers: Certificate Subject Alternative Names (SANs)

• decoder - A “deep dive” in Cert Publishers Group

• Uwe Gradenegger - Overview of audit events generated by the Certification Authority

• Microsoft - Securing PKI: Monitoring Public Key Infrastructure