Secondary Categories: 02-Lateral Movement, 02-Credential Access, 02-Information Gathering

Finding Vulnerable Certificate Templates

Once in an AD environment, we can look for vulnerable certificate templates, or use certificate templates as another way to authenticate to systems or request other information.

Depending on where we are operating from, we can use either Certify (Windows) or Certipy (Linux).

#Windows (Certify): only display vulnerable templates
Certify.exe find /vulnerable

#Linux (Certipy): return all templates
certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128

#Only display vulnerable templates
certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128 -vulnerable

Manually Requesting Certificate from AD CS

Mitigation

One of the easiest ways to assist in detecting exploitation of AD CS is to enable Certificate Authority logging. AD CS does not enable this by default, which in the case of an incident will leave an organization unable to respond properly.

#Enable CA logging (127 = audit every CA event category)
#The events are only written if the "Certification Services" audit subcategory is enabled in audit policy,
#and the CertSvc service must be restarted for the new AuditFilter to take effect
certutil.exe -setreg CA\AuditFilter 127
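As an added example (not from the original notes or from Microsoft's tooling), the following Python script shows what those audit events make possible once logging is on: it parses event 4887 records ("Certificate Services approved a certificate request and issued a certificate") and flags any issuance where the subject CN, or a UPN supplied in the request attributes, does not belong to the requesting account. The three events are constructed for this example and the field names follow the Windows event text; a SAN only shows up in the Attributes field when it was passed as a request attribute, so in practice this check is combined with reading the issued certificate itself from the CA database.

```python
import re

# Constructed CA audit events (event ID 4887, logged once AuditFilter 127 is set).
# Field names are those of the Windows event text; every value is made up.
SAMPLE_EVENTS = """\
EventID: 4887
Request ID: 41
Requester: CORP\\jdoe
Attributes: CertificateTemplate:User
Disposition: 3
Subject: CN=jdoe, OU=Staff, DC=corp, DC=local

EventID: 4887
Request ID: 42
Requester: CORP\\jdoe
Attributes: CertificateTemplate:VulnUserTemplate SAN:upn=administrator@corp.local
Disposition: 3
Subject: CN=administrator

EventID: 4887
Request ID: 43
Requester: CORP\\WS01$
Attributes: CertificateTemplate:Machine
Disposition: 3
Subject: CN=ws01.corp.local
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_events(text):
    """Split the event dump into one dict of field -> value per 4887 event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("EventID") == "4887":
            events.append(fields)
    return events


def account_name(requester):
    """'CORP\\jdoe' -> 'jdoe'; computer accounts keep their trailing '$'."""
    return requester.split("\\")[-1].strip().lower()


def claimed_identities(event):
    """Identities asserted by the issued certificate: the subject CN plus any
    UPN passed as a SAN request attribute (local part only)."""
    claimed = set()
    m = re.search(r"CN=([^,]+)", event.get("Subject", ""))
    if m:
        claimed.add(m.group(1).strip().lower())
    for upn in re.findall(r"upn=([^\s,]+)", event.get("Attributes", ""), re.I):
        claimed.add(upn.split("@")[0].lower())
    return claimed


def matches_requester(identity, requester_account):
    """Machine certs carry the host's DNS name, so compare the first label
    against the computer account name without its '$'."""
    if requester_account.endswith("$"):
        return identity.split(".")[0] == requester_account[:-1]
    return identity == requester_account


def find_identity_mismatches(text):
    """Return one finding per (request, identity) pair where the certificate
    names someone other than the account that requested it."""
    findings = []
    for ev in parse_events(text):
        requester = account_name(ev.get("Requester", ""))
        tmpl = re.search(r"CertificateTemplate:(\S+)", ev.get("Attributes", ""))
        for identity in sorted(claimed_identities(ev)):
            if not matches_requester(identity, requester):
                findings.append({
                    "request_id": ev.get("Request ID"),
                    "requester": requester,
                    "claimed": identity,
                    "template": tmpl.group(1) if tmpl else None,
                })
    return findings


if __name__ == "__main__":
    for f in find_identity_mismatches(SAMPLE_EVENTS):
        print(f"request {f['request_id']}: {f['requester']} obtained a certificate "
              f"for {f['claimed']} via template {f['template']}")
```

Run it against an export of the CA's Security log; a hit means an account was issued a certificate for a different identity, and the template named in the finding is the one to review first.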

It's also recommended to perform regular auditing with tools such as PSPKIAudit to detect vulnerable certificate templates.
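The checks that Certify and Certipy run in the section above, and that PSPKIAudit runs on the defensive side, can also be scripted directly against the template attributes. The following Python is an added example, not code from the original notes or from any of those tools. The template records are constructed; `enrollment_principals` stands in for the SIDs holding the Certificate-Enrollment right in the template's security descriptor, which a real audit would read from `nTSecurityDescriptor`, and the flag and EKU constants are those of the AD CS template schema. It reports the two most common findings: an authentication template whose enrollee supplies the subject (ESC1 in Certify/Certipy output) and a template with no EKU or the Any Purpose EKU (ESC2), in both cases only when broad groups can enrol and neither manager approval nor authorized signatures gate issuance.

```python
# Attribute names come from the template objects under CN=Certificate Templates,
# CN=Public Key Services,CN=Services,CN=Configuration,... in AD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag ("manager approval")

# EKU OIDs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
ANY_PURPOSE = "2.5.29.37.0"

# Principals that practically every account in the domain belongs to.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers

# Constructed template records (values invented for this example). LDAP returns
# the msPKI-* flags as signed 32-bit ints; Python's & handles negatives correctly.
SAMPLE_TEMPLATES = [
    {   # stock "User" template: subject is built from AD, not from the request
        "name": "User",
        "enrollment_principals": ["S-1-5-21-1111-2222-3333-513"],
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
    },
    {   # custom template letting Domain Users choose the subject of an auth cert
        "name": "VulnUserTemplate",
        "enrollment_principals": ["S-1-5-21-1111-2222-3333-513"],
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # same settings, but manager approval is required before issuance
        "name": "ApprovedSubjectTemplate",
        "enrollment_principals": ["S-1-5-11"],
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    {   # only Domain Admins (RID 512) can enrol, so broad enrollment is absent
        "name": "AdminWebServer",
        "enrollment_principals": ["S-1-5-21-1111-2222-3333-512"],
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
    },
    {   # no EKU at all: the certificate is valid for every purpose
        "name": "AnyPurposeTemplate",
        "enrollment_principals": ["S-1-1-0"],
        "msPKI-Certificate-Name-Flag": 0x0,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
    },
]


def is_low_priv(sid):
    """True for well-known broad groups or domain SIDs ending in a broad RID."""
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def usable_for_auth(ekus):
    # An empty EKU list means the certificate is valid for every purpose.
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def audit_template(t):
    """Return the list of weaknesses found in one template record."""
    if not any(is_low_priv(s) for s in t["enrollment_principals"]):
        return []  # restricting who can enrol is itself the control
    manager_approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    if manager_approval or t["msPKI-RA-Signature"] > 0:
        return []  # a human or a co-signer gates issuance
    issues = []
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    if supplies_subject and usable_for_auth(t["pKIExtendedKeyUsage"]):
        issues.append("ESC1: enrollee supplies the subject of an authentication certificate")
    if not t["pKIExtendedKeyUsage"] or ANY_PURPOSE in t["pKIExtendedKeyUsage"]:
        issues.append("ESC2: no EKU or Any Purpose EKU")
    return issues


def audit_templates(templates):
    """Map template name -> issues, listing only templates with findings."""
    return {t["name"]: audit_template(t) for t in templates if audit_template(t)}


if __name__ == "__main__":
    for name, issues in audit_templates(SAMPLE_TEMPLATES).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

To run this against a real forest, pull the template objects from the Configuration naming context and resolve the enrollment ACEs into SIDs before feeding them in; the fix for each finding is the control the script checks for (drop the enrollee-supplies-subject flag, tighten the EKU, restrict enrollment, or require manager approval).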

Resources:
