Secondary Categories: 02-Lateral Movement, 02-Credential Access, 02-Information Gathering
Finding Vulnerable Certificate Templates
Once in an AD environment, we can find vulnerable certificate templates, or use certificate templates as another method to authenticate to systems or request other information.
Depending on the current state, we can use either certipy or certify.
certify.exe find --vulnerable
#Return all templates
certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128
#Only display vulnerable templates
certipy find -u [email protected] -p Passw0rd -dc-ip 172.16.126.128 -vulnerable
Manually Requesting Certificate from AD CS
Mitigation
One of the easiest ways to assist in detecting exploitation of AD CS is to enable Certificate Authority logging. AD CS does not enable this logging by default, which in the case of an incident will prevent an organization from responding to it.
#Enable CA Logging
certutil.exe -setreg CA\AuditFilter 127
It's also recommended to perform regular auditing with tools such as PSPKIAudit to detect vulnerable certificate templates.
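The kind of check a template audit performs, as an added example (not code from this page, PSPKIAudit, Certify or Certipy). It covers only the commonly documented "requester supplies the subject" misconfiguration, which is narrower than what those tools report. It assumes template attributes were exported into dictionaries keyed by their LDAP attribute names plus a hypothetical `enrollment_rights` field listing principals with Enroll rights; all sample records are constructed.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {                            # EKU OIDs usable for domain authentication
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: principals treated as low-privileged in the audited domain.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def audit_template(t):
    """Return the reasons a template is risky, or [] if any control blocks the pattern."""
    ekus = t.get("pKIExtendedKeyUsage") or []
    broad = sorted(BROAD_PRINCIPALS & set(t.get("enrollment_rights", [])))
    checks = [
        (t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
         "requester supplies the subject name"),
        (not ekus or AUTH_EKUS & set(ekus),  # an empty EKU list means any purpose
         "certificate is valid for authentication"),
        (not t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS,
         "no CA manager approval"),
        (t.get("msPKI-RA-Signature", 0) == 0, "no authorized signature required"),
        (broad, "enrollable by " + ", ".join(broad)),
    ]
    # Only the combination is reported; one missing condition clears the template.
    return [reason for _, reason in checks] if all(ok for ok, _ in checks) else []

def record(name, name_flag, enroll_flag, ekus, rights, ra_sig=0):
    """Build one template record (hypothetical export format)."""
    return {"name": name, "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": ra_sig,
            "pKIExtendedKeyUsage": ekus, "enrollment_rights": rights}

TEMPLATES = [  # constructed sample records, not taken from a real CA
    record("WebServer-Internal", 0x1, 0x0, ["1.3.6.1.5.5.7.3.1"], ["Domain Computers"]),
    record("VPN-Users", 0x1, 0x0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    record("VPN-Users-Approved", 0x1, 0x2, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    record("Admin-SmartCard", 0x1, 0x0, ["1.3.6.1.4.1.311.20.2.2"], ["Domain Admins"]),
]

def audit(templates):
    """Map template name -> reasons, for flagged templates only."""
    return {t["name"]: r for t in templates if (r := audit_template(t))}

if __name__ == "__main__":
    for name, reasons in audit(TEMPLATES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Each cleared template in the sample shows one control that breaks the pattern: a non-authentication EKU, manager approval, or enrollment restricted to a privileged group.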