AD CS (Across Domain Trusts)
Active Directory Certificate Services (AD CS) is the Windows Server role that provides Public Key Infrastructure (PKI) for an Active Directory forest.
AD CS issues the certificates used to authenticate users and machines and to encrypt and sign documents, file systems (EFS), email and more.
"AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization."
CA - The certification authority that issues certificates. The server holding the AD CS role (a DC or a separate member server) is the CA. An Enterprise CA registers itself in the forest-wide Configuration partition, so it can issue certificates to principals from any domain in the forest.
Certificate - Issued to a user or machine and can be used for authentication, encryption, signing etc.
CSR - Certificate Signing Request made by a client to the CA to request a certificate.
Certificate Template - Defines settings for a certificate. Contains information like - enrollment permissions, EKUs, expiry etc.
EKU OIDs - Extended Key Usage Object Identifiers. Set on a certificate template, these dictate what certificates issued from it may be used for (Client Authentication, Smart Card Logon, Subordinate CA etc.).
Ways of Abusing ADCS:
Extract user and machine certificates
Use certificates to authenticate over Kerberos (PKINIT) and retrieve the account's NTLM hash
User and machine level persistence
Escalation to Domain Admin and Enterprise Admin
Domain persistence
Enumerating AD CS using Certify
We can use the Certify tool (https://github.com/GhostPack/Certify) to enumerate AD CS in the target forest (the same tool also performs the certificate requests used in the attacks):
Enumerate the CAs and templates:
Enumerate vulnerable templates:
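Certify's own commands for the two steps above are `Certify.exe cas` (CAs), `Certify.exe find` (all templates) and `Certify.exe find /vulnerable` (templates with an exploitable combination of settings). The script below is an added example, not code from the original page or from the Certify project: it reproduces that enumeration natively from a domain-joined host over LDAP, reading the Configuration partition where AD CS objects live, and flags the classic ESC1 combination (a low-privileged principal can enrol, the requester supplies the subject, the template carries an authentication EKU, and neither manager approval nor authorised signatures gate issuance). Assumptions: `$Server` is any DC of the forest to query (useful across a trust, where you point it at the other forest's DC); the list of "low-privileged" groups is a heuristic you should extend with your own findings; only the Configuration-partition view is checked, not the CA's own registry settings.

```powershell
# Added example: native AD CS enumeration mirroring "Certify.exe cas" /
# "Certify.exe find" / "Certify.exe find /vulnerable". Not Certify's code.
# Runs as an ordinary domain user; nothing here requires admin rights.
param(
    # Assumption: a DC (or the DNS domain name) of the forest to query.
    [string]$Server = $env:USERDNSDOMAIN
)

$configNC = [string](([ADSI]"LDAP://$Server/RootDSE").configurationNamingContext)
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# EKUs that let a certificate authenticate as its subject. A template with
# no EKU at all is also usable for any purpose, including authentication.
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
# Heuristic (assumption): groups that effectively mean "any domain account".
$lowPriv = 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers'

function Search-Ldap([string]$Base, [string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Server/$Base")
    $s.Filter = $Filter
    $s.PageSize = 500
    $s.FindAll()
}
function Get-Prop($Props, [string]$Name) {
    if ($Props.Contains($Name)) { $Props[$Name][0] } else { $null }
}
function Resolve-Sid([System.Security.Principal.IdentityReference]$Id) {
    try { $Id.Translate([System.Security.Principal.NTAccount]).Value } catch { $Id.Value }
}

# 1. Enterprise CAs and the templates each one publishes. A template that no
#    CA publishes cannot be requested, however weak its settings are.
$published = @{}
foreach ($ca in Search-Ldap "CN=Enrollment Services,$pkiBase" '(objectClass=pKIEnrollmentService)') {
    $caName = Get-Prop $ca.Properties 'cn'
    $caHost = Get-Prop $ca.Properties 'dnshostname'
    Write-Host "[CA] $caHost\$caName"
    foreach ($t in $ca.Properties['certificatetemplates']) { $published[$t] = "$caHost\$caName" }
}

# 2. Templates, with the ESC1-relevant settings decoded from their attributes.
foreach ($tpl in Search-Ldap "CN=Certificate Templates,$pkiBase" '(objectClass=pKICertificateTemplate)') {
    $p          = $tpl.Properties
    $name       = Get-Prop $p 'cn'
    $nameFlag   = [int](Get-Prop $p 'mspki-certificate-name-flag')
    $enrollFlag = [int](Get-Prop $p 'mspki-enrollment-flag')
    $raSigs     = [int](Get-Prop $p 'mspki-ra-signature')
    $ekus       = @($p['pkiextendedkeyusage'] | ForEach-Object { $_ })

    $suppliesSubject = ($nameFlag -band 0x1) -ne 0     # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $managerApproval = ($enrollFlag -band 0x2) -ne 0   # CT_FLAG_PEND_ALL_REQUESTS
    $authEku = [bool](($ekus.Count -eq 0) -or ($ekus | Where-Object { $authEkus -contains $_ }))

    # Who holds Enroll / AutoEnroll (extended rights) on the template object.
    $acl = $tpl.GetDirectoryEntry().ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $enrollers = $acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -in $enrollRight, $autoEnrollRight, [guid]::Empty)
    } | ForEach-Object { Resolve-Sid $_.IdentityReference } | Sort-Object -Unique
    $lowPrivEnroll = $enrollers | Where-Object { $lowPriv -contains $_.Split('\')[-1] }

    $flags = @()
    if ($suppliesSubject) { $flags += 'ENROLLEE_SUPPLIES_SUBJECT' }
    if ($managerApproval) { $flags += 'MANAGER_APPROVAL' }
    if ($raSigs -gt 0)    { $flags += "RA_SIGNATURES=$raSigs" }
    if ($authEku)         { $flags += 'AUTH_EKU' }
    $pub = if ($published.ContainsKey($name)) { $published[$name] } else { 'not published' }
    Write-Host "[Template] $name  ($pub)  $($flags -join ', ')"
    Write-Host "    Enroll: $($enrollers -join '; ')"

    # The ESC1 combination "find /vulnerable" reports: published template,
    # low-priv enrol, requester-supplied subject, auth EKU, no approval gate.
    if ($suppliesSubject -and $authEku -and -not $managerApproval -and $raSigs -eq 0 -and
        $lowPrivEnroll -and $published.ContainsKey($name)) {
        Write-Warning "ESC1 candidate: $name enrollable by $($lowPrivEnroll -join ', ')"
    }
}
```

Point `$Server` at a DC of the forest you are assessing; because AD CS objects live in the Configuration partition, one query against any DC shows every Enterprise CA and template in that forest, which is what makes the enumeration useful across domain trusts. Treat an ESC1 candidate as a lead, not a confirmed finding: the CA's own settings (for example, whether it honours requester-supplied SANs) and group membership still decide whether the request succeeds, which is exactly what a `Certify.exe request` against the template confirms.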