🛠️ Practical Bits
Do you run Active Directory Certificate Services (AD CS)?
When was the last time you checked it for vulnerabilities?
In security assessments this is evergreen: it's common to find at least one misconfigured certificate template that gives a low-privileged user a 🚨 straight path to Domain Admin (request a certificate as any principal you like, then authenticate with it).
➡️ Set aside one hour and scan your AD CS. It's one of the highest-impact "quick wins" you can do.
3 practical ways to check:
1️⃣ Manual review (slow, but educational)
Start with the templates that non-privileged groups (Domain Users, Authenticated Users, Domain Computers) can enrol in, then verify whether each one is actually dangerous. Watch for things like:
▪️ Enrollee supplies subject / configurable SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag)
▪️ An authentication EKU (Client Authentication, Smart Card Logon, PKINIT Client Authentication), Any Purpose, or an empty EKU list
▪️ No manager approval and no authorized signatures required: a template that supplies a SAN and an auth EKU but still needs approval is not a straight path
▪️ EDITF_ATTRIBUTESUBJECTALTNAME2 set on the CA itself (a CA flag, not a template setting: it lets any enrollee supply a SAN for any template the CA publishes)
There are now 10+ ESC cases (the original "Certified Pre-Owned" research listed ESC1 to ESC8 and the list has kept growing), so only do this if you're ready to go through each one.
2️⃣ PowerShell checks (no extra tooling, fast)
Use prepared PowerShell queries against the Configuration partition (templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services), or take inspiration from ADProbe (it checks ESC1, ESC2, ESC3, ESC4, ESC6, ESC8). Since it's "just PowerShell", you can lift the exact parts you need without running it whole.
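As an added example (not code from the original post, and not ADProbe's or Locksmith's code), here is a single PowerShell audit that turns the step-1 watch list into a step-2 style check: it pulls every template from the Configuration partition, tests the ESC1 preconditions (enrollee-supplied SAN, authentication-capable or empty EKU, no manager approval, no required signatures, enrollment rights for a broad group, and published on at least one CA), then asks the CA for the ESC6 flag. Assumptions: the ActiveDirectory RSAT module is installed, the account can read the Configuration partition and reach the CA over RPC, the CA config string in $CaConfig is a placeholder you replace, and the low-privilege principal list is a starting point rather than a complete one.

```powershell
# Added example, not from the original post. Audits ESC1 template conditions and the ESC6 CA flag.
# Assumes: ActiveDirectory RSAT module, read access to the Configuration NC, RPC access to the CA.
Import-Module ActiveDirectory

$ConfigNC      = (Get-ADRootDSE).configurationNamingContext
$TemplatesPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$CaPath        = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"

# Flag bits and OIDs as documented for AD CS templates (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester supplies the subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA certificate manager approval required
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
$EnrollRightGuid = '0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$AllRightsGuid   = '00000000-0000-0000-0000-000000000000'   # "all extended rights"
# Broad principals that should never hold Enroll on a SAN-supplying, auth-capable template.
# Starting point only (assumption): extend with your own wide groups.
$LowPrivPrincipals = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'

# Templates actually published on at least one CA; an unpublished template cannot be requested.
$Published = Get-ADObject -SearchBase $CaPath -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

$Props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

Get-ADObject -SearchBase $TemplatesPath -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties $Props |
ForEach-Object {
    $t = $_
    $ekus      = @($t.pKIExtendedKeyUsage)
    $supplySan = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $authEku   = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $AuthEkus }).Count -gt 0)
    $approval  = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $sigs      = [int]$t.'msPKI-RA-Signature'   # null -> 0 when the attribute is absent

    # Who can enrol: the Enroll extended right, all extended rights, or GenericAll on the template.
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             $_.ObjectType.ToString() -in @($EnrollRightGuid, $AllRightsGuid))
        )
    } | ForEach-Object { $_.IdentityReference.Value }

    # Strip the domain/authority prefix ("CORP\Domain Users" -> "Domain Users") before matching.
    $lowPriv = @($enrollers | Where-Object { ($_ -split '\\')[-1] -in $LowPrivPrincipals })

    [pscustomobject]@{
        Template        = $t.Name
        Published       = $t.Name -in $Published
        EnrolleeSAN     = $supplySan
        AuthEKU         = $authEku
        ManagerApproval = $approval
        SignaturesReqd  = $sigs
        LowPrivEnroll   = ($lowPriv -join ', ')
        # All ESC1 preconditions at once: this is the "straight path" template.
        ESC1            = ($t.Name -in $Published) -and $supplySan -and $authEku -and
                          (-not $approval) -and ($sigs -eq 0) -and ($lowPriv.Count -gt 0)
    }
} | Where-Object ESC1 | Format-Table -AutoSize

# ESC6: the CA-level flag that lets any enrollee supply a SAN regardless of template settings.
$CaConfig  = 'ca01.corp.example\CORP-CA'   # placeholder: "<CA host>\<CA common name>"
$editFlags = certutil -config $CaConfig -getreg policy\EditFlags 2>$null
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning "ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 is set on $CaConfig"
}
```

Anything the first part prints is a finding to verify by hand: a template that fails only one condition (say, it requires manager approval, or only Domain Admins hold Enroll) is not ESC1, but it can still be ESC2, ESC3 or ESC4 material, which this script does not check. The certutil call only works if the CA answers RPC from where you run it, and it reads the CA's EditFlags registry value rather than the template, which is why ESC6 is a separate step.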
3️⃣ Locksmith (quick confidence check)
If you want the "tell me what's wrong" option: Locksmith by Jake Hildreth can identify ESC1–ESC16, and it can also suggest fixes or apply them, depending on the mode you run it in. Review the proposed fixes before applying them in production: removing enrollment rights or an EKU from a template can break legitimate certificate issuance.
Whatever method you pick, pick one and run it. AD CS is too often the easiest escalation path sitting in plain sight.
