Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar by both the offensive and defensive realms. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence.
We will present the relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common certificate template misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority's private key in order to forge new user/machine "golden" certificates.
By bringing light to the security implications of AD CS, we hope to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system.
Lee Christensen is a technical architect at SpecterOps, where he helps research and develop offensive capabilities for use in penetration tests and red team engagements. He has an extensive background in offensive security, particularly enjoying research of Windows, Active Directory, and the components commonly found inside them. His research has resulted in several CVEs and new offensive tradecraft used throughout the industry. In addition, Lee has contributed to many open-source tools including GhostPack, BloodHound, SpoolSample, UnmanagedPowerShell, and KeeThief.
Will Schroeder is a technical architect at SpecterOps, and is an experienced operator/researcher with a focus on red teaming, Active Directory, and offensive development. He has spoken at a number of security conferences spanning from Black Hat to Troopers, and has helped develop a number of offensive projects including BloodHound, the Veil-Framework, PowerSploit, Empire, and GhostPack. He also shares the first CVE for breaking Active Directory Forest Trusts with Lee Christensen.
Karl is ServiceNow’s Director of Product Marketing, Security Operations and has over 15 years of experience in product positioning and marketing of enterprise security platforms, including SIEM, SOAR and endpoint technologies, most recently from Product Marketing roles at RSA and McAfee, where he was responsible for the positioning of their security operations and automation platforms. When not focusing on enterprise security, he can be found hiking and kayaking with his wife Rachel and their six children, yes six – it’s not a misprint!