Hackers Can Abuse Active Directory Certificate Services to Establish Persistence


Security researchers have documented a set of misconfigurations and abuse techniques in Microsoft’s Active Directory Certificate Services (AD CS) that let an attacker who already holds a foothold escalate privileges and establish long-term persistence in compromised networks.

The findings, detailed in the whitepaper “Certified Pre-Owned” by Will Schroeder and Lee Christensen of SpecterOps, show how AD CS misconfigurations can be exploited for credential theft, privilege escalation, and domain persistence.


AD CS, Microsoft’s implementation of Public Key Infrastructure (PKI) in Active Directory environments, is widely deployed but often overlooked from a security perspective.

Microsoft defines Active Directory Certificate Services (AD CS) as “the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”


“AD CS Enterprise CAs issue certificates with settings defined by certificate templates. These templates are collections of enrollment policies and predefined certificate settings and contain things like “How long is this certificate valid for?”, “What is the certificate used for?”, “How is the subject specified?”, “Who can request a certificate?”, and a myriad of other settings,” researchers added.

Certificate enrollment

The researchers identified several attack vectors that leverage AD CS components:

  1. Certificate Theft: Attackers can extract user and machine certificates, including their private keys, from compromised systems. This allows impersonation of users and machines for authentication purposes.
  2. Malicious Certificate Enrollments: Low-privileged users can potentially enroll in certificate templates that grant elevated privileges, leading to domain escalation.
  3. Certificate Template Misconfigurations: Certain template settings, such as allowing requesters to specify Subject Alternative Names (SANs), can be abused to request certificates for any user in the domain, including administrators.
  4. EDITF_ATTRIBUTESUBJECTALTNAME2 Flag: If this flag is set in a Certificate Authority’s (CA) EditFlags, the CA honours a SAN passed as a request attribute for every template it publishes, including templates whose subject is normally built from Active Directory. Any template that permits domain authentication and can be enrolled by low-privileged users then becomes a privilege-escalation path.
  5. CA Private Key Theft: Compromising a CA’s private key lets an attacker forge certificates for any principal in the domain. Forged certificates never pass through the CA, so they do not appear in its database and cannot be revoked through the normal CRL process; the only remediation is to retire the CA’s key and re-issue everything it signed.

The most severe scenario involves a misconfigured certificate template (the whitepaper’s ESC1). If a template lets low-privileged users enroll, does not require manager approval or an authorized signature, lets the requester supply the subject (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag), and carries an Extended Key Usage (EKU) that permits domain authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all), then any domain user can request a certificate with a Subject Alternative Name (SAN) naming a domain administrator and authenticate with it over Kerberos PKINIT or Schannel. This effectively grants the attacker domain admin privileges.
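The following is an added example of how those template conditions (and the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 case from the list above) can be checked mechanically. It is not code from the whitepaper or from the researchers’ Certify tool. The template records are constructed to mirror the LDAP attributes of pKICertificateTemplate objects; the flag bits and EKU OIDs are the documented AD CS values, while the sample template contents, SIDs and names are assumptions for illustration.

```python
"""ESC1 / ESC6 template audit (added illustration, not the whitepaper's or Certify's code).

The template records below are constructed to mirror the LDAP attributes of
pKICertificateTemplate objects. A real audit would read them from the
Configuration partition and the CA's EditFlags from its registry policy key.
"""

# Flag bits and OIDs as defined for AD CS templates and CA policy.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000     # CA EditFlags: honour SAN request attribute

# EKUs Windows accepts for domain authentication (Kerberos PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def permits_authentication(ekus):
    """An empty EKU list means 'any purpose', which also allows authentication."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def is_low_privileged(sid):
    """Everyone, Authenticated Users, Domain Users (RID 513) or Domain Computers (RID 515)."""
    return sid in {"S-1-1-0", "S-1-5-11"} or sid.endswith(("-513", "-515"))


def unmet_esc1_conditions(template):
    """Return the ESC1 preconditions this template does NOT satisfy (empty list == ESC1)."""
    unmet = []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        unmet.append("subject built from AD")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        unmet.append("manager approval required")
    if template.get("msPKI-RA-Signature", 0) > 0:
        unmet.append("authorized signature required")
    if not permits_authentication(template.get("pKIExtendedKeyUsage", [])):
        unmet.append("no authentication EKU")
    if not any(is_low_privileged(s) for s in template["enroll_sids"]):
        unmet.append("no low-privileged Enroll rights")
    return unmet


def audit(templates, ca_edit_flags):
    """Map template name -> 'ESC1' or 'ESC6' for every published template an attacker can abuse."""
    findings = {}
    ca_honours_san_attribute = bool(ca_edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2)
    for t in templates:
        if not t["published"]:
            continue  # not in the CA's certificateTemplates list, so it cannot be enrolled
        unmet = unmet_esc1_conditions(t)
        if not unmet:
            findings[t["name"]] = "ESC1"
        elif ca_honours_san_attribute and unmet == ["subject built from AD"]:
            # Only the subject rule protected this template; EDITF_ATTRIBUTESUBJECTALTNAME2
            # lets the requester bypass it with a SAN request attribute.
            findings[t["name"]] = "ESC6"
    return findings


# Constructed sample templates (assumed values, not real data). Enroll rights are
# listed as SIDs, as they would be read from the template's security descriptor.
TEMPLATES = [
    {   # resembles the default User template: the UPN SAN is taken from AD
        "name": "User", "published": True,
        "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
        "enroll_sids": ["S-1-5-21-1111-2222-3333-513"],
    },
    {   # custom template: requester supplies subject, no approval, client auth, Domain Users enroll
        "name": "VPNUsers", "published": True,
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-1111-2222-3333-513"],
    },
    {   # same template, but manager approval is required
        "name": "VPNUsersApproved", "published": True,
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-1111-2222-3333-513"],
    },
]

if __name__ == "__main__":
    print("hardened CA:", audit(TEMPLATES, 0))
    print("CA with EDITF_ATTRIBUTESUBJECTALTNAME2:", audit(TEMPLATES, EDITF_ATTRIBUTESUBJECTALTNAME2))
```

With a hardened CA only the VPNUsers template is flagged (ESC1). Once the CA’s EditFlags include EDITF_ATTRIBUTESUBJECTALTNAME2, the stock User template is flagged as well (ESC6), because the only thing that protected it was the CA building the subject from AD. The approval-gated template stays clean in both cases, which is why manager approval is an effective compensating control even when a template is otherwise permissive.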

Certify Tool

The researchers developed a tool, Certify, to enumerate AD CS misconfigurations and request certificates that abuse them. A companion tool, ForgeCert, creates forged certificates for arbitrary principals from a stolen CA certificate and private key.

To mitigate these risks, organizations should:

  1. Treat CA servers as Tier 0 assets, applying the same security measures as domain controllers.
  2. Audit and harden certificate template settings, especially those related to SAN specification and enrollment permissions.
  3. Disable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on CAs (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, followed by a restart of the CA service).
  4. Implement strict user mappings for certificate authentication.
  5. Protect CA private keys using hardware security modules (HSMs).
  6. Monitor certificate enrollments (Security Event IDs 4886 and 4887 on the CA), certificate-based authentications, and template modifications (Event IDs 4898, 4899 and 4900).
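As an added example of the monitoring in the last item, the following is a small detector that is not part of the whitepaper or of any tool it describes. The records are constructed to resemble the Requester and Attributes fields of Windows Security Event ID 4887 (“Certificate Services approved a certificate request and issued a certificate”); the account names, request IDs and domain are assumptions for illustration.

```python
"""Flag suspicious certificate issuances from CA audit events (added illustration).

Records are constructed to resemble the Requester / Attributes fields of
Security Event ID 4887. A real detector would pull them from the CA's
Security log or a SIEM; the values here are assumed sample data.
"""


def parse_attributes(raw):
    """Turn the newline-separated 'Attributes' field into {key: [values]}.

    A SAN passed as a request attribute looks like
    'SAN:upn=x@corp.local&dns=host.corp.local' and is only honoured by the CA
    when EDITF_ATTRIBUTESUBJECTALTNAME2 is set.
    """
    parsed = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        parsed.setdefault(key, []).extend(v.strip() for v in value.split("&") if v.strip())
    return parsed


def classify(event):
    """Return (severity, message) for one issued-certificate event, or None if it looks normal."""
    sans = parse_attributes(event["Attributes"]).get("san", [])
    if not sans:
        return None  # no SAN request attribute: any SAN came from the template or the CSR
    requester = event["Requester"].rsplit("\\", 1)[-1].lower()
    for san in sans:
        kind, _, value = san.partition("=")
        # A UPN/email SAN naming someone other than the requester is the ESC6 signature.
        if kind.strip().lower() in ("upn", "email") and value.split("@")[0].lower() != requester:
            return ("HIGH", f"request {event['RequestId']}: {event['Requester']} was issued a certificate for {value}")
    # Any SAN request attribute deserves a look: it has no legitimate use on a hardened CA.
    return ("MEDIUM", f"request {event['RequestId']}: SAN supplied as request attribute ({', '.join(sans)})")


def analyze(events):
    """Run classify over a batch of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]


# Constructed sample events (assumed values, not real log data).
EVENTS = [
    {"RequestId": 1001, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
    {"RequestId": 1002, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User\nSAN:upn=administrator@corp.local"},
    {"RequestId": 1003, "Requester": "CORP\\WEB01$",
     "Attributes": "CertificateTemplate:WebServer\nSAN:dns=www.corp.local"},
]

if __name__ == "__main__":
    for severity, message in analyze(EVENTS):
        print(severity, message)
```

The second event, a regular user obtaining a certificate whose SAN names the administrator, is the pattern to page on. One caveat: an ESC1 request carries its SAN inside the CSR rather than as a request attribute, so it will not show up in the Attributes field. The same requester-versus-SAN comparison therefore also needs to be run against the issued certificates in the CA database (for example, exported with certutil -view), not only against the event stream.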

The researchers emphasize that while AD CS is not inherently insecure, its complexity and often misunderstood nature make it prone to misconfigurations. Many of these vulnerabilities stem from a lack of awareness about the security implications of various AD CS settings.

As organizations increasingly rely on PKI for authentication and encryption, it’s crucial to understand and properly secure AD CS deployments. Failure to do so could leave networks vulnerable to sophisticated persistence techniques that are difficult to detect and remediate.
