[...] mspki-certificate-name-flag flag for a template that allows for domain authentication) this results in the same domain compromise scenario [...]" (specterops.io) as the one based on misconfigured certificate templates where low-privileged users can specify an arbitrary SAN (subjectAltName) and authenticate as anyone else.

[...] the ManageCA right and the ManageCertificates right, which translate to the “CA administrator” and “Certificate Manager” (sometimes known as a CA officer, or "Officer rights" (specterops.io)) respectively.

[...] the EDITF_ATTRIBUTESUBJECTALTNAME2 bit to allow SAN specification in any template (cf. CA misconfiguration).

[...] CN=Public Key Services,CN=Services,CN=Configuration,DC=DOMAIN,DC=LOCAL (e.g., the Certificate Templates container, the Certification Authorities container, the NTAuthCertificates object, the Enrollment Services container, etc.). If a low-privileged attacker can gain control over any of these, the attack can likely compromise the PKI system.

[...] Certificate-Enrollment rights over the enrollment services (i.e. the CA) and over the certificate template (source).

[...] Certificate-Enrollment rights to a "controlled AD object" over a specific template. In order to achieve this, the attacker needs to have enough rights (i.e. WriteDacl) over the certificate template.

- PEND_ALL_REQUESTS flag in mspki-enrollment-flag, for disabling Manager Approval
- mspki-ra-signature attribute set to 0, to disable the Authorized Signature requirement
- ENROLLEE_SUPPLIES_SUBJECT flag in mspki-certificate-name-flag, to allow requesting users to specify another privileged account name as a SAN
- mspki-certificate-application-policy set to a certificate purpose for authentication: Client Authentication (1.3.6.1.5.5.7.3.2), Smart Card Logon (1.3.6.1.4.1.311.20.2.2), PKINIT Client Authentication (1.3.6.1.5.2.3.4), or Any Purpose (2.5.29.37.0)
The -scheme flag can be used to set whether to use LDAP or LDAPS.

[...] EDITF_ATTRIBUTESUBJECTALTNAME2 attribute, restart the CertSvc service, and abuse ESC6 (CA configuration abuse).

[...] CertSvc service to enable the EDITF_ATTRIBUTESUBJECTALTNAME2 attribute, the built-in template SubCA can be useful.

[...] CERTSRV_E_TEMPLATE_DENIED error and will obtain a request ID with a corresponding private key.