Theory

AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous. (specterops.io)

In their research papers, Will Schroeder and Lee Christensen shared their research on AD CS and identified multiple theft, escalation and persistence vectors.

• Credential theft (dubbed THEFT1 to THEFT5)

• Account persistence (dubbed PERSIST1 to PERSIST3)

• Domain escalation (dubbed ESC1 to ESC8)

  • based on misconfigured certificate templates

  • based on dangerous CA configuration

  • related to access control vulnerabilities

  • based on an NTLM relay vulnerability related to the web endpoints of AD CS

• Domain persistence (dubbed DPERSIST1 to DPERSIST3)

  • by forging certificates with a stolen CA certificates

  • by trusting rogue CA certificates

  • by maliciously creating vulnerable access controls