BeyondTrust - Secure Remote Access and Privileged Access Management

In part one of this blog series, we introduced Active Directory Certificate Services (AD CS) and how misconfigurations in certificate templates can allow an attacker to authenticate as any user in the domain, including domain admins. These common, yet often unseen, privilege escalation paths pose a significant threat with severe consequences for organizations—including the potential for full domain compromise—making them a prime target for threat actors.

In this blog, we will explore ESC4, the second escalation path in our AD CS Attack Series. ESC4 presents attackers with an additional privilege escalation pathway in AD CS by exploiting weak Access Control Entries in a certificate template. This builds on the introduction to AD CS and ESC1 misconfigurations covered in part one of this series, so make sure you start there.

Domain Escalation - ESC4

Requirements

To escalate via the ESC4 path, an attacker requires any of the rights or Access Control Entries (ACEs) specified in the table below to be included in the misconfigured certificate template. These allow an attacker to edit a certificate template and introduce the ESC1 misconfigurations previously shown.

Rights

Description

Owner

Implicit full control of object, all properties can be edited

WriteOwner

Can modify the owner to an attacker-controlled principal

WriteDacl

Can modify rights to grant attacker FullControl rights

WriteProperty

Can edit all properties

FullControl

Full control of object, all properties can be edited

Exploiting ESC4 - Domain Escalation

To exploit ESC4, we need to have one of the rights to a certificate template object from the table above. Again, using the Certipy tool in our scenario, we will perform the 'find' command to identify any vulnerable ESC4 templates.

Finding Vulnerable ESC4 Templates
Our researcher uses Certipy to show how threat actors ‘find’ vulnerable ESC4 templates.

Viewing the 'TestVulnerableCertifcate2' certificate template, we can see that it is vulnerable to ESC4, as shown in the screenshot below. The 'Write Property Principals' indicates that any user in the 'Domain Users' group meets one of the conditions in the section above, opening it up to exploitation by any valid Domain User.

ESC4 vulnerable domain users 1
Certipy reveals a list of ESC4-vulnerable domain users.

Leveraging the 'WriteProperty' right we have as a Domain User in the lab, we go ahead and exploit the rights we have on the misconfigured template by editing the template with the 'template' module from Certipy in order to make this template vulnerable to ESC1 attacks.

Editing a misconfigured template
This screenshot shows a misconfigured template being edited to make it vulnerable to ESC1.

We can see below, when running the recon command from Certipy, that the 'TestVulnerableCertificate2' template is now vulnerable to ESC1.

Exploit ESC1
Exploitation of ESC1

Now we go ahead and exploit ESC1 the same way we did in the previous section. We perform a request to the Certificate Authority and have the CA issue us a certificate to authenticate as the user we provide in the 'subjectAltName'. In the example below, we provided any compromised or created user to authenticate to the domain controller—the same way we did in our previous section.

Compromised user being added during authentication
The highlighted text shows the compromised user being added during authentication.

Similar to the example shown in our previous blog on ESC1 abuse, we were able to obtain a certificate from the request above. We now use the PFX certificate to authenticate via LDAP into our lab environment, as seen in our screenshot below.

Use the PFX certificate to authenticate via LDAP
Using the PFX certificate to authenticate via LDAP

Summary of ESC4

The ESC4 attack demonstrated above shows how a certificate template with a weak access control can lead to domain escalation by allowing users to edit the template and introduce malicious misconfigurations, such as ESC1. This allows an attacker the ability to pivot into other higher-privileged accounts for domain escalation, lateral movement, and persistence.

Detecting ESC4 Abuse

In part one, we discussed how to set up the relevant log sources that can be used to detect AD CS misconfigurations. While various log sources can be used to detect the ESC4 domain escalation path, we will mainly focus on Event ID 4899.

Event ID 4899 is triggered when an attribute is updated on a certificate template. However, there are two caveats behind this Event ID. To trigger it:

  • An attacker must also enroll/request the certificate of the modified template.

  • The account making the modification is not logged.

To enrich this event, we can monitor for Event ID 4899 followed by Event ID 4887. Event ID 4887 allows us to identify the requester, and if the attacker downgraded the template to ESC1, we can also identify the SAN related to the attack.

Below, we can see an example of Event ID 4899, where attributes were modified to make the template vulnerable to the ESC1 escalation path:

Example of template vulnerable to the ESC1 escalation path
Example of template vulnerable to the ESC1 escalation path

Mitigating ESC4 Abuse

Remove Over-Permissive Template Rights

Like in ESC1, we can use the same tools to identify vulnerable templates. We can also use the ADSI Edit tool on the Domain Controller to verify if the 'Domain Users' group has ‘Write’ permissions to the 'VulnerableTemplate4' template:

Identify vulnerable templates and verify permissions
Identifying vulnerable templates and verifying permissions

If we want to mitigate the ESC4 escalation path, we remove the 'Write' privileges, which prevent Domain Users from being able to edit properties of the template:

Remove Write Privileges
Removing write privileges

Below, we verify with Certipy that 'Write' permissions have been removed from the template, which now mitigates the ESC4 escalation path:

Verify and mitigate the ESC4 escalation path
Verifying and mitigating the ESC4 escalation path

Detecting ESC4 Attacks and protecting Identities and Identity Infrastructure with Identity Security Insights® from BeyondTrust

Built to uncover identity vulnerabilities and hidden Paths to Privilege™, BeyondTrust Identity Security Insights® builds on a history of Privileged Access Management (PAM) leadership with advanced security research to enable you to enhance your identity security posture and fortify your defenses against active identity threats.

The BeyondTrust research and detection engineering teams are continuously evolving Identity Security Insights’ capabilities in response to new threat techniques by dissecting various AD CS escalation paths and providing out-of-the-box detections and recommendations to mitigate these escalation paths.

To highlight how this works, we have included a demo of how Identity Security Insights provides detections and recommendations for ESC4 attacks:

Wistia video thumbnail

This video highlights just a small part of the visibility, detections, and recommendations that Identity Security Insights offers its customers to help them defend against AD CS threats.

If you are interested in gaining holistic visibility and actionable insights into the identities, accounts, and privileges across your environment, visit beyondtrust.com/insights, or start our complimentary identity security assessment, including 30 days of threat monitoring.

The AD CS Threat Series

Don’t miss the first installment of the AD CS attack series to improve your Active Directory security and beyond. By reading the full series, you’ll learn how to defend all the privilege pathways within your domains and how to detect their active exploitation.