H3-2022-0019

Active Directory Certificate Services - Template May Be Requested by Enrollment Agent Signature

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. A misconfigured ADCS Certificate Template has an EKU allowing Domain Authentication, and may be requested by an Enrollment Agent. In order to be abused by an attacker, a vulnerable Enrollment Agent template must also be present in the environment. See 'Certified Pre-Owned: Misconfigured Enrollment Agent Templates -ESC3' for additional details.

Impact

If attackers have access to an Enrollment Agent Certificate, they can utilize it to sign a certificate request for this vulnerable template 'on behalf of' a Domain Administrator - leading to Domain Privilege Escalation.

References

• Certified Pre-Owned: Abusing Active Directory Certificate Services
• SpectreOps - Certified Pre-Owned
• MITRE ATT&CK Technique: T1649: Steal or Forge Authentication Certificates