ADCS

Active Directory Certificate Services (ADCS) | PKI | Certificate Authority (CA)

---

Active Directory Certificate Services (AD CS) is a Windows server feature that helps organizations create and manage their own Public Key Infrastructure (PKI). Where Public Key Infrastructure (PKI) is a system that uses digital certificates and public key cryptography to secure communication over unsafe networks, like the Internet.

A certificate is a digitally signed document in X.509 format that can be used for encryption, message signing, or authentication. Certificates contain key information, such as:

• Subject: The identity of the certificate owner.
• Public Key: Links the subject to their private key.
• Validity Dates: Shows when the certificate starts and ends being valid.
• Serial Number: A unique ID given by the issuing authority.
• Issuer: The entity that issued the certificate (usually a Certificate Authority or CA).
• Subject Alternative Name: Other names associated with the subject.
• Basic Constraints: Defines if the certificate is for a CA or end-user, and its allowed uses.
• Extended Key Usages (EKUs): Describes specific uses for the certificate, like code signing, securing emails, or smart card logins.
• Signature Algorithm and Signature: Shows the algorithm and signature used by the issuer to sign the certificate.

Certificate Authorities (CAs) are trusted entities that issue certificates. Certificate templates are used to define certificate settings, such as usage policies, validity periods, subject details, and who can request them. Certificates can extend Kerberos authentication using PKINIT (Public Key Cryptography for Initial Authentication).

Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a system that uses digital certificates and public key cryptography. This is done to provide secure communication over unsecured network like the internet. PKI enables signatures, ecnryption and authentication of documents, email.

A certificate is a document that binds a public key to a person, organization, device or service. It is issued and signed by a trusted Certificate Authority (CA). The CS verifies identity of certificate holder and integrity of public key.

The certificate includes:

• Public key
• Name of subject
• Name of issuer
• Validity period

What is ADCS?

Active Directory Certificate Services (AD CS) is a Windows server role that enables organizations to establish and manage their own Public Key Infrastructure (PKI). It is used to secure network services like SSL/TLS, VPN, Remote Desktop Services, WLAN.

Active Directory Certificate Services includes:

• Digital certificates
• Certificate Authority
• Certificate Templates
• Key Pair generation
• Certificate Revocation
• Secure communication
• Digital Signatures
• Encryption and Decryption
• Enhanced Security and Identity Managemen

Certificates

A certificate is an X.509-formatted digitally signed document serves purposes like encryption, message signing, and authentication. It consists of multiple key fields:

• Subject: Certificate owner's identity.
• Public key: Links subjects to a private key.
• Issuer: Identifies the certifcate issuer
• SubjectAlternativeName: Alternative names associated with subject.
• Basic Constraints: Defines if certificate is a CA or entity.
• Extende Key Usages (EKUs): Object identifiers describing usage over code signing, ecrypting file sytems, secuer email, client and server authentication.

Certificate Authorities

Certificate Authorities (CAs) serve as pivotal entities responsible for the issuance of certificates, which play a crucial role in validating digital identities, enabling secure communications, and establishing trust within networks.

Container/AD Object	Description	Purpose
Certification Authorities	Defines root CA certificates that establish the trust foundation in AD CS environments.	Trusted Root Certification Authorities store on Windows machines, enabling certificate trust verification.
Enrollment Services	Hosts Enterprise CA objects enabled in AD CS, managing attributes like certificate templates and DNS hostnames.	Supports client certificate requests and deployment to Intermediate Certification Authorities store.
NTAuthCertificates	Defines CA certificates required for authentication to Active Directory.	Ensures client certificates used for AD authentication are signed by trusted CAs.
AIA (Authority Information Access)	Contains intermediate and cross-CA objects for validating certificate chains.	Aids in certificate chain validation, with intermediate CAs in the Intermediate Certification Authorities store.

Certificate Templates

AD CS Enterprise CAs use certificate templates. Template are managed through the Certificate Template feature and are stored as AD object as objectClass pKICertificateTemplate. Settings are defined through attributes security descriptors enroll permisions and template edits.

The pKIExtendedKeyUsage attribute in an Active Directory (AD) certificate template defines which specific Extended Key Usage (EKU) functionalities are allowed for certificates issued using that template.

EKUs are represented by unique identifiers called Object Identifiers (OIDs), and they determine what the certificate can be used for, such as client authentication, code signing, or smart card logon. SpecterOps research focused on EKUs that enable authentication to AD when present in a certificate.

Enrollment Process

Find an Enterprise CA

Client finds an Enterprise CA. Based on objects in enrollment services container.

1. Generate a public-private key pair and create a CSR
   Client generates a public-private key par, CSR message or certificate signing request.

2. Sign the CSR with private key and send to Enterprise CA server
   Clients signs CRS with private key and sends it to CA server.

3. CA check if the client is authorized to request certificates
   CA server check if client is authorized to request certificates. CA check if certificate template AD objects permissions allow it to obtain a certificate.

4. CA generate the certificate, sign it and if allowed, send it to the client
   CA generates a certificate with settings defined by the certificate template like the EKUs.

5. The Client Receive the certificate:
   Client stores certifcate in Windows Certificate store to use EKU.

ADCS Enumeration

When Active Directory Certificate Services (AD CS) is present and doing a security check find out what server is running the ADCS, which can be the DC but usually its own server.

Enumeration From Windows

On factor indicating ADCS is present is the built-in Cert Publishers group which authorizes Certificate Authorities to publish certificates to the directory indicating a ADCS server.

# Query Cert Publishers group
net localgroup "Cert Publishers"

Certify can be used to find and exploit ADCS misconfigurations, find binaries here https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_x64/Certify.exe

Enumerate ESC9 from Windows

.\Certify.exe find

Enumeration from Linux

netexec ldap 10.129.205.199 -u "blwasp" -p "Password123!" -M adcs

Or with Certipy

certipy find -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.205.199 -stdout

Certificate Mapping

Certificate mapping is relevant for ESC6, ESC9 and ESC10 attacks. Certificate mapping connects a certificate to the specific user or machine it belongs to. This ensures that when a certificate is used, it can only be associated with its rightful owner in Active Directory.

Types of Certificate Mapping

• Explicit mapping: The account's altSecurityIdentities attribute contains the certificate’s identifier and certificate must match this value and be issued by a trusted CA.
• Implicit mapping: Information in the certificate's Subject Alternative Name (SAN) field is used to map it to the account, such as: UPN or DNS.

Kerberos Certificate Mapping

When certificates are used for Kerberos authentication, the StrongCertificateBindingEnforcement registry key determines how the mapping is handled:

• Disabled mode: If certificat contains a UPN, kerberos tries to match with UPN, else sAMAccountName.
• Compatibility mode: Default, explicit mapping exists (altSecurityIdentities), authentication is allowed.
• Full Enforcement mode: Strong mapping is required (either explicit mapping or validation of the security extension). If neither is present, authentication fails.