Attack Overview
- Find vulnerable certificate templates.
- Use a vulnerable template to generate a certificate for a target user.
- Authenticate using the certificate.
Enumerate vulnerable templates using Certify:
Requirements for a template to be usable in this attack (these are the conditions Certify's `find /vulnerable` looks for):
- `msPKI-Certificate-Name-Flag` contains `ENROLLEE_SUPPLIES_SUBJECT`, which lets the requester supply the Subject Alternative Name in the request, i.e. obtain a certificate issued for any principal (such as a domain admin) rather than for themselves.
- `pkiextendedkeyusage` contains `Client Authentication` (an EKU such as `PKINIT Client Authentication`, `Smart Card Logon` or `Any Purpose`, or no EKU at all, also works), which means certificates issued from this template can be used to authenticate to the domain.
- `Enrollment Rights` contains a principal that the attacker controls.
- Issuance must not require manager approval or authorized signatures; otherwise the request is held pending instead of being issued immediately.
- Alternatively, a template can be modified to meet the above requirements if the attacker has `WriteOwner`, `WriteDacl` or `WriteProperty` permission on the template object.
To generate a certificate, run `Certify.exe request` with `/ca:<CA host FQDN>\<CA name>` for the CA that serves the template, `/template:` with the template name, and `/altname:` with the user the certificate should authenticate as. All of this information is available in the `find` output.
Save the generated private key and certificate (the `-----BEGIN RSA PRIVATE KEY-----` through `-----END CERTIFICATE-----` block) into a `cert.pem` file. The Certify command above also prints an `openssl` command that converts `cert.pem` to a `cert.pfx` usable for authentication (run it on a Linux host, and note the export password it prompts for, since Rubeus needs it as `/password:`). Base64-encode the pfx file contents for Rubeus, or pass the file path directly.
To obtain a TGT with the base64-encoded certificate: