Active Directory Certificate Services provide PKI functionalities within Active Directory.
Attack with Certify
- Enumerate certificate authorities (CAs):
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe cas
- prints additional info such as certificate templates
- Enumerate vulnerable certificate templates:
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable
AD CS also serves certificate enrollment over HTTP. If NTLM authenticate is enabled, this HTTP endpoint would be vulnerable to NTLM relay attack.
Certificates may also be used for persistence.