Hacktricks-skills ad-cs-hardening
Active Directory Certificate Services (AD CS) security assessment and hardening. Use this skill whenever the user mentions AD certificates, certificate authorities, PKI, ESC vulnerabilities, certificate enumeration, or needs to assess/harden AD CS infrastructure. Make sure to use this skill for any AD CS security work, vulnerability assessments, or certificate-related hardening tasks.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/windows-hardening/active-directory-methodology/ad-certificates/SKILL.MD

AD Certificate Services Hardening
A comprehensive guide for assessing and hardening Active Directory Certificate Services (AD CS) environments.
Quick Start
```bash
# Enumerate CAs and templates
certipy find -vulnerable -dc-only -u user@domain.local -p password -target dc.domain.local

# Check for vulnerable templates with Certify
Certify.exe find /vulnerable

# List all certificate templates
certutil -v -dstemplate
```
Certificate Fundamentals
Key Components
| Component | Purpose |
|---|---|
| Subject | Certificate owner identity |
| Public Key | Paired with private key for authentication |
| Validity Period | NotBefore/NotAfter dates define effective duration |
| Serial Number | Unique identifier from CA |
| Issuer | Certificate Authority that issued the certificate |
| SAN | Subject Alternative Names for multiple identities |
| Basic Constraints | CA vs end-entity designation |
| EKU | Extended Key Usages define specific purposes |
| Signature | Issuer's private key signature for authenticity |
Critical Security Considerations
Subject Alternative Names (SANs) are crucial for servers with multiple domains. Secure issuance processes are vital to prevent attackers from manipulating SAN specifications for impersonation.
Template Version Matters:
- v1 templates (e.g., default WebServer) lack modern enforcement controls
- ESC15/EKUwu vulnerability: On v1 templates, requesters can embed Application Policies/EKUs in CSRs that override template EKUs
- Recommendation: Use v2/v3 templates, remove or supersede v1 defaults, tightly scope EKUs
AD CS Architecture
Certificate Authority Containers
```
CN=Certification Authorities   # Trusted root CA certificates
CN=Enrollment Services         # Enterprise CAs and templates
CN=NTAuthCertificates          # CA certificates trusted for AD authentication
CN=AIA                         # Authority Information Access: certificates used for chain validation
```
NTAuthCertificates Location
```
CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
```
Enumeration & Assessment
Tools Overview
| Tool | Purpose | Key Commands |
|---|---|---|
| Certify | Enumeration & vulnerability assessment | `Certify.exe cas`, `Certify.exe find /vulnerable` |
| Certipy | Modern enumeration (v4+) | `certipy find`, `certipy req` |
| certutil | Built-in Windows tool | `certutil -TCAInfo`, `certutil -v -dstemplate` |
Enumeration Commands
```bash
# Enumerate trusted root CAs and Enterprise CAs
Certify.exe cas

# Identify vulnerable certificate templates
Certify.exe find /vulnerable

# Certipy enumeration (v4+)
certipy find -vulnerable -dc-only -u john@corp.local -p Passw0rd -target dc.corp.local

# Request certificate via web enrollment
certipy req -web -target ca.corp.local -template WebServer -upn john@corp.local -dns www.corp.local

# Native Windows enumeration
certutil.exe -TCAInfo
certutil -v -dstemplate
```
Certificate Request Methods
- MS-WCCE - Windows Client Certificate Enrollment Protocol (DCOM)
- MS-ICPR - ICertPassage Remote Protocol (named pipes/TCP)
- Web Enrollment - Certificate Authority Web Enrollment role
- CES/CEP - Certificate Enrollment Service
- NDES - Network Device Enrollment Service (SCEP)
- GUI - certmgr.msc or certlm.msc
- CLI - certreq.exe or PowerShell Get-Certificate
ESC Vulnerabilities (Enterprise Security Certificates)
Critical Vulnerabilities Timeline
| Year | ID | Name | Impact | Patch Date |
|---|---|---|---|---|
| 2022 | CVE-2022-26923 | Certifried / ESC6 | Privilege escalation via PKINIT spoofing | May 10, 2022 |
| 2023 | CVE-2023-35350/35351 | Web Enrollment RCE | Remote code execution in certsrv/CES | July 2023 |
| 2024 | CVE-2024-49019 | EKUwu / ESC15 | v1 template EKU override | Nov 12, 2024 |
ESC Vulnerability Categories
| ESC | Description | Mitigation |
|---|---|---|
| ESC1 | Enrollment Agent abuse | Restrict Enrollment Agent templates |
| ESC2 | Any Purpose / No EKU | Remove from templates |
| ESC3 | PKINIT abuse | Strong certificate binding |
| ESC4 | ESC1 + ESC2 combo | Address both |
| ESC5 | ESC1 + ESC3 combo | Address both |
| ESC6 | Machine account spoofing | Patch KB5014754 |
| ESC7 | ESC1 + ESC6 combo | Address both |
| ESC8 | DC certificate issuance | Restrict DC template enrollment |
| ESC11 | RPC relay | Enforce encryption |
| ESC15 | v1 template EKU override | Use v2/v3 templates |
Hardening Recommendations
Immediate Actions
- Patch all systems
  - Apply May 2022 or later security updates
  - Install KB5014754 for strong certificate binding
- Template hardening
  - Disable the "Supply in the request" option
  - Remove Any Purpose / No EKU from templates
  - Require manager approval for sensitive templates
- Enrollment controls
  - Restrict web enrollment (certsrv) to trusted networks
  - Require HTTPS + Extended Protection
  - Disable NTLM where possible
- RPC enrollment encryption
  ```
  certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
  ```
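The template-hardening checks listed above (the "Supply in the request" option, Any Purpose / No EKU, manager approval for sensitive templates) and the ESC15 v1-template point from the ESC table, turned into an audit routine. This is an added example, not code from the original page or from the hacktricks-skills scripts. The attribute names and bit values mirror the AD certificate-template schema (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-Template-Schema-Version`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`); the five sample templates are constructed dicts shaped like an LDAP export, not data from a real domain.

```python
from __future__ import annotations

# Attribute bit values from the certificate-template schema (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: manager approval

# EKU OIDs relevant to the checks below.
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {OID_ANY_PURPOSE, OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH}


def audit_template(tpl: dict) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for one template dict whose keys
    mirror the AD attribute names."""
    findings: list[tuple[str, str]] = []
    schema = int(tpl.get("msPKI-Template-Schema-Version", 1))
    name_flag = int(tpl.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = int(tpl.get("msPKI-Enrollment-Flag", 0))
    ra_signatures = int(tpl.get("msPKI-RA-Signature", 0))
    ekus = set(tpl.get("pKIExtendedKeyUsage", []))

    manager_approval = bool(enroll_flag & CT_FLAG_PEND_ALL_REQUESTS)
    supply_in_request = bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    # On a v1 template the requester can override the EKU list (ESC15), so it is
    # treated as authentication-capable regardless of what it declares.
    auth_capable = bool(ekus & AUTH_EKUS) or not ekus or schema == 1

    if schema == 1:
        findings.append(("V1_SCHEMA",
                         "v1 template: CSR Application Policies override template EKUs (ESC15); move to v2/v3 or supersede"))
    if supply_in_request and auth_capable and not manager_approval and ra_signatures == 0:
        findings.append(("SUPPLY_IN_REQUEST",
                         "'Supply in the request' on an authentication-capable template with no manager approval or RA signature"))
    if not ekus or OID_ANY_PURPOSE in ekus:
        findings.append(("ANY_PURPOSE_OR_NO_EKU",
                         "Any Purpose or empty EKU list: issued certificates are usable for authentication"))
    if OID_CERT_REQUEST_AGENT in ekus and not manager_approval:
        findings.append(("ENROLLMENT_AGENT_NO_APPROVAL",
                         "Enrollment Agent EKU issuable without manager approval"))
    return findings


def audit_templates(templates: list[dict]) -> dict[str, list[str]]:
    """Map template name -> list of finding codes."""
    return {t["cn"]: [code for code, _ in audit_template(t)] for t in templates}


# Constructed sample templates (shaped like an LDAP export, not from a real domain).
SAMPLE_TEMPLATES = [
    {"cn": "WebServer", "msPKI-Template-Schema-Version": 1,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [OID_SERVER_AUTH]},
    {"cn": "HelpdeskUser", "msPKI-Template-Schema-Version": 2,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "pKIExtendedKeyUsage": [OID_CLIENT_AUTH]},
    {"cn": "HelpdeskUserHardened", "msPKI-Template-Schema-Version": 2,
     "msPKI-Certificate-Name-Flag": 0,  # subject built from AD, not the request
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
     "pKIExtendedKeyUsage": [OID_CLIENT_AUTH]},
    {"cn": "LegacyAnyPurpose", "msPKI-Template-Schema-Version": 2,
     "pKIExtendedKeyUsage": [OID_ANY_PURPOSE]},
    {"cn": "EnrollmentAgent", "msPKI-Template-Schema-Version": 2,
     "pKIExtendedKeyUsage": [OID_CERT_REQUEST_AGENT]},
]

if __name__ == "__main__":
    for name, codes in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name:24} {', '.join(codes) or 'OK'}")
```

The hardened helpdesk template passes because the subject is built from AD and manager approval is required; the v1 WebServer template is flagged twice, once for the schema version and once because the requester-supplied subject combines with the EKU override. Feed the function real template objects (for example from an LDAP search of the Certificate Templates container) to apply the same logic to a live forest.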
Microsoft Strong Certificate Binding (KB5014754)
Microsoft's three-phase rollout:
- Compatibility - Legacy behavior maintained
- Audit - Event ID 39/41 logged for weak mappings
- Enforcement - Full enforcement (automatic on Feb 11, 2025)

Action items:
- Patch all DCs & AD CS servers
- Monitor Event ID 39/41 during the Audit phase
- Re-issue client-auth certificates with the SID extension
- Configure strong manual mappings before Feb 2025
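The last action item, configuring strong manual mappings, comes down to the format of each `altSecurityIdentities` value. The following is an added example (not code from the page or the hacktricks-skills scripts) that classifies existing values as strong or weak using the mapping kinds documented in KB5014754 and builds a strong `X509IssuerSerialNumber` mapping from a certificate's issuer and serial number. Assumptions: the issuer is written in reversed (root-first) DN order and the serial number in reversed byte order, as in the KB example; all account names, issuer names and serials below are constructed.

```python
from __future__ import annotations
import re

# altSecurityIdentities mapping kinds from KB5014754: tag sequence -> (kind, is_strong).
# Only the strong kinds keep working once Full Enforcement is active.
MAPPING_KINDS = {
    ("I", "S"): ("X509IssuerSubject", False),
    ("S",): ("X509SubjectOnly", False),
    ("RFC822",): ("X509RFC822", False),
    ("I", "SR"): ("X509IssuerSerialNumber", True),
    ("SKI",): ("X509SKI", True),
    ("SHA1-PUKEY",): ("X509SHA1PublicKey", True),
}
TAG_RE = re.compile(r"<([A-Z0-9-]+)>([^<]*)")


def classify_mapping(value: str) -> tuple[str, bool]:
    """Return (mapping kind, is_strong) for one altSecurityIdentities value."""
    if not value.startswith("X509:"):
        return ("unknown", False)
    tags = tuple(tag for tag, _ in TAG_RE.findall(value[len("X509:"):]))
    return MAPPING_KINDS.get(tags, ("unknown", False))


def serial_to_mapping(serial_hex: str) -> str:
    """Convert a serial number as displayed by certutil (big-endian hex, optional
    spaces or colons) into the reversed-byte-order string the <SR> tag expects."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", serial_hex).upper()
    if len(clean) % 2:
        clean = "0" + clean
    pairs = [clean[i:i + 2] for i in range(0, len(clean), 2)]
    return "".join(reversed(pairs))


def issuer_serial_mapping(issuer_reversed_dn: str, serial_hex: str) -> str:
    """Build a strong X509IssuerSerialNumber mapping (issuer in reversed DN order)."""
    return f"X509:<I>{issuer_reversed_dn}<SR>{serial_to_mapping(serial_hex)}"


def weak_mappings(accounts: dict[str, list[str]]) -> dict[str, list[str]]:
    """Per account, the mapping values that stop working under Full Enforcement."""
    result: dict[str, list[str]] = {}
    for acct, values in accounts.items():
        weak = [v for v in values if not classify_mapping(v)[1]]
        if weak:
            result[acct] = weak
    return result


# Constructed sample data (not from a real directory).
ISSUER = "DC=local,DC=corp,CN=CORP-CA"
SAMPLE_ACCOUNTS = {
    "alice": ["X509:<I>DC=local,DC=corp,CN=CORP-CA<S>CN=alice"],   # weak
    "bob": ["X509:<RFC822>bob@corp.local",                          # weak
            "X509:<SKI>0A1B2C3D4E5F60718293A4B5C6D7E8F9"],         # strong
    "carol": [issuer_serial_mapping(ISSUER, "2B 00 00 00 00 11 AC 00 00 00 00 12")],  # strong
}

if __name__ == "__main__":
    for acct, values in weak_mappings(SAMPLE_ACCOUNTS).items():
        for v in values:
            print(f"{acct}: weak {classify_mapping(v)[0]} mapping {v}")
```

Run the classifier over the `altSecurityIdentities` values exported from each account that logs a Kerberos Event ID 39 or 41 during the Audit phase; every value it reports as weak needs to be replaced by a strong mapping or by a re-issued certificate carrying the SID extension before Enforcement.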
Defender for Identity Integration
Deploy AD CS sensors to all AD CS servers for:
- Posture assessments (ESC1-ESC8, ESC11, ESC15)
- Real-time alerts:
  - "Domain-controller certificate issuance for a non-DC" (ESC8)
  - "Prevent Certificate Enrollment with arbitrary Application Policies" (ESC15)
Certificate Authentication
Kerberos PKINIT Process
- The user sends an AS-REQ for a TGT, signed with the certificate's private key
- The domain controller validates:
  - Certificate validity
  - Certificate path
  - Revocation status
  - Trusted source
  - Issuer present in the NTAUTH certificate store
- TGT issued on successful validation
Schannel Authentication
- TLS/SSL handshake with certificate presentation
- Certificate-to-account mapping via:
  - Kerberos S4U2Self
  - Subject Alternative Name (SAN)
Scripts
See the scripts/ directory for:
- enumerate-cs.py - AD CS enumeration helper
- check-esc-vulns.py - ESC vulnerability checker
- hardening-checklist.sh - Hardening validation script