ReCertifying Active Directory Certificate Services
Conference: BlackHat USA 2021
2021-11-11
Summary
The presentation discusses the dangers of mishandling Active Directory Certificate Services (ADCS) and provides insights on how attackers can exploit it. It also offers recommendations on how to protect against these attacks.
- ADCS can be dangerous if not handled properly and attackers are using it to their advantage
- The presentation details various attacks that can be executed using ADCS, including certificate theft, persistence, domain escalation, and domain persistence
- The tool Certify can be used to enumerate vulnerable templates and request templates for abuse
- Defenses include developing an incident response plan, auditing relevant event logs, and checking out the white paper for guidance
- Acknowledgements are given to previous work and collaborators
Abstract
Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has unfortunately flown under the radar of the defensive industry. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, briefly overview the attacks possible, and present preventive, detective, and indecent response guidance for how to secure organizations against these abuses. By presenting the most comprehensive guidance on securing AD CS we hope to give organizations the information and tools they need to secure these complex, widely deployed, and often misunderstood systems.
Materials:
Tags: