Active Directory - Certificate ESC9
ESC9 - No Security Extension
Requirements
- StrongCertificateBindingEnforcement set to 1 (default) or 0
- Certificate template contains the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value
- Certificate template specifies any client authentication EKU
- GenericWrite over any account A to compromise any account B
Scenario
John@corp.local has GenericWrite over Jane@corp.local, and we want to compromise Administrator@corp.local. Jane@corp.local is allowed to enroll in the certificate template ESC9 that specifies the CT_FLAG_NO_SECURITY_EXTENSION flag in the msPKI-Enrollment-Flag value.
- Obtain the hash of Jane with Shadow Credentials (using our GenericWrite).
- Change the userPrincipalName of Jane to Administrator, leaving out the @corp.local part.
- Request the vulnerable certificate template ESC9 from Jane's account.
- Restore the userPrincipalName of Jane to Jane@corp.local.
- Authenticate with the certificate and receive the NT hash of the Administrator@corp.local user.
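An audit check for the template-side and KDC-side conditions listed under Requirements, as an added example that is not part of the original page. It assumes the template attributes (msPKI-Enrollment-Flag, pKIExtendedKeyUsage) have already been read from AD and that the StrongCertificateBindingEnforcement value has been read from the KDC service's registry key; the bit value 0x00080000 for CT_FLAG_NO_SECURITY_EXTENSION and the client-authentication EKU OIDs come from the MS-CRTD specification, not from the page, and the template data below is constructed.

```python
# Added audit example (not from the original page): flag certificate templates that
# meet the ESC9 requirements listed above. Template attributes are assumed to have
# been read from AD already; the sample below is constructed, not real data.

CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000  # msPKI-Enrollment-Flag bit (MS-CRTD)

# EKU OIDs that let a certificate be used for client (PKINIT) authentication
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def template_allows_client_auth(ekus):
    """An empty pKIExtendedKeyUsage imposes no restriction, so it also counts."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def is_esc9_candidate(template, strong_binding_enforcement):
    """True when the KDC setting and the template together satisfy ESC9."""
    # 2 = full enforcement: the KDC rejects certificates without the SID
    # security extension, so the mapping abuse described in the scenario fails.
    if strong_binding_enforcement not in (0, 1):
        return False
    flags = int(template.get("msPKI-Enrollment-Flag", 0))
    if not flags & CT_FLAG_NO_SECURITY_EXTENSION:
        return False
    return template_allows_client_auth(template.get("pKIExtendedKeyUsage", []))


def audit(templates, strong_binding_enforcement):
    """Names of templates a defender should fix or restrict, sorted for stable output."""
    return sorted(t["name"] for t in templates
                  if is_esc9_candidate(t, strong_binding_enforcement))


# Constructed sample: one template with the flag set, two without the ESC9 conditions
SAMPLE_TEMPLATES = [
    {"name": "ESC9",
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION | 0x20,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    {"name": "WebServer",  # server auth only, no client auth EKU
     "msPKI-Enrollment-Flag": CT_FLAG_NO_SECURITY_EXTENSION,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
    {"name": "User",       # client auth, but the SID extension is still embedded
     "msPKI-Enrollment-Flag": 0x29,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_TEMPLATES, 1))  # ['ESC9']
```

Raising StrongCertificateBindingEnforcement to 2 removes every template from the result, which is the KDC-side mitigation; the template-side fix is clearing the flag or removing client-authentication EKUs.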