{"id":28559894,"url":"https://github.com/ghostpack/pspkiaudit","last_synced_at":"2025-06-10T09:06:34.809Z","repository":{"id":38343572,"uuid":"377651061","full_name":"GhostPack/PSPKIAudit","owner":"GhostPack","description":"PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.","archived":false,"fork":false,"pushed_at":"2024-02-28T15:10:15.000Z","size":827,"stargazers_count":850,"open_issues_count":5,"forks_count":115,"subscribers_count":32,"default_branch":"main","last_synced_at":"2025-04-15T14:42:34.964Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"ms-pl","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GhostPack.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"License.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-06-16T23:18:49.000Z","updated_at":"2025-04-12T18:04:01.000Z","dependencies_parsed_at":"2024-03-31T08:34:17.432Z","dependency_job_id":"79c2e4ca-031d-4d41-a0ea-193fe4b3b4f5","html_url":"https://github.com/GhostPack/PSPKIAudit","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FPSPKIAudit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FPSPKIAudit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FPSPKIAudit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FPSPKIAudit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GhostPack","download_url":"https://codeload.github.com/GhostPack/PSPKIAudit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FPSPKIAudit/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259043764,"owners_count":22797161,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-10T09:06:33.992Z","updated_at":"2025-06-10T09:06:34.783Z","avatar_url":"https://github.com/GhostPack.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PSPKIAudit\n\nPowerShell toolkit for auditing Active Directory Certificate Services (AD CS).\n\nIt is built on top of [PKISolution](http://pkisolutions.com/)'s [PSPKI](https://github.com/PKISolutions/PSPKI) toolkit (Microsoft Public License). This repo contains a newer version of PSPKI than what's available in the PSGallery (see the `PSPKI` directory). [Vadims Podans](https://github.com/Crypt32) (the creator of PSPKI) graciously provided this version as it contains patches for several bugs.\n\n**This README is only meant as a starting point- for complete details and defensive guidance, please see the \"[Certified Pre-Owned](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)\" whitepaper.**\n\nThe module contains the following main functions: \n1. [Invoke-PKIAudit](#auditing-ad-cs-misconfigurations) - Audits the current Forest's AD CS settings, primarily analyzing the CA server and published templates for potential privilege escalation opportunities.\n2. [Get-CertRequest](#triaging-existing-issued-certificate-requests) - Examines a CA's issued certificates by querying the CA's database. Primary intention is to discover certificate requests that may have abused a certificate template privilege escalation vulnerability. In addition, if a user or computer is compromised, incident responders can use it to find certificates the CA server had issued to the compromised user/computer (which should then be revoked).\n\n**WARNING:** This code is beta! We are confident that `Invoke-PKIAudit` will not impact the environment as the amount of data it queries is quite limited. We have not done rigorous testing with `Get-CertRequest` against typical CA server workloads. `Get-CertRequest` queries the CA's database directly and may have to process thousands of results, which might impact performance.\n\n**IF THERE ARE NO RESULTS, THIS IS NOT A GUARANTEE THAT YOUR ENVIRONMENT IS SECURE!!**\n\n**WE ALSO CANNOT GUARANTEE THAT OUR MITIGATION ADVICE WILL MAKE YOUR ENVIRONMENT SECURE OR WILL NOT DISRUPT OPERATIONS!**\n\nIt is your responsibility to talk to your Active Directory/PKI/Architecture team(s) to determine the best mitigations for your environment.\n\n*If the code breaks, or we missed something, please submit an issue or pull request for a fix!*\n\n- [Setup](#setup)\n- [Auditing AD CS Misconfigurations](#auditing-ad-cs-misconfigurations)\n  - [Output Explanation](#output-explanation)\n  - [ESC1 - Misconfigured Certificate Templates](#esc1---misconfigured-certificate-templates)\n  - [ESC2 - Misconfigured Certificate Templates](#esc2---misconfigured-certificate-templates)\n  - [ESC3 - Misconfigured Enrollment Agent Templates](#esc3---misconfigured-enrollment-agent-templates)\n  - [ESC4 - Vulnerable Certificate Template Access Control](#esc4---vulnerable-certificate-template-access-control)\n  - [ESC5 - Vulnerable PKI AD Object Access Control](#esc5---vulnerable-pki-ad-object-access-control)\n  - [ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2](#esc6---editf_attributesubjectaltname2)\n  - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)\n  - [ESC8 - NTLM Relay to AD CS HTTP Endpoints](#esc8---ntlm-relay-to-ad-cs-http-endpoints)\n  - [Misc - Explicit Mappings](#misc---explicit-mappings)\n- [Triaging Existing Issued Certificate Requests](#triaging-existing-issued-certificate-requests)\n\n\n# Setup\n\n## Requirements \u003c!-- omit in toc --\u003e\nInstall the following on a Windows machine using an elevated PowerShell prompt (PowerShell verion 5.1 or above):\n* [RSAT's](https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/remote-server-administration-tools) **Certificate Services** and **Active Directory** features. Install with the following command:\n```\nGet-WindowsCapability -Online -Name \"Rsat.*\" | where Name -match \"CertificateServices|ActiveDirectory\" | Add-WindowsCapability -Online\n```\n* The [PSPKI PowerShell module](https://github.com/PKISolutions/PSPKI). Install with the following command:\n```\nInstall-Module -Name PSPKI\n```\n\n## Import \u003c!-- omit in toc --\u003e\nDownload the module extract it to a folder. Then, import the module using the following commands:\n\n```\ncd PSPKIAudit\nGet-ChildItem -Recurse | Unblock-File\n\nImport-Module .\\PSPKIAudit.psd1\n```\n\n# Auditing AD CS Misconfigurations\n\nRunning `Invoke-PKIAudit` will run all auditing checks against AD CS in the current domain, including enumerating various Certificate Authority and Certificate Template settings. To audit a specific CA, you can run `Invoke-PKIAudit -CAComputerName CA.DOMAIN.COM` or `Invoke-PKIAudit -CAName X-Y-Z`.\n\nAny misconfigurations (ESC1-8) will appear as properties on the CA/template results displayed to identify the specific misconfiguration found.\n\nIf you want to change the groups/users used to test enrollment/access control, modify the `$CommonLowprivPrincipals` regex at the top of `Invoke-PKIAudit.ps1`\n\nIf you want to export all CA information to a csv, run: `Get-AuditCertificateAuthority [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] | Export-Csv -NoTypeInformation CAs.csv`\n\nIf you want to export ALL published template information to a csv (not just vulnerable templates), run: `Get-AuditCertificateTemplate [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] | Export-Csv -NoTypeInformation templates.csv`\n\n\n## Output Explanation\n\nThere are two main sections of output, details about discovered CAs and details about potentially vulnerable templates.\n\nFor certificate authority results:\n\n| Certificate Authority Property | Description                                                        |\n| ------------------------------ | ------------------------------------------------------------------ |\n| ComputerName                   | The system the CA is running on.                                   |\n| CAName                         | The name of the CA.                                                |\n| ConfigString                   | The full COMPUTER\\CA_NAME configuration string.                    |\n| IsRoot                         | If the CA is a root CA.                                            |\n| AllowsUserSuppliedSans         | If the CA has the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag set.       |\n| VulnerableACL                  | Whether the CA has a vulnerable ACL setting.                       |\n| EnrollmentPrincipals           | Principals who have the `Enroll` privilege at the CA level.        |\n| EnrollmentEndpoints            | The CA's web services enrollment endpoints.                        |\n| NTLMEnrollmentEndpoints        | The CA's web services enrollment endpoints that have NTLM enabled. |\n| DACL                           | The full access control information.                               |\n| Misconfigurations              | ESCX indicating the specific misconfiguration present (if any).    |\n\n\nFor certificate template results:\n\n| Property                | Description                                                                                              |\n| ----------------------- | -------------------------------------------------------------------------------------------------------- |\n| CA                      | The full CA ConfigString the template is published on (null for not published).                          |\n| Name                    | The template name.                                                                                       |\n| SchemaVersion           | The schema version (1/2/3) of the template.                                                              |\n| OID                     | The unique object identifier for the template.                                                           |\n| VulnerableTemplateACL   | True if the template has a vulnerable ACL setting.                                                       |\n| LowPrivCanEnroll        | True if low-privileged users can enroll in the template.                                                 |\n| EnrolleeSuppliesSubject | True if the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag is present (i.e., users can supply arbitrary SANs). |\n| EnhancedKeyUsage        | The usage EKUs enabled in the template.                                                                  |\n| HasAuthenticationEku    | True if the template has an EKU that allows for authentication.                                          |\n| HasDangerousEku         | True if the template has a \"dangerous\" (Any Purpose or null) EKU.                                        |\n| EnrollmentAgentTemplate | True if the template has the \"Certificate Request Agent\" EKU.                                            |\n| CAManagerApproval       | True if manager approvals are needed for enrollment.                                                     |\n| IssuanceRequirements    | Authorized signature information.                                                                        |\n| ValidityPeriod          | How long the certificate is valid for.                                                                   |\n| RenewalPeriod           | The renewal period for the certificate.                                                                  |\n| Owner                   | The principal who owns the certificate.                                                                  |\n| DACL                    | The full access control information.                                                                     |\n| Misconfigurations       | ESCX indicating the specific misconfiguration present (if any).                                          |\n\n\n## ESC1 - Misconfigured Certificate Templates\n\n### Details \u003c!-- omit in toc --\u003e\n\nThis privilege escalation scenario occurs when the following conditions are met:\n\n1. **The Enterprise CA grants low-privileged users enrollment rights.** The Enterprise CA's configuration must permit low-privileged users the ability to request certificates. See the \"Background - Enrollment\" section at the beginning of the whitepaper paper for more details.\n\n2. **Manager approval is disabled.** This setting necessitates that a user with certificate \"manager\" permissions review and approve the requested certificate before the certificate is issued. See the \"Background - Issuance Requirements\" section at the beginning of the whitepaper paper for more details.\n\n3. **No authorized signatures are required.** This setting requires any CSR to be signed by an existing authorized certificate. See the \"Background - Issuance Requirements\" section at the beginning of the whitepaper for more details.\n\n4. **An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.** Having certificate enrollment rights allows a low-privileged attacker to request and obtain a certificate based on the template. Enrollment Rights are granted via the certificate template AD object's security descriptor.\n\n5. **The certificate template defines EKUs that enable authentication.** Applicable EKUs include Client Authentication (OID 1.3.6.1.5.5.7.3.2), PKINIT Client Authentication (OID 1.3.6.1.5.2.3.4), or Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2). \n\n6. **The certificate template allows requesters to specify a subjectAltName (SAN) in the CSR.** If a requester can specify the SAN in a CSR, the requester can request a certificate as anyone (e.g., a domain admin user). The certificate template's AD object specifies if the requester can specify the SAN in its mspki-certificate-name-flag property. The mspki-certificate-name-flag property is a bitmask and if the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is present, a requester can specify the SAN.\n\n**TL;DR** This situation means that a unprivileged users can request a certificate that can be used for domain authentication, where they can specify an arbitrary alternative name (like a domain admin). This can result in a working certificate for an elevated user like a domain admin!\n\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n[!] Potentially vulnerable Certificate Templates:\n\nCA                      : dc.theshire.local\\theshire-DC-CA\nName                    : ESC1Template\nSchemaVersion           : 2\nOID                     : ESC1 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657968.9897558)\nVulnerableTemplateACL   : False\nLowPrivCanEnroll        : True\nEnrolleeSuppliesSubject : True\nEnhancedKeyUsage        : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting File System (1.3.6.1.4.1.311.10.3.4)\nHasAuthenticationEku    : True\nHasDangerousEku         : False\nEnrollmentAgentTemplate : False\nCAManagerApproval       : False\nIssuanceRequirements    : [Issuance Requirements]\n                            Authorized signature count: 0\n                            Reenrollment requires: same criteria as for enrollment.\nValidityPeriod          : 1 years\nRenewalPeriod           : 6 weeks\nOwner                   : THESHIRE\\localadmin\nDACL                    : NT AUTHORITY\\Authenticated Users (Allow) - Read\n                          THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\Domain Users (Allow) - Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\localadmin (Allow) - Read, Write\nMisconfigurations       : ESC1\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nThere are a few options. First, right click the affected certificate template in the Certificate Templates Console (certtmpl.msc) and click \"Properties\"\n\n1. Remove the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag via \"Subject Name\", unchecking \"Supply in Request\".\n   * This prevents arbitrary SAN specification in the CSR. **Unless alternate names are really needed for this template, this is probably the best fix.**\n2. Remove the \"Client Authentication\" and/or \"Smart Card Logon\" EKUS via \"Extensions\" -\u003e \"Application Policies\".\n   * This prevents domain authentication with this template.\n3. Enable **\"CA Certificate Manager Approval\"** in \"Issuance Requirements\".\n   * This puts requests for this template in the \"Pending Requests\" queue that must be manually approved by a certificate manager.\n4. Enable **Authorized Signatures\"** in \"Issuance Requirements\" (if you know what you're doing).\n   * This forces CSRs to be co-signed by an Enrollment Agent certificate.\n5. Remove the ability for low-privileged users from enrolling in this template via \"Security\" and removing the appropriate **Enroll** privilege.\n\n## ESC2 - Misconfigured Certificate Templates\n\n### Details \u003c!-- omit in toc --\u003e\n\nThis privilege escalation scenario occurs when the following conditions are met:\n\n1. **The Enterprise CA grants low-privileged users enrollment rights.** Details are the same as in ESC1.\n\n2. **Manager approval is disabled.** Details are the same as in ESC1.\n\n3. **No authorized signatures are required.** Details are the same as in ESC1.\n\n4. **An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.** Details are the same as in ESC1.\n\n5. **The certificate template defines Any Purpose EKUs or no EKU.** The Any Purpose (OID 2.5.29.37.0) can be used for (surprise!) any purpose, including client authentication. If no EKUs are specified - i.e. the pkiextendedkeyusage is empty or the attribute doesn't exist - then the certificate is the equivalent of a subordinate CA certificate and can be used for anything.\n\n**TL;DR** This is very similar to ESC1, however with the Any Purpose or no EKU, the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag does not need to be present.\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n[!] Potentially vulnerable Certificate Templates:\n\nCA                      : dc.theshire.local\\theshire-DC-CA\nName                    : ESC2Template\nSchemaVersion           : 2\nOID                     : ESC2 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.7730030.4389735)\nVulnerableTemplateACL   : False\nLowPrivCanEnroll        : True\nEnrolleeSuppliesSubject : False\nEnhancedKeyUsage        :\nHasAuthenticationEku    : True\nHasDangerousEku         : True\nEnrollmentAgentTemplate : False\nCAManagerApproval       : False\nIssuanceRequirements    : [Issuance Requirements]\n                            Authorized signature count: 0\n                            Reenrollment requires: same criteria as for enrollment.\nValidityPeriod          : 1 years\nRenewalPeriod           : 6 weeks\nOwner                   : THESHIRE\\localadmin\nDACL                    : NT AUTHORITY\\Authenticated Users (Allow) - Read\n                          THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\Domain Users (Allow) - Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\localadmin (Allow) - Read, Write\nMisconfigurations       : ESC2\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nThere are a few options. First, right click the affected certificate template in the Certificate Templates Console (certtmpl.msc) and click \"Properties\"\n\n1. Remove the ability for low-privileged users from enrolling in this template via \"Security\" and removing the appropriate **Enroll** privilege.\n   * This is likely the best fix, as these sensitive EKUs should not be available to low-privileged users!\n2. Enable **\"CA Certificate Manager Approval\"** in \"Issuance Requirements\".\n   * This puts requests for this template in the \"Pending Requests\" queue that must be manually approved by a certificate manager.\n3. Enable **Authorized Signatures\"** in \"Issuance Requirements\" (if you know what you're doing).\n   * This forces CSRs to be co-signed by an Enrollment Agent certificate.\n\n\n## ESC3 - Misconfigured Enrollment Agent Templates\n\n### Details \u003c!-- omit in toc --\u003e\n\nThis privilege escalation scenario occurs when the following conditions are met:\n\n1. **The Enterprise CA grants low-privileged users enrollment rights.** Details are the same as in ESC1.\n\n2. **Manager approval is disabled.** Details are the same as in ESC1.\n\n3. **No authorized signatures are required.** Details are the same as in ESC1.\n\n4. **An overly permissive certificate template security descriptor grants certificate enrollment rights to low-privileged users.** Details are the same as in ESC1.\n\n5. **The certificate template defines the Certificate Request Agent EKU.** The Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) allows a principal to enroll for _another_ certificate template on behalf of another user.\n\n6. **Enrollment agents restrictions are not implemented on the CA.**\n\n**TL;DR** Someone with a Certificate Request (aka Enrollment) Agent certificate can enroll in other certificates on behalf of any user in the domain, for any Schema Version 1 template or any Schema Version 2+ template that requires the appropriate \"Authorized Signatures/Application Policy\" Issuance Requirement, unless \"Enrollment Agent Restrictions\" are implemented at the CA level.\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n[!] Potentially vulnerable Certificate Templates:\n\nCA                      : dc.theshire.local\\theshire-DC-CA\nName                    : ESC3Template\nSchemaVersion           : 2\nOID                     : ESC3 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.4300342.10028552)\nVulnerableTemplateACL   : False\nLowPrivCanEnroll        : True\nEnrolleeSuppliesSubject : False\nEnhancedKeyUsage        : Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)\nHasAuthenticationEku    : False\nHasDangerousEku         : False\nEnrollmentAgentTemplate : True\nCAManagerApproval       : False\nIssuanceRequirements    : [Issuance Requirements]\n                            Authorized signature count: 0\n                            Reenrollment requires: same criteria as for enrollment.\nValidityPeriod          : 1 years\nRenewalPeriod           : 6 weeks\nOwner                   : THESHIRE\\localadmin\nDACL                    : NT AUTHORITY\\Authenticated Users (Allow) - Read\n                          THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\Domain Users (Allow) - Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\localadmin (Allow) - Read, Write\nMisconfigurations       : ESC3\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nThere are a few options. First, right click the affected certificate template in the Certificate Templates Console (certtmpl.msc) and click \"Properties\"\n\n1. Remove the ability for low-privileged users from enrolling in this template via \"Security\" and removing the appropriate **Enroll** privilege.\n   * This is likely the best fix, as this sensitive EKU should not be available to low-privileged users!\n2. Enable **\"CA Certificate Manager Approval\"** in \"Issuance Requirements\".\n   * This puts requests for this template in the \"Pending Requests\" queue that must be manually approved by a certificate manager.\n\nYou can also implement \"Enrollment Agent Restrictions\" via the Certification Authority console (certsrv.msc). On the affected CA, right click the CA name and click \"Properties\" -\u003e \"Enrollment Agents\". There is more information on this approach [here](https://social.technet.microsoft.com/wiki/contents/articles/10942.ad-cs-security-guidance.aspx#Establish_Restricted_Enrollment_Agents).\n\n\n## ESC4 - Vulnerable Certificate Template Access Control\n\n### Details \u003c!-- omit in toc --\u003e\n\nCertificate templates are securable objects in Active Directory, meaning they have a security descriptor that specifies which Active Directory principals have specific permissions over the template. Templates that have vulnerable access control grant unintended principals the ability to modify settings in the template. With modification rights, an attacker can set vulnerable EKUs (ESC1-ESC3), flip settings like CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (ESC1), and/or remove \"Issuance Requirements\" like manager approval or authorized signatures.\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n[!] Potentially vulnerable Certificate Templates:\n\nCA                      : dc.theshire.local\\theshire-DC-CA\nName                    : ESC4Template\nSchemaVersion           : 2\nOID                     : ESC4 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.1768738.6205646)\nVulnerableTemplateACL   : True\nLowPrivCanEnroll        : True\nEnrolleeSuppliesSubject : False\nEnhancedKeyUsage        : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting File System (1.3.6.1.4.1.311.10.3.4)\nHasAuthenticationEku    : True\nHasDangerousEku         : False\nEnrollmentAgentTemplate : False\nCAManagerApproval       : False\nIssuanceRequirements    : [Issuance Requirements]\n                            Authorized signature count: 0\n                            Reenrollment requires: same criteria as for enrollment.\nValidityPeriod          : 1 years\nRenewalPeriod           : 6 weeks\nOwner                   : THESHIRE\\localadmin\nDACL                    : NT AUTHORITY\\Authenticated Users (Allow) - Read, Write\n                          THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\Domain Users (Allow) - Read, Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\localadmin (Allow) - Read, Write\nMisconfigurations       : ESC4\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nRight click the affected certificate template in the Certificate Templates Console (certtmpl.msc) and click \"Properties\".\n\nGo to \"Security\" and remove the vulnerable access control entry.\n\n\n## ESC5 - Vulnerable PKI AD Object Access Control\n\n### Details \u003c!-- omit in toc --\u003e\n\nA number of objects outside of certificate templates and the certificate authority itself can have a security impact on the entire AD CS system.\n\nThese possibilities include (but are not limited to):\n- CA server's AD computer object (i.e., compromise through RBCD)\n- The CA server's RPC/DCOM server\n- PKI-related AD objects. Any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=\u003cCOMPANY\u003e,DC=\u003cCOM\u003e (e.g., the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, etc.)\n\n*Due to the broad scope of this specific misconfiguration, we do not currently check for ESC5 by default in this toolkit.*\n\nAccess paths into the CA server itself can be found in current BloodHound collection.\n\nThe CA server's RPC/DCOM server security require manual analysis.\n\nThe following commands outputs a list of users and the control/edit right the user has over a PKI-related AD object.\n```\n$Controllers = Get-AuditPKIADObjectControllers\nFormat-PKIAdObjectControllers $Controllers\n```\n\nEnsure all principals in the results absolutely require the listed rights. Often times non-tier 0 accounts (be it low privileged users/groups or lower-privileged non-AD server admins) have control of PKI-related AD objects.\n\n### Example \u003c!-- omit in toc --\u003e\n```\nTHESHIRE\\Cert Publishers (S-1-5-21-3022474190-4230777124-3051344698-517)\n    GenericAll         CN=THESHIRE-DC-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    GenericAll         CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    GenericAll         CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    GenericAll         CN=THESHIRE-DC-CA,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n\nTHESHIRE\\DC$ (S-1-5-21-3022474190-4230777124-3051344698-1000)\n    WriteOwner         CN=THESHIRE-DC-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    GenericAll         CN=THESHIRE-DC-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    GenericAll         CN=THESHIRE-DC-CA,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    GenericAll         CN=THESHIRE-DC-CA,CN=KRA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n\nTHESHIRE\\Domain Computers (S-1-5-21-3022474190-4230777124-3051344698-515)\n    WriteDacl          CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n\nTHESHIRE\\Domain Users (S-1-5-21-3022474190-4230777124-3051344698-513)\n    WriteAllProperties CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n\nTHESHIRE\\john-sa (S-1-5-21-3022474190-4230777124-3051344698-1602)\n    GenericAll         CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n\nNT AUTHORITY\\Authenticated Users (S-1-5-11)\n    Owner              CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n    WriteOwner         CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nRemove any vulnerable access control entries through Active Directory Users and Computers (*dsa.msc*) or ADSIEdit (*adsiedit.msc*) for configuration objects.\n\n\n## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 \n\n### Details \u003c!-- omit in toc --\u003e\n\nIf the **EDITF_ATTRIBUTESUBJECTALTNAME2** flag is flipped in the configuration for a Certificate Authority, *ANY* certificate request can specify arbitrary Subject Alternative Names (SANs). This means that ANY template configured for domain authentication that also allows unprivileged users to enroll (e.g., the default **User** template) can be abused to obtain a certificate that allows us to authenticate as a domain admin (or any other active user/machine). \n\n**THIS SETTING SHOULD ABSOLUTELY NOT BE SET IN YOUR ENVIRONMENT.**\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n=== Certificate Authority ===\n\n\nComputerName            : dc.theshire.local\nCAName                  : theshire-DC-CA\nConfigString            : dc.theshire.local\\theshire-DC-CA\nIsRoot                  : True\nAllowsUserSuppliedSans  : True\nVulnerableACL           : False\nEnrollmentPrincipals    : THESHIRE\\Domain Users\n                          THESHIRE\\Domain Computers\n                          THESHIRE\\certmanager\n                          THESHIRE\\certadmin\n                          THESHIRE\\Nested3\nEnrollmentEndpoints     : \nNTLMEnrollmentEndpoints : \nDACL                    : BUILTIN\\Administrators (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\Domain Admins (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\Domain Users (Allow) - Read, Enroll\n                          THESHIRE\\Domain Computers (Allow) - Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\certmanager (Allow) - ManageCertificates, Enroll\n                          THESHIRE\\certadmin (Allow) - ManageCA, Enroll\n                          THESHIRE\\Nested3 (Allow) - ManageCertificates, Enroll\nMisconfigurations       : ESC6\n\n[!] The above CA is misconfigured!\n\n...(snip)...\n\n[!] EDITF_ATTRIBUTESUBJECTALTNAME2 set on this CA, the following templates may be vulnerable:\n\nCA                      : dc.theshire.local\\theshire-DC-CA\nName                    : User\nSchemaVersion           : 1\nOID                     : 1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.1.1\nVulnerableTemplateACL   : False\nLowPrivCanEnroll        : True\nEnrolleeSuppliesSubject : False\nEnhancedKeyUsage        : Encrypting File System (1.3.6.1.4.1.311.10.3.4)|Secure Email (1.3.6.1.5.5.7.3.4)|Client Authentication (1.3.6.1.5.5.7.3.2)\nHasAuthenticationEku    : True\nHasDangerousEku         : False\nEnrollmentAgentTemplate : False\nCAManagerApproval       : False\nIssuanceRequirements    : [Issuance Requirements]\n                            Authorized signature count: 0\n                            Reenrollment requires: same criteria as for enrollment.\nValidityPeriod          : 1 years\nRenewalPeriod           : 6 weeks\nOwner                   : THESHIRE\\Enterprise Admins\nDACL                    : NT AUTHORITY\\Authenticated Users (Allow) - Read\n                          THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\n                          THESHIRE\\Domain Users (Allow) - Read, Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\nMisconfigurations       :\n\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nImmediately remove this flag and restart the affected certificate authority from a PowerShell prompt with elevated rights against the CA server:\n\n```\nPS C:\\\u003e certutil -config \"CA_HOST\\CA_NAME\" -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2\n\nPS C:\\\u003e Get-Service -ComputerName CA_HOST certsvc | Restart-Service -Force\n```\n\n\n## ESC7 - Vulnerable Certificate Authority Access Control\n\n### Details \u003c!-- omit in toc --\u003e\n\nOutside of certificate templates, a certificate authority itself has a set of permissions that secure various CA actions. These permissions can be accessed from certsrv.msc, right clicking a CA, selecting properties, and switching to the Security tab.\n\nThere are two rights that are security sensitive and dangerous if unintended principals possess them:\n\n* **ManageCA** (aka \"CA Administrator\") - allows for administrative CA actions, including (remotely) flipping the EDITF_ATTRIBUTESUBJECTALTNAME2 bit, resulting in ESC6.\n* **ManageCertificates** (aka \"Certificate Manager/Officer\") - allows the principal to approve pending certificate requests, negating the \"Manager Approval\" Issuance Requirement/protection\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n=== Certificate Authority ===\n\n\nComputerName            : dc.theshire.local\nCAName                  : theshire-DC-CA\nConfigString            : dc.theshire.local\\theshire-DC-CA\nIsRoot                  : True\nAllowsUserSuppliedSans  : False\nVulnerableACL           : True\nEnrollmentPrincipals    : THESHIRE\\Domain Users\n                          THESHIRE\\Domain Computers\n                          THESHIRE\\certmanager\n                          THESHIRE\\certadmin\n                          THESHIRE\\Nested3\nEnrollmentEndpoints     : \nNTLMEnrollmentEndpoints : \nDACL                    : BUILTIN\\Administrators (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\Domain Admins (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\Domain Users (Allow) - ManageCA, Read, Enroll\n                          THESHIRE\\Domain Computers (Allow) - Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\certmanager (Allow) - ManageCertificates, Enroll\n                          THESHIRE\\certadmin (Allow) - ManageCA, Enroll\n                          THESHIRE\\Nested3 (Allow) - ManageCertificates, Enroll\nMisconfigurations       : ESC7\n\n[!] The above CA is misconfigured!\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nOpen up the Certification Authority console (certsrv.msc) on the affected CA, right click the CA name and click \"Properties\".\n\nGo to \"Security\" and remove the vulnerable access control entry.\n\n\n## ESC8 - NTLM Relay to AD CS HTTP Endpoints\n\n**NOTE:** this particular check in PSPKIAudit only checks if NTLM is present for any published enrollment endpoints. *It does NOT check if Extended Protection for Authentication is present for these NTLM-enabled endoints, so false positives may occur!*\n\n\u003e [!IMPORTANT]  \n\u003e NTLM authentication is disabled for accounts in the Protected Users group. This check may fail if running PSPKIAudit while logged in as a Protected User.\n\n### Details \u003c!-- omit in toc --\u003e\n\nAD CS supports several HTTP-based enrollment methods via additional AD CS server roles that administrators can install. These HTTP-based certificate enrollment interfaces are all vulnerable NTLM relay attacks.\n\nUsing NTLM relay, an attacker on a compromised machine can impersonate any inbound-NTLM-authenticating AD account. While impersonating the victim account, an attacker could access these web interfaces and request a client authentication certificate based on the User or Machine certificate templates.\n\n\n### Example \u003c!-- omit in toc --\u003e\n\n```\n=== Certificate Authority ===\n\n\nComputerName            : dc.theshire.local\nCAName                  : theshire-DC-CA\nConfigString            : dc.theshire.local\\theshire-DC-CA\nIsRoot                  : True\nAllowsUserSuppliedSans  : False\nVulnerableACL           : False\nEnrollmentPrincipals    : THESHIRE\\Domain Users\n                          THESHIRE\\Domain Computers\n                          THESHIRE\\certmanager\n                          THESHIRE\\certadmin\n                          THESHIRE\\Nested3\nEnrollmentEndpoints     : http://dc.theshire.local/certsrv/\nNTLMEnrollmentEndpoints : http://dc.theshire.local/certsrv/\nDACL                    : BUILTIN\\Administrators (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\Domain Admins (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\Domain Users (Allow) - Read, Enroll\n                          THESHIRE\\Domain Computers (Allow) - Enroll\n                          THESHIRE\\Enterprise Admins (Allow) - ManageCA, ManageCertificates\n                          THESHIRE\\certmanager (Allow) - ManageCertificates, Enroll\n                          THESHIRE\\certadmin (Allow) - ManageCA, Enroll\n                          THESHIRE\\Nested3 (Allow) - ManageCertificates, Enroll\nMisconfigurations       : ESC8\n\n[!] The above CA is misconfigured!\n```\n\n### Mitigations \u003c!-- omit in toc --\u003e\n\nEither remove the HTTP(S) enrollment endpoints, disable NTLM for the endopints, or enable Extended Protection for Authentication. See **Harden AD CS HTTP Endpoints – PREVENT8** in the whitepaper for more deatils.\n\n\n## Misc - Explicit Mappings\n\nAnother possible mitigation for some situations is to enforce explicit mappings for certificates. This disables the use of alternate SANs in certificates when authenticating to Active Directory.\n\nFor Kerberos, setting the **HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc ! UseSubjectAltName** key to 00000000 forces an explicit mapping. There are more details in [KB4043463](https://mskb.pkisolutions.com/kb/4043463).\n\nDisabling explicit mappings for SChannel is not really documented, but based on our research settings 0x1 or 0x2 to the **HKEY_LOCAL_MACHINE\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL ! CertificateMappingMethods** key appears to block SANs, but more testing is needed.\n\n\n# Triaging Existing Issued Certificate Requests\n\n**WARNING:** this functionality has been minimally tested in large environments!\n\n**Note:** see \"Monitor User/Machine Certificate Enrollments - DETECT1\" in the whitepaper for additional information and how to perform these searches with certutil.\n\nIf you want to examine existing issued certificate requests, for example to see if any requests specified arbitrary SANs, or were requested for specific templates/by specific principals, the `Get-CertRequest [-CAComputerName COMPUTER.DOMAIN.COM | -CAName X-Y-Z]` function builds on various PSPKI functions to give more contextual information.\n\nSpecifically, the raw Certificate Signing Request (CSR) is extracted for every currently issued certificate in the domain, and specific information (i.e., whether a SAN was specified, the requestor name/machine/process, etc.) is constructed from the request to enrich the CSR object.\n\nThe following flags can be useful:\n\n| Flag                        | Description                                                                                   |\n| --------------------------- | --------------------------------------------------------------------------------------------- |\n| **-HasSAN**                 | Only return issued certificates that has a Subject Alternative Name specified in the request. |\n| **-Requester DOMAIN\\USER**  | Only return issued certificate requests for the specific requesting user.                     |\n| **-Template TEMPLATE_NAME** | Only return return issued certificate requests for the specified template name.               |\n\n\u003cbr/\u003e\n\nTo export ALL issued certificate requests to csv, use `Get-CertRequest | Export-CSV -NoTypeInformation requests.csv`.\n\nHere is an example result entry that shows a situation where a Subject Alternative Name (SAN) was specified with Certify:\n\n```\nCA                       : dc.theshire.local\\theshire-DC-CA\nRequestID                : 4602\nRequesterName            : THESHIRE\\cody\nRequesterMachineName     : dev.theshire.local\nRequesterProcessName     : Certify.exe\nSubjectAltNamesExtension :\nSubjectAltNamesAttrib    : Administrator\nSerialNumber             : 55000011faef0fab5ffd7f75b30000000011fa\nCertificateTemplate      : ESC1 Template\n                           (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657968.9897558)\nRequestDate              : 6/3/2021 5:54:51 PM\nStartDate                : 6/3/2021 5:44:51 PM\nEndDate                  : 6/3/2022 5:44:51 PM\n\nCA                       : dc.theshire.local\\theshire-DC-CA\nRequestID                : 4603\nRequesterName            : THESHIRE\\cody\nRequesterMachineName     : dev.theshire.local\nRequesterProcessName     : Certify.exe\nSubjectAltNamesExtension : Administrator\nSubjectAltNamesAttrib    :\nSerialNumber             : 55000011fb021b79cf7276c2de0000000011fb\nCertificateTemplate      : ESC1 Template\n                           (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657968.9897558)\nRequestDate              : 6/3/2021 5:55:10 PM\nStartDate                : 6/3/2021 5:45:10 PM\nEndDate                  : 6/3/2022 5:45:10 PM\n```\n\nThe `SubjectAltNamesExtension` property means that the x509 SubjectAlternativeNames extension was used to specify the SAN, which happens for templates with the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag. The `SubjectAltNamesAttrib` property means that x509 name/value pairs were used, which happens when specifying a SAN when the `EDITF_ATTRIBUTESUBJECTALTNAME2` CA flag is set.\n\nExisting issued certificates can be revoked using PSPKI's [Revoke-Certificate](https://www.pkisolutions.com/tools/pspki/Revoke-Certificate/) function:\n\n`PS C:\\\u003e Get-CertificationAuthority \u003cCAName\u003e | Get-IssuedRequest -RequestID \u003cX\u003e | Revoke-Certificate -Reason \"KeyCompromise\"`\n\nApplicable values for -Reason are \"KeyCompromise\", \"CACompromise\", and \"Unspecified\".\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Fpspkiaudit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghostpack%2Fpspkiaudit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Fpspkiaudit/lists"}