<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>ADCS on Nicola Suter</title><link>https://nicolasuter.ch/tags/adcs/</link><description>Recent content in ADCS on Nicola Suter</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><copyright>© 2026 Nicola Suter</copyright><lastBuildDate>Tue, 11 Apr 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://nicolasuter.ch/tags/adcs/rss.xml" rel="self" type="application/rss+xml"/><item><title>Provoking Defender for Identity suspicious certificate usage alerts</title><link>https://nicolasuter.ch/provoking-defender-for-identity-suspicious-certificate-usage-alerts/</link><pubDate>Tue, 11 Apr 2023 00:00:00 +0000</pubDate><guid>https://nicolasuter.ch/provoking-defender-for-identity-suspicious-certificate-usage-alerts/</guid><description>&lt;p&gt;Microsoft Defender for Identity (MDI) announced a new capability in February to detect suspicious certificate usage for Kerberos authentication. It is already well known that Active Directory Certificate Services (ADCS) is a lucrative target for adversaries who want to escalate privileges and achieve persistence in Active Directory: ADCS is easy to misconfigure, and those misconfigurations are easy to exploit. In this post I want to show you how easily such misconfigurations can be abused, and how and when such an attempt is detected by the new Microsoft Defender for Identity detection for suspicious certificate usage.&lt;/p&gt;

&lt;h2 class="relative group"&gt;What makes a vulnerable environment
 &lt;div id="what-makes-a-vulnerable-environment" class="anchor"&gt;&lt;/div&gt;
&lt;/h2&gt;
&lt;p&gt;To be vulnerable to the certificate abuse scenario I will demonstrate, an environment needs to have the following conditions present:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;An ADCS Enterprise Certification Authority (CA)&lt;/li&gt;
&lt;li&gt;The CA certificate must be present in the NTAuth store (default behaviour when an enterprise ADCS CA is installed); this is what makes certificates issued by that CA acceptable for domain authentication&lt;/li&gt;
&lt;li&gt;At least one domain controller needs to have a certificate suitable for Kerberos (PKINIT) authentication enrolled, for example from the Kerberos Authentication or Domain Controller Authentication template&lt;/li&gt;
&lt;li&gt;At least one published certificate template that meets one of the following criteria:&lt;br&gt;
– the “Supply in the request” subject name option (the ENROLLEE_SUPPLIES_SUBJECT flag) is enabled, the template permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose EKU, or no EKU at all), no manager approval or authorized signatures are required, AND enroll permissions are granted to low-privileged principals like Domain Users or Domain Computers (or equivalent); SpecterOps calls this ESC1&lt;br&gt;
– modify permissions (for example WriteDacl, WriteOwner or write access to the template properties) are granted to low-privileged principals like Domain Users or Domain Computers (or equivalent), which lets them turn the template into the first case; SpecterOps calls this ESC4&lt;/li&gt;
&lt;/ul&gt;
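&lt;p&gt;The following PowerShell script is an added example and not code from the original post. It audits a forest for the preconditions listed above using the ActiveDirectory module: it counts the CA certificates in the NTAuth store, collects the templates the enterprise CAs actually publish (a template no CA publishes cannot be enrolled and is inert), checks whether the default domain controller authentication templates are among them, and then flags every published template that meets the first criterion (ENROLLEE_SUPPLIES_SUBJECT, authentication-capable EKU, no manager approval or signatures, enroll rights for a low-privileged principal) or the second (a low-privileged principal can rewrite the template). The flag values come from the MS-CRTD specification and the Certificate-Enrollment control access right GUID from the AD schema; the function names are mine, and the set of principals treated as low-privileged (Everyone, Authenticated Users, Domain Users, Domain Computers of the current domain) is an assumption you should widen for your own environment.&lt;/p&gt;

```powershell
# Added example (not from the original post): audit the ADCS preconditions listed above
# with the ActiveDirectory module. Needs only read access to the configuration partition.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$pkiBase   = "CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
$domainSid = (Get-ADDomain).DomainSID.Value

# Constants from MS-CRTD (template attributes) and the AD schema (control access right)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: requester sets subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: CA manager approval required
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$authEkus = @('1.3.6.1.5.5.7.3.2',          # Client Authentication
              '1.3.6.1.5.2.3.4',            # PKINIT Client Authentication
              '1.3.6.1.4.1.311.20.2.2',     # Smart Card Logon
              '2.5.29.37.0')                # Any Purpose
# Assumed "low-privileged" principals: Everyone, Authenticated Users, Domain Users, Domain Computers.
# Widen this list (other domains, your own broad groups) for a real audit.
$lowPriv = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

function Test-LowPrivPrincipal($ace) {
    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }                 # orphaned SID: cannot be one of the well-known groups above
    return $lowPriv -contains $sid
}

# Criterion 1 (enroll): low-priv Allow ACE with GenericAll, or ExtendedRight for
# Certificate-Enrollment (or for all extended rights, i.e. an empty ObjectType GUID)
function Test-LowPrivEnroll($acl) {
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or -not (Test-LowPrivPrincipal $ace)) { continue }
        $r = $ace.ActiveDirectoryRights
        if ($r.HasFlag($rights::GenericAll)) { return $true }
        if ($r.HasFlag($rights::ExtendedRight) -and
            ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty)) { return $true }
    }
    return $false
}

# Criterion 2 (modify): low-priv Allow ACE that can rewrite the template object itself
function Test-LowPrivModify($acl) {
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or -not (Test-LowPrivPrincipal $ace)) { continue }
        $r = $ace.ActiveDirectoryRights
        foreach ($flag in 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner') {
            if ($r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$flag)) { return $true }
        }
        # WriteProperty with an empty ObjectType GUID covers every attribute of the template
        if ($r.HasFlag($rights::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty) { return $true }
    }
    return $false
}

# 1) NTAuth store: CA certificates here are trusted for domain (PKINIT / smart card) logon
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pkiBase" -Properties cACertificate
"NTAuth store holds $(@($ntAuth.cACertificate | Where-Object { $_ }).Count) CA certificate(s)"

# 2) Enterprise CAs and the templates they publish; a template nobody publishes cannot be enrolled
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName, certificateTemplates
$published = @($cas | ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique)
"Enterprise CAs: $(($cas | ForEach-Object { $_.dNSHostName }) -join ', ')"

# 3) Proxy for the DC certificate condition: are the DC authentication templates published at all?
#    This only proves availability; check the DC certificate store or CA database for actual issuance.
$dcTemplates = 'DomainController', 'DomainControllerAuthentication', 'KerberosAuthentication'
"DC authentication templates published: $(($published | Where-Object { $dcTemplates -contains $_ }) -join ', ')"

# 4) Published templates matching either vulnerable criterion
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'

foreach ($t in $templates) {
    if ($published -notcontains $t.Name) { continue }
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $eku = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    # No EKU at all means the certificate is valid for any purpose, including client authentication
    $authCapable = ($eku.Count -eq 0) -or (@($eku | Where-Object { $authEkus -contains $_ }).Count -gt 0)

    $criterion1 = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -and
                  -not ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -and
                  ([int]$t.'msPKI-RA-Signature' -eq 0) -and
                  $authCapable -and (Test-LowPrivEnroll $acl)
    $criterion2 = Test-LowPrivModify $acl

    if ($criterion1 -or $criterion2) {
        [pscustomobject]@{
            Template          = $t.Name
            SubjectInRequest  = $criterion1   # criterion 1: requester-supplied subject + low-priv enroll
            LowPrivModify     = $criterion2   # criterion 2: low-priv principal can rewrite the template
        }
    }
}
```

&lt;p&gt;Run it from any domain-joined host as an ordinary domain user; the configuration partition is readable by Authenticated Users, which is also why an attacker can enumerate the same information. A template reported under the first column is directly enrollable with an arbitrary subject; one reported under the second is not yet abusable by itself but can be rewritten into the first case by the principals that hold the write permission.&lt;/p&gt;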
&lt;p&gt;The first three conditions are usually present in a standard Active Directory deployment and provide key functionality for other services. Certificate templates are also a standard component, but there it really comes down to their (mis)configuration and hardening. SpecterOps documents these misconfigurations very well and provides tooling to check for them¹.&lt;/p&gt;</description></item></channel></rss>