Merge pull request #1088 from HackTricks-wiki/research_update_src_windows-hardening_active-directory-methodology_ad-certificates_20250710_083127

carlospolop · web-flow · commit 65bc776dad11 · 2025-07-10T12:03:08.000+02:00
Add content: Research Update Enhanced src/windows-hardening/active-direct...
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates.md b/src/windows-hardening/active-directory-methodology/ad-certificates.md
@@ -113,20 +113,53 @@ Certify.exe cas
 # Identify vulnerable certificate templates with Certify
 Certify.exe find /vulnerable
 
-# Use Certipy for enumeration and identifying vulnerable templates
-certipy find -vulnerable -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
+# Use Certipy (>=4.0) for enumeration and identifying vulnerable templates
+certipy find -vulnerable -dc-only -u john@corp.local -p Passw0rd -target dc.corp.local
+
+# Request a certificate over the web enrollment interface (new in Certipy 4.x)
+certipy req -web -target ca.corp.local -template WebServer -upn john@corp.local -dns www.corp.local
 
 # Enumerate Enterprise CAs and certificate templates with certutil
 certutil.exe -TCAInfo
 certutil -v -dstemplate
 ```
 
+---
+
+## Recent Vulnerabilities & Security Updates (2022-2025)
+
+| Year | ID / Name | Impact | Key Take-aways |
+|------|-----------|--------|----------------|
+| 2022 | **CVE-2022-26923** – “Certifried” / ESC6 | *Privilege escalation* by spoofing machine account certificates during PKINIT. | Patch is included in the **May 10 2022** security updates. Auditing & strong-mapping controls were introduced via **KB5014754**; environments should now be in *Full Enforcement* mode. citeturn2search0 |
+| 2023 | **CVE-2023-35350 / 35351** | *Remote code-execution* in the AD CS Web Enrollment (certsrv) and CES roles. | Public PoCs are limited, but the vulnerable IIS components are often exposed internally. Patch as of **July 2023** Patch Tuesday. citeturn3search0 |
+| 2024 | **CVE-2024-49019** – “EKUwu” / ESC15 | Low-privileged users with enrollment rights could override **any** EKU or SAN during CSR generation, issuing certificates usable for client-authentication or code-signing and leading to *domain compromise*. | Addressed in **April 2024** updates. Remove “Supply in the request” from templates and restrict enrollment permissions. citeturn1search3 |
+
+### Microsoft hardening timeline (KB5014754)
+
+Microsoft introduced a three-phase rollout (Compatibility → Audit → Enforcement) to move Kerberos certificate authentication away from weak implicit mappings. As of **February 11 2025**, domain controllers automatically switch to **Full Enforcement** if the `StrongCertificateBindingEnforcement` registry value is not set. Administrators should:
+
+1. Patch all DCs & AD CS servers (May 2022 or later).
+2. Monitor Event ID 39/41 for weak mappings during the *Audit* phase.
+3. Re-issue client-auth certificates with the new **SID extension** or configure strong manual mappings before February 2025. citeturn2search0
+
+---
+
+## Detection & Hardening Enhancements
+
+* **Defender for Identity AD CS sensor (2023-2024)** now surfaces posture assessments for ESC1-ESC8/ESC11 and generates real-time alerts such as *“Domain-controller certificate issuance for a non-DC”* (ESC8) and *“Prevent Certificate Enrollment with arbitrary Application Policies”* (ESC15). Ensure sensors are deployed to all AD CS servers to benefit from these detections. citeturn5search0
+* Disable or tightly scope the **“Supply in the request”** option on all templates; prefer explicitly defined SAN/EKU values.
+* Remove **Any Purpose** or **No EKU** from templates unless absolutely required (addresses ESC2 scenarios).
+* Require **manager approval** or dedicated Enrollment Agent workflows for sensitive templates (e.g., WebServer / CodeSigning).
+* Restrict web enrollment (`certsrv`) and CES/NDES endpoints to trusted networks or behind client-certificate authentication.
+* Enforce RPC enrollment encryption (`certutil –setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQ`) to mitigate ESC11.
+
+---
+
 ## References
 
 - [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)
 - [https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html](https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html)
+- [https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16](https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16)
+- [https://advisory.eventussecurity.com/advisory/critical-vulnerability-in-ad-cs-allows-privilege-escalation/](https://advisory.eventussecurity.com/advisory/critical-vulnerability-in-ad-cs-allows-privilege-escalation/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
