AD CS Workflows MetaModule Report
Early Access Feature
This feature is in early access and requires Metasploit Pro version 4.22.7-2025050101 or later. Enable it by navigating to Administration > Global Settings and enabling the metamodule_enable_adcs_workflows setting.
The AD CS Workflows MetaModule performs automated attacks against an Active Directory Certificate Services (AD CS) environment. It follows a multi-step process where it gathers information, identifies misconfigurations, exploits those misconfigurations to elevate privileges, and finally generates a report of its findings.
To help you navigate through the data to find key information, the report is organized into the following sections:
- Cover Page
- Project Summary
- Template Configurations
- Discovered Certificate Authorities
- All Discovered Certificate Templates
- Issued Certificates
- Appendix: AD CS Background
- Appendix: Certificate Template Details
- Appendix: Definitions
- Appendix: Hardening Techniques
- Appendix: References
Project Summary
The Project Summary section gives a brief overview of what AD CS is and what the MetaModule did. It documents which techniques were selected for exploitation and what, if any, post-exploitation action was taken.
Template Configurations
The Template Configurations section lists each of the misconfigurations that the MetaModule searched for. Each entry includes a description of the misconfiguration, how an attacker could leverage it, and how it can be remediated. Lastly, each entry includes a table of the templates that matched the misconfiguration. This table notes the name of each certificate template and the CA server that issues it.
The result of each attempt to exploit the misconfiguration is noted in the "Status" column of the table.
- Untried - The MetaModule was not configured to exploit this misconfiguration, and thus, it did not attempt to issue any certificate.
- No Certificate Issued - No certificate could be issued by the MetaModule. The exploit technique failed, and the "Proof" column should be checked for details as to why.
- Certificate Issued - A certificate could be issued by abusing the misconfiguration. Either no post-exploitation action was taken, or it did not succeed, depending on the MetaModule's post-exploitation settings.
- Exploited - The certificate was issued and successfully used to perform a post-exploitation action.
Additional information about why the attempt failed or what was successfully accomplished is available in the "Proof" column of the table.
Discovered Certificate Authorities
The Discovered Certificate Authorities section notes what CAs were identified in the environment.
All Discovered Certificate Templates
The All Discovered Certificate Templates section is a table listing all certificate templates that were identified in the environment. It provides a consolidated view showing the templates, what CAs will issue them, and what misconfigurations were detected on them.
Issued Certificates
The Issued Certificates section is a table listing the certificates that were issued as part of the exploitation attempts. Some misconfigurations, such as ESC2 and ESC3, require an intermediate certificate to be issued as part of the exploitation process, but only the technique's final certificate is listed in this table. The "Identity" column lists the user who the certificate can authenticate as. This is almost always the Domain Administrator account; however, for some techniques, such as ESC13, it will be the configured user.
Appendix: AD CS Background
The AD CS Background appendix contains general information about what Active Directory Certificate Services is and what the MetaModule did and did not do.
Appendix: Certificate Template Details
The Certificate Template Details appendix contains verbose information about each certificate template that was identified, including the users and groups with edit and enrollment privileges.
Appendix: Definitions
The Definitions appendix contains terminology definitions used throughout the report.
Appendix: Hardening Techniques
The Hardening Techniques appendix contains common recommendations for hardening certificate template configurations. While the "Template Configurations" section contains remediation recommendations for the root cause of each misconfiguration, the Hardening Techniques appendix contains generalized recommendations that are applicable to multiple misconfigurations.
Appendix: References
The References appendix contains references for further reading about the topics discussed within the report.