H3-2022-0021

Active Directory Certificate Services Domain Escalation via Vulnerable PKI AD Object Access Controls

Category	SECURITY_MISCONFIGURATION
Base Score	7.5

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. Several AD objects can have a security impact on the entire Enterprise AD CS system. Possibilities include the CA server's AD computer object, the CA server's RPC/DCOM server, or any descendant AD object or container in the container CN=Public Key Services,CN=Services,CN=Configuration,DC=,DC=. If a low-privileged attacker can gain control over any of these objects they can likely compromise the entire PKI system.

Impact

Compromise of enterprise PKI System, leading to Domain Privilege Escalation.

References

• Certified Pre-Owned: Abusing Active Directory Certificate Services
• SpectreOps - Certified Pre-Owned