H3-2026-0004
Active Directory Certificate Services Misconfiguration: NTLM Relay to AD CS RPC Endpoint

| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.0 |
Description
Active Directory Certificate Services (AD CS) is Microsoft's enterprise PKI implementation and integrates with Active Directory. The Certificate Authority does not require encryption (RPC packet privacy) for ICertPassage Remote Protocol (ICPR) requests because the IF_ENFORCEENCRYPTICERTREQUEST interface flag is not set. Using NTLM relay, an attacker on a compromised machine can impersonate any AD account whose inbound NTLM authentication they can intercept, by relaying that authentication to the CA's RPC endpoint and requesting a client authentication certificate in the victim's name.
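The check a CA administrator would run to confirm or rule out this condition, as an added example that is not part of the advisory: it reads the CA's InterfaceFlags value from the CertSvc registry configuration and tests the IF_ENFORCEENCRYPTICERTREQUEST bit (0x200, as defined in MS-CSRA). It assumes it runs with local administrator rights on the CA host and that the CA instance name is stored in the `Active` value of the CertSvc configuration key, which is the standard layout.

```powershell
# Added audit script (not part of the advisory): does this CA require
# RPC packet privacy for ICertPassage (ICPR) certificate requests?
# Assumptions: run locally on the CA as an administrator; the CertSvc
# registry layout is HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.

$IF_ENFORCEENCRYPTICERTREQUEST = 0x200   # InterfaceFlags bit from MS-CSRA

function Test-CaEnforcesEncryptedIcpr {
    param([string]$CaName)
    $configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not $CaName) {
        # 'Active' holds the name of the CA instance configured on this host
        $CaName = (Get-ItemProperty -Path $configKey -Name Active).Active
    }
    $caKey = Join-Path $configKey $CaName
    $flags = (Get-ItemProperty -Path $caKey -Name InterfaceFlags).InterfaceFlags

    [pscustomobject]@{
        CA                 = $CaName
        InterfaceFlags     = ('0x{0:X}' -f $flags)
        EncryptionEnforced = (($flags -band $IF_ENFORCEENCRYPTICERTREQUEST) -ne 0)
    }
}

$result = Test-CaEnforcesEncryptedIcpr
$result | Format-List

if (-not $result.EncryptionEnforced) {
    Write-Warning "IF_ENFORCEENCRYPTICERTREQUEST is not set: ICPR requests are accepted without packet privacy, so NTLM relay to the CA RPC endpoint is possible."
    Write-Host "Remediation (on the CA, then restart the service so the flag takes effect):"
    Write-Host "  certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST"
    Write-Host "  net stop certsvc"
    Write-Host "  net start certsvc"
}
```

The same value can be read without the script with `certutil -getreg CA\InterfaceFlags`, which lists the symbolic flag names that are set; the remediation line above is the equivalent `certutil -setreg` call. Setting the flag makes the CA reject ICPR connections below RPC_C_AUTHN_LEVEL_PKT_PRIVACY, so test older enrollment clients before rolling it out across an environment.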
Impact
If an attacker can position themselves as a man-in-the-middle and relay NTLM authentication to the CA's RPC endpoint, they can obtain an authentication certificate issued to a privileged domain user and use it to authenticate as that user.