H3-2022-0024

Active Directory Certificate Services Misconfiguration: NTLM Relay to AD CS HTTP Endpoint

Category	SECURITY_MISCONFIGURATION
Base Score	7.0

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. Using NTLM relay, an attacker on a compromised machine can impersonate any inbound-NTLM-authenticating AD account. While impersonating the victim account, an attacker could access the ADCS enrollment web interface and request a client authentication certificate based on the User or Machine certificate templates.

Impact

If an attacker is able to conduct a man-in-the-middle attack against the vulnerable ADCS web endpoint, they can request an authentication certificate for a privileged domain user.

References

• Certified Pre-Owned: Abusing Active Directory Certificate Services, Harden AD CS HTTP Endpoints - PREVENT8
• SpectreOps - Certified Pre-Owned
• Microsoft Security Response Center - Extended Protection for Authentication.