Search Results

In this section we'll tackle an attack scenario that sees us compromising a Cloud Administrator account and wanting to get access to an application we don't have access to. This application has a Contributor RBAC role to the subscription so we'll end up assign...

Just like for the Cloud Administrator section, we'll walk though a small attack scenario which starts with us compromising a User Administrator account. Let's say there is a credential vault in a subscription we are not part of and we want to get to that: what...

For this technique to work we need a certificate template with the following requirements: ENROLLEE_SUPPLIES_SUBJECT attribute enabled: this allows the user that initialized the CSR (certificate request) to specify any SAN (subjectAltName) allowing us to req...

This privilege escalation technique requires the following: Any Purpose EKU which allows the attacker to get a certificate that can be used for all purposes (Client Authentication, Code Signing, ...) ENROLLEE_SUPPLIES_SUBJECT attribute enabled a user with en...

Unlike ESC1 and ESC2, this method requires two certificate templates with the following requirements First Template Certificate Request Agent EKU Second Template Client Authentication EKU Application Policy Issuance Requirement with Authorized Signatures ...

Check if ADCS installed Windows Presence of module ADCS: Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction SilentlyContinue Presence of built-in Cert Publishers group which authorizes Certificate Authorities to publish certificates: net localgroup "...

You can create misconfigurations even in templates that are not initially vulnerable. For example, enabling the mspki-certificate-name-flag for a template allowing domain authentication could result in a situation similar to ESC1. This might allow less privile...

Vulnerable PKI Object Access Control where the objects have the following requirements: The AD computer object of the CA server, which may be compromised through mechanisms like S4U2Self or S4U2Proxy. The RPC/DCOM server of the CA server. Any descendant ...

Note: ESC6 got patch on May of 2022. ESC6 permits the inclusion of user-defined values in subject alternative name for any request. On Windows we can verify the permission : PS /home/bobbuilder> certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags" Wi...

Vulnerable Certificate Authority Access Control where 2 sets of permissions poses security risks: ManageCA (or ManageCertificates) ManageCertificates (or Certificate Manager) Enumerate using certsrv.msc PS /home/bobbuilder> Get-CertificationAuthority -Comput...

Authentication coercion from a machine account where we relay the NTLM hash to AD CS to obtain a certificate that allows us to authenticate. Requirements A vulnerable web enrollment endpoint. At least one certificate template published that allows for domain ...

To exploit ESC9, ensure the StrongCertificateBindingEnforcement key is not set to 2 or includes the UPN flag, the template has CT_FLAG_NO_SECURITY_EXTENSION, specifies client authentication, and the attacker has GenericWrite privilege on account A to compromis...

Case 1 Reviewing registry keys as Administrator bob$ python3 reg.py minions.com/'Administrator':'<pass>'@<IP_address> query -keyName 'HKLM\SYSTEM\CurrentControlSet\Services\Kdc' If we get StrongCertificateBindingEnforcement REG_DWORD 0x0 we can proceed. Retri...

The vulnerability identified as ESC11 involves exploiting the modification of the IF_ENFORCEENCRYPTICERTREQUEST flag in the MS-ICPR RPC interface of ADCS, potentially allowing an NTLM relay attack to request certificates from authorized certificate templates v...

If a principal (user or computer) has enrollment rights on a certificate template configured with an issuance policy that has an OID group link, then this principal can enroll a certificate that allows obtaining access to the environment as a member of the gro...

If we are able to enroll certificates as someone else (user or computer), we can compromise a target principal using explicit certificate mapping. Requirements There is 4 scenarios: ESC14 Scenario A: Write altSecurityIdentities on Target The attacker has writ...

The gist of this persistence technique is creating a malicious domain inside a target tenant and use the newly-created domain to impersonate any user from the tenant in M365. This method requires a high-privilege account to be compromised (or gained) such as D...

This technique is pretty simple as it only consists in "backdooring" user accounts that don't have MFA set up; if an attacker controls one of these accounts it's possible to register new devices under that user's account. A simple way to get the MFA status of ...

This persistence method consists in backdooring Azure applications leveraging the permissions of a SP account to gain SSO access to the environment with the permissions of that applications without the need for credentials. The main benefits of attacking SP ac...