Microsoft ADCS – Abusing PKI in Active Directory Environment
Due to the ever-growing use of certificates in modern applications, a large number of Active Directory infrastructures make use of Public Key Infrastructures (PKI) features. These features are provided by Certification Authorities (CA) which are either external to Active Directory or deeply coupled with it.
Similar intricate systems, such as Microsoft Exchange, have highlighted a significant number of ways that someone with a user account on Active Directory and malicious intent can benefit from to take over Active Directory.
Active Directory Certificate Services (ADCS) have never really been under security scrutiny until a few years ago (by C. Falta and later Q&D Security). We will therefore focus today on how similar techniques can be used to gain Domain Admins privileges.
Note: this article assumes that the reader has a correct understanding of Active Directory and/or PKI operation; some sections may be skipped depending on the reader experience and level of expertise.
