{
	"id": "869ec580-25a8-4091-bd8c-043457a2e54c",
	"created_at": "2026-04-06T00:19:59.30774Z",
	"updated_at": "2026-04-10T13:12:18.028197Z",
	"deleted_at": null,
	"sha1_hash": "56192864c55c7f628e7ebb086ff133d5231b2f7f",
	"title": "GitHub - GhostPack/PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 145691,
	"plain_text": "GitHub - GhostPack/PSPKIAudit: PowerShell toolkit for AD CS\r\nauditing based on the PSPKI toolkit.\r\nBy leechristensen\r\nArchived: 2026-04-05 13:45:39 UTC\r\nPowerShell toolkit for auditing Active Directory Certificate Services (AD CS).\r\nIt is built on top of PKISolution's PSPKI toolkit (Microsoft Public License). This repo contains a newer version of\r\nPSPKI than what's available in the PSGallery (see the PSPKI directory). Vadims Podans (the creator of PSPKI)\r\ngraciously provided this version as it contains patches for several bugs.\r\nThis README is only meant as a starting point; for complete details and defensive guidance, please see the\r\n\"Certified Pre-Owned\" whitepaper.\r\nThe module contains the following main functions:\r\n1. Invoke-PKIAudit - Audits the current Forest's AD CS settings, primarily analyzing the CA server and\r\npublished templates for potential privilege escalation opportunities.\r\n2. Get-CertRequest - Examines a CA's issued certificates by querying the CA's database. Its primary purpose is\r\nto discover certificate requests that may have abused a certificate template privilege escalation\r\nvulnerability. In addition, if a user or computer is compromised, incident responders can use it to find\r\ncertificates the CA server had issued to the compromised user/computer (which should then be revoked).\r\nWARNING: This code is beta! We are confident that Invoke-PKIAudit will not impact the environment as the\r\namount of data it queries is quite limited. We have not done rigorous testing with Get-CertRequest against\r\ntypical CA server workloads. 
Get-CertRequest queries the CA's database directly and may have to process\r\nthousands of results, which might impact performance.\r\nIF THERE ARE NO RESULTS, THIS IS NOT A GUARANTEE THAT YOUR ENVIRONMENT IS\r\nSECURE!!\r\nWE ALSO CANNOT GUARANTEE THAT OUR MITIGATION ADVICE WILL MAKE YOUR\r\nENVIRONMENT SECURE OR WILL NOT DISRUPT OPERATIONS!\r\nIt is your responsibility to talk to your Active Directory/PKI/Architecture team(s) to determine the best mitigations\r\nfor your environment.\r\nIf the code breaks, or we missed something, please submit an issue or pull request for a fix!\r\nSetup\r\nAuditing AD CS Misconfigurations\r\nOutput Explanation\r\nhttps://github.com/GhostPack/PSPKIAudit\r\nPage 1 of 17\r\nESC1 - Misconfigured Certificate Templates\r\nESC2 - Misconfigured Certificate Templates\r\nESC3 - Misconfigured Enrollment Agent Templates\r\nESC4 - Vulnerable Certificate Template Access Control\r\nESC5 - Vulnerable PKI AD Object Access Control\r\nESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2\r\nESC7 - Vulnerable Certificate Authority Access Control\r\nESC8 - NTLM Relay to AD CS HTTP Endpoints\r\nMisc - Explicit Mappings\r\nTriaging Existing Issued Certificate Requests\r\nSetup\r\nRequirements\r\nInstall the following on a Windows machine using an elevated PowerShell prompt (PowerShell version 5.1 or\r\nabove):\r\nRSAT's Certificate Services and Active Directory features. Install with the following command:\r\nGet-WindowsCapability -Online -Name \"Rsat.*\" | where Name -match \"CertificateServices|ActiveDirectory\" | Add-Wi\r\nThe PSPKI PowerShell module. Install with the following command:\r\nInstall-Module -Name PSPKI\r\nImport\r\nDownload the module and extract it to a folder. 
Then, import the module using the following commands:\r\ncd PSPKIAudit\r\nGet-ChildItem -Recurse | Unblock-File\r\nImport-Module .\\PSPKIAudit.psd1\r\nAuditing AD CS Misconfigurations\r\nRunning Invoke-PKIAudit will run all auditing checks against AD CS in the current domain, including\r\nenumerating various Certificate Authority and Certificate Template settings. To audit a specific CA, you can run\r\nInvoke-PKIAudit -CAComputerName CA.DOMAIN.COM or Invoke-PKIAudit -CAName X-Y-Z.\r\nAny misconfigurations (ESC1-8) will appear in the Misconfigurations property of the CA/template results to identify the\r\nspecific misconfiguration found.\r\nIf you want to change the groups/users used to test enrollment/access control, modify the\r\n$CommonLowprivPrincipals regex at the top of Invoke-PKIAudit.ps1\r\nIf you want to export all CA information to a csv, run: Get-AuditCertificateAuthority [-CAComputerName\r\nCA.DOMAIN.COM | -CAName X-Y-Z] | Export-Csv -NoTypeInformation CAs.csv\r\nIf you want to export ALL published template information to a csv (not just vulnerable templates), run: Get-AuditCertificateTemplate [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] | Export-Csv -NoTypeInformation templates.csv\r\nOutput Explanation\r\nThere are two main sections of output: details about discovered CAs and details about potentially vulnerable\r\ntemplates.\r\nFor certificate authority results:\r\nCertificate Authority Property: Description\r\nComputerName: The system the CA is running on.\r\nCAName: The name of the CA.\r\nConfigString: The full COMPUTER\\CA_NAME configuration string.\r\nIsRoot: If the CA is a root CA.\r\nAllowsUserSuppliedSans: If the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set.\r\nVulnerableACL: Whether the CA has a vulnerable ACL setting.\r\nEnrollmentPrincipals: Principals who have the Enroll privilege at the CA level.\r\nEnrollmentEndpoints: The CA's web services enrollment 
endpoints.\r\nNTLMEnrollmentEndpoints: The CA's web services enrollment endpoints that have NTLM enabled.\r\nDACL: The full access control information.\r\nMisconfigurations: ESCX indicating the specific misconfiguration present (if any).\r\nFor certificate template results:\r\nProperty: Description\r\nCA: The full CA ConfigString the template is published on (null for not published).\r\nName: The template name.\r\nSchemaVersion: The schema version (1/2/3) of the template.\r\nOID: The unique object identifier for the template.\r\nVulnerableTemplateACL: True if the template has a vulnerable ACL setting.\r\nLowPrivCanEnroll: True if low-privileged users can enroll in the template.\r\nEnrolleeSuppliesSubject: True if the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is present (i.e., users can\r\nsupply arbitrary SANs).\r\nEnhancedKeyUsage: The usage EKUs enabled in the template.\r\nHasAuthenticationEku: True if the template has an EKU that allows for authentication.\r\nHasDangerousEku: True if the template has a \"dangerous\" (Any Purpose or null) EKU.\r\nEnrollmentAgentTemplate: True if the template has the \"Certificate Request Agent\" EKU.\r\nCAManagerApproval: True if manager approvals are needed for enrollment.\r\nIssuanceRequirements: Authorized signature information.\r\nValidityPeriod: How long the certificate is valid for.\r\nRenewalPeriod: The renewal period for the certificate.\r\nOwner: The principal who owns the template's AD object.\r\nDACL: The full access control information.\r\nMisconfigurations: ESCX indicating the specific misconfiguration present (if any).\r\nESC1 - Misconfigured Certificate Templates\r\nDetails\r\nThis privilege escalation scenario occurs when the following conditions are met:\r\n1. The Enterprise CA grants low-privileged users enrollment rights. The Enterprise CA's configuration\r\nmust permit low-privileged users the ability to request certificates. 
See the \"Background - Enrollment\"\r\nsection at the beginning of the whitepaper for more details.\r\n2. Manager approval is disabled. This setting necessitates that a user with certificate \"manager\" permissions\r\nreview and approve the requested certificate before the certificate is issued. See the \"Background -\r\nIssuance Requirements\" section at the beginning of the whitepaper for more details.\r\n3. No authorized signatures are required. This setting requires any CSR to be signed by an existing\r\nauthorized certificate. See the \"Background - Issuance Requirements\" section at the beginning of the\r\nwhitepaper for more details.\r\n4. An overly permissive certificate template security descriptor grants certificate enrollment rights to\r\nlow-privileged users. Having certificate enrollment rights allows a low-privileged attacker to request and\r\nobtain a certificate based on the template. Enrollment Rights are granted via the certificate template AD\r\nobject's security descriptor.\r\n5. The certificate template defines EKUs that enable authentication. Applicable EKUs include Client\r\nAuthentication (OID 1.3.6.1.5.5.7.3.2), PKINIT Client Authentication (OID 1.3.6.1.5.2.3.4), or Smart Card\r\nLogon (OID 1.3.6.1.4.1.311.20.2.2).\r\n6. The certificate template allows requesters to specify a subjectAltName (SAN) in the CSR. If a\r\nrequester can specify the SAN in a CSR, the requester can request a certificate as anyone (e.g., a domain\r\nadmin user). The certificate template's AD object specifies if the requester can specify the SAN in its\r\nmspki-certificate-name-flag property. 
The mspki-certificate-name-flag property is a bitmask and if the\r\nCT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is present, a requester can specify the SAN.\r\nTL;DR This situation means that an unprivileged user can request a certificate that can be used for domain\r\nauthentication, where they can specify an arbitrary alternative name (like a domain admin). This can result in a\r\nworking certificate for an elevated user like a domain admin!\r\nExample\r\n[!] Potentially vulnerable Certificate Templates:\r\nCA : dc.theshire.local\\theshire-DC-CA\r\nName : ESC1Template\r\nSchemaVersion : 2\r\nOID : ESC1 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657\r\nVulnerableTemplateACL : False\r\nLowPrivCanEnroll : True\r\nEnrolleeSuppliesSubject : True\r\nEnhancedKeyUsage : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting\r\nHasAuthenticationEku : True\r\nHasDangerousEku : False\r\nEnrollmentAgentTemplate : False\r\nCAManagerApproval : False\r\nIssuanceRequirements : [Issuance Requirements]\r\n Authorized signature count: 0\r\n Reenrollment requires: same criteria as for enrollment.\r\nValidityPeriod : 1 years\r\nRenewalPeriod : 6 weeks\r\nOwner : THESHIRE\\localadmin\r\nDACL : NT AUTHORITY\\Authenticated Users (Allow) - Read\r\n THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\Domain Users (Allow) - Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\localadmin (Allow) - Read, Write\r\nMisconfigurations : ESC1\r\nMitigations\r\nThere are a few options. First, right click the affected certificate template in the Certificate Templates Console\r\n(certtmpl.msc) and click \"Properties\".\r\n1. Remove the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag via \"Subject Name\", unchecking\r\n\"Supply in Request\".\r\nThis prevents arbitrary SAN specification in the CSR. 
Unless alternate names are really needed\r\nfor this template, this is probably the best fix.\r\n2. Remove the \"Client Authentication\" and/or \"Smart Card Logon\" EKUs via \"Extensions\" -\u003e \"Application\r\nPolicies\".\r\nThis prevents domain authentication with this template.\r\n3. Enable \"CA Certificate Manager Approval\" in \"Issuance Requirements\".\r\nThis puts requests for this template in the \"Pending Requests\" queue that must be manually\r\napproved by a certificate manager.\r\n4. Enable \"Authorized Signatures\" in \"Issuance Requirements\" (if you know what you're doing).\r\nThis forces CSRs to be co-signed by an Enrollment Agent certificate.\r\n5. Remove the ability of low-privileged users to enroll in this template via \"Security\" by removing the\r\nappropriate Enroll privilege.\r\nESC2 - Misconfigured Certificate Templates\r\nDetails\r\nThis privilege escalation scenario occurs when the following conditions are met:\r\n1. The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.\r\n2. Manager approval is disabled. Details are the same as in ESC1.\r\n3. No authorized signatures are required. Details are the same as in ESC1.\r\n4. An overly permissive certificate template security descriptor grants certificate enrollment rights to\r\nlow-privileged users. Details are the same as in ESC1.\r\n5. The certificate template defines Any Purpose EKUs or no EKU. The Any Purpose EKU (OID 2.5.29.37.0)\r\ncan be used for (surprise!) any purpose, including client authentication. If no EKUs are specified - i.e. the\r\npkiextendedkeyusage attribute is empty or doesn't exist - then the certificate is the equivalent of a\r\nsubordinate CA certificate and can be used for anything.\r\nTL;DR This is very similar to ESC1, however with the Any Purpose or no EKU, the\r\nCT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag does not need to be present.\r\nExample\r\n[!] 
Potentially vulnerable Certificate Templates:\r\nCA : dc.theshire.local\\theshire-DC-CA\r\nName : ESC2Template\r\nSchemaVersion : 2\r\nOID : ESC2 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.77300\r\nVulnerableTemplateACL : False\r\nLowPrivCanEnroll : True\r\nEnrolleeSuppliesSubject : False\r\nEnhancedKeyUsage :\r\nHasAuthenticationEku : True\r\nHasDangerousEku : True\r\nEnrollmentAgentTemplate : False\r\nCAManagerApproval : False\r\nIssuanceRequirements : [Issuance Requirements]\r\n Authorized signature count: 0\r\n Reenrollment requires: same criteria as for enrollment.\r\nValidityPeriod : 1 years\r\nRenewalPeriod : 6 weeks\r\nOwner : THESHIRE\\localadmin\r\nDACL : NT AUTHORITY\\Authenticated Users (Allow) - Read\r\n THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\Domain Users (Allow) - Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\localadmin (Allow) - Read, Write\r\nMisconfigurations : ESC2\r\nMitigations\r\nThere are a few options. First, right click the affected certificate template in the Certificate Templates Console\r\n(certtmpl.msc) and click \"Properties\".\r\n1. Remove the ability of low-privileged users to enroll in this template via \"Security\" by removing the\r\nappropriate Enroll privilege.\r\nThis is likely the best fix, as these sensitive EKUs should not be available to low-privileged users!\r\n2. Enable \"CA Certificate Manager Approval\" in \"Issuance Requirements\".\r\nThis puts requests for this template in the \"Pending Requests\" queue that must be manually\r\napproved by a certificate manager.\r\n3. 
Enable \"Authorized Signatures\" in \"Issuance Requirements\" (if you know what you're doing).\r\nThis forces CSRs to be co-signed by an Enrollment Agent certificate.\r\nESC3 - Misconfigured Enrollment Agent Templates\r\nDetails\r\nThis privilege escalation scenario occurs when the following conditions are met:\r\n1. The Enterprise CA grants low-privileged users enrollment rights. Details are the same as in ESC1.\r\n2. Manager approval is disabled. Details are the same as in ESC1.\r\n3. No authorized signatures are required. Details are the same as in ESC1.\r\n4. An overly permissive certificate template security descriptor grants certificate enrollment rights to\r\nlow-privileged users. Details are the same as in ESC1.\r\n5. The certificate template defines the Certificate Request Agent EKU. The Certificate Request Agent\r\nEKU (OID 1.3.6.1.4.1.311.20.2.1) allows a principal to enroll for another certificate template on behalf of\r\nanother user.\r\n6. Enrollment agent restrictions are not implemented on the CA.\r\nTL;DR Someone with a Certificate Request (aka Enrollment) Agent certificate can enroll in other certificates on\r\nbehalf of any user in the domain, for any Schema Version 1 template or any Schema Version 2+ template that\r\nrequires the appropriate \"Authorized Signatures/Application Policy\" Issuance Requirement, unless \"Enrollment\r\nAgent Restrictions\" are implemented at the CA level.\r\nExample\r\n[!] 
Potentially vulnerable Certificate Templates:\r\nCA : dc.theshire.local\\theshire-DC-CA\r\nName : ESC3Template\r\nSchemaVersion : 2\r\nOID : ESC3 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.43003\r\nVulnerableTemplateACL : False\r\nLowPrivCanEnroll : True\r\nEnrolleeSuppliesSubject : False\r\nEnhancedKeyUsage : Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)\r\nHasAuthenticationEku : False\r\nHasDangerousEku : False\r\nEnrollmentAgentTemplate : True\r\nCAManagerApproval : False\r\nIssuanceRequirements : [Issuance Requirements]\r\n Authorized signature count: 0\r\n Reenrollment requires: same criteria as for enrollment.\r\nValidityPeriod : 1 years\r\nRenewalPeriod : 6 weeks\r\nOwner : THESHIRE\\localadmin\r\nDACL : NT AUTHORITY\\Authenticated Users (Allow) - Read\r\n THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\Domain Users (Allow) - Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\localadmin (Allow) - Read, Write\r\nMisconfigurations : ESC3\r\nMitigations\r\nThere are a few options. First, right click the affected certificate template in the Certificate Templates Console\r\n(certtmpl.msc) and click \"Properties\".\r\n1. Remove the ability of low-privileged users to enroll in this template via \"Security\" by removing the\r\nappropriate Enroll privilege.\r\nThis is likely the best fix, as this sensitive EKU should not be available to low-privileged users!\r\n2. Enable \"CA Certificate Manager Approval\" in \"Issuance Requirements\".\r\nThis puts requests for this template in the \"Pending Requests\" queue that must be manually\r\napproved by a certificate manager.\r\nYou can also implement \"Enrollment Agent Restrictions\" via the Certification Authority console (certsrv.msc). On\r\nthe affected CA, right click the CA name and click \"Properties\" -\u003e \"Enrollment Agents\". 
There is more\r\ninformation on this approach here.\r\nESC4 - Vulnerable Certificate Template Access Control\r\nDetails\r\nCertificate templates are securable objects in Active Directory, meaning they have a security descriptor that\r\nspecifies which Active Directory principals have specific permissions over the template. Templates that have\r\nvulnerable access control grant unintended principals the ability to modify settings in the template. With\r\nmodification rights, an attacker can set vulnerable EKUs (ESC1-ESC3), flip settings like\r\nCT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (ESC1), and/or remove \"Issuance Requirements\" like manager\r\napproval or authorized signatures.\r\nExample\r\n[!] Potentially vulnerable Certificate Templates:\r\nCA : dc.theshire.local\\theshire-DC-CA\r\nName : ESC4Template\r\nSchemaVersion : 2\r\nOID : ESC4 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.17687\r\nVulnerableTemplateACL : True\r\nLowPrivCanEnroll : True\r\nEnrolleeSuppliesSubject : False\r\nEnhancedKeyUsage : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting\r\nHasAuthenticationEku : True\r\nHasDangerousEku : False\r\nEnrollmentAgentTemplate : False\r\nCAManagerApproval : False\r\nIssuanceRequirements : [Issuance Requirements]\r\n Authorized signature count: 0\r\n Reenrollment requires: same criteria as for enrollment.\r\nValidityPeriod : 1 years\r\nRenewalPeriod : 6 weeks\r\nOwner : THESHIRE\\localadmin\r\nDACL : NT AUTHORITY\\Authenticated Users (Allow) - Read, Write\r\n THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\Domain Users (Allow) - Read, Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\localadmin (Allow) - Read, Write\r\nMisconfigurations : ESC4\r\nMitigations\r\nRight click the affected certificate template in the Certificate Templates Console (certtmpl.msc) and 
click\r\n\"Properties\".\r\nGo to \"Security\" and remove the vulnerable access control entry.\r\nESC5 - Vulnerable PKI AD Object Access Control\r\nDetails\r\nA number of objects outside of certificate templates and the certificate authority itself can have a security impact\r\non the entire AD CS system.\r\nThese possibilities include (but are not limited to):\r\nThe CA server's AD computer object (i.e., compromise through RBCD)\r\nThe CA server's RPC/DCOM server\r\nPKI-related AD objects. Any descendant AD object or container in the container CN=Public Key\r\nServices,CN=Services,CN=Configuration,DC=,DC= (e.g., the Certificate Templates container, the\r\nCertification Authorities container, the NTAuthCertificates object, etc.)\r\nDue to the broad scope of this specific misconfiguration, we do not currently check for ESC5 by default in this\r\ntoolkit.\r\nAccess paths into the CA server itself can be found in current BloodHound collections.\r\nThe CA server's RPC/DCOM server security requires manual analysis.\r\nThe following commands output a list of users and the control/edit right each user has over a PKI-related AD\r\nobject.\r\n$Controllers = Get-AuditPKIADObjectControllers\r\nFormat-PKIAdObjectControllers $Controllers\r\nEnsure all principals in the results absolutely require the listed rights. 
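An added check for that review (example code written for this page, not part of PSPKIAudit or PSPKI): it walks every object under CN=Public Key Services in the Configuration naming context with the RSAT ActiveDirectory module, already a prerequisite above, and reports owners and Allow ACEs that carry control rights (GenericAll, WriteDacl, WriteOwner, GenericWrite, or WriteProperty over all attributes) and belong to principals outside an assumed tier-0 allow list. The allow list and the Test-Tier0Principal, Test-HasRight, Get-ControlRight and Get-PkiObjectController names are this example's own assumptions; the output shape mirrors the principal/right/object triples that Format-PKIAdObjectControllers prints in the Example that follows.

```powershell
# Added example, not PSPKIAudit's own code: report non-tier-0 principals that own or can
# modify objects under CN=Public Key Services (ESC5). Needs the RSAT ActiveDirectory module,
# which is already a PSPKIAudit prerequisite.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Assumption: account names (the part after DOMAIN\\) that legitimately control PKI objects.
# Extend this for your forest, e.g. with your PKI admin group.
$Tier0Names = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins')

function Test-Tier0Principal {
    param([string]$Principal)
    # Compare only the account part of DOMAIN\\Name (an unresolved SID simply never matches).
    return ($Tier0Names -contains $Principal.Split('\\')[-1])
}

function Test-HasRight {
    param($Rights, [System.DirectoryServices.ActiveDirectoryRights]$Wanted)
    # Mask containment, not just a non-zero -band: GenericAll and GenericWrite are multi-bit masks.
    return (($Rights -band $Wanted) -eq $Wanted)
}

function Get-ControlRight {
    param($Ace)
    # Map an ACE to the control right it grants, or $null when it is only read/enroll-class.
    $r = $Ace.ActiveDirectoryRights
    if (Test-HasRight $r GenericAll)   { return 'GenericAll' }
    if (Test-HasRight $r WriteDacl)    { return 'WriteDacl' }
    if (Test-HasRight $r WriteOwner)   { return 'WriteOwner' }
    if (Test-HasRight $r GenericWrite) { return 'GenericWrite' }
    if (Test-HasRight $r WriteProperty) {
        # WriteProperty covers every attribute only when ObjectType is the empty GUID; an ACE
        # scoped to one attribute is still reported, with its GUID, for manual review.
        if ($Ace.ObjectType -eq [guid]::Empty) { return 'WriteAllProperties' }
        return ('WriteProperty ' + $Ace.ObjectType)
    }
    return $null
}

function Get-PkiObjectController {
    # Emits Principal / Right / Object triples for every control right held outside the allow list.
    [CmdletBinding()]
    param()
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = 'CN=Public Key Services,CN=Services,' + $configNC

    foreach ($obj in Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter *) {
        $dn  = $obj.DistinguishedName
        $acl = Get-Acl -Path ('AD:\\' + $dn)

        # The owner can always rewrite the DACL, so a non-tier-0 owner is a finding on its own.
        if (-not (Test-Tier0Principal $acl.Owner)) {
            [pscustomobject]@{ Principal = $acl.Owner; Right = 'Owner'; Object = $dn }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if (Test-Tier0Principal $who) { continue }
            $right = Get-ControlRight $ace
            if ($right) {
                [pscustomobject]@{ Principal = $who; Right = $right; Object = $dn }
            }
        }
    }
}

# Usage: one row per principal/right/object, like the Format-PKIAdObjectControllers listing.
Get-PkiObjectController | Sort-Object Principal, Object, Right -Unique | Format-Table -AutoSize
```

Inherited ACEs are kept on purpose: a WriteDacl granted at the Certificate Templates container reaches every template beneath it. Deny ACEs are skipped, so a principal that is allowed and then denied the same right still shows up and has to be judged by hand.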
Often, non-tier-0 accounts (be it low\r\nprivileged users/groups or lower-privileged non-AD server admins) have control of PKI-related AD objects.\r\nExample\r\nTHESHIRE\\Cert Publishers (S-1-5-21-3022474190-4230777124-3051344698-517)\r\n GenericAll CN=THESHIRE-DC-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Conf\r\n GenericAll CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\r\n GenericAll CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL\r\n GenericAll CN=THESHIRE-DC-CA,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THE\r\nTHESHIRE\\DC$ (S-1-5-21-3022474190-4230777124-3051344698-1000)\r\n WriteOwner CN=THESHIRE-DC-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configurat\r\n GenericAll CN=THESHIRE-DC-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,\r\n GenericAll CN=THESHIRE-DC-CA,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THE\r\n GenericAll CN=THESHIRE-DC-CA,CN=KRA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,\r\nTHESHIRE\\Domain Computers (S-1-5-21-3022474190-4230777124-3051344698-515)\r\n WriteDacl CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=C\r\nTHESHIRE\\Domain Users (S-1-5-21-3022474190-4230777124-3051344698-513)\r\n WriteAllProperties CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=C\r\nTHESHIRE\\john-sa (S-1-5-21-3022474190-4230777124-3051344698-1602)\r\n GenericAll CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=C\r\nNT AUTHORITY\\Authenticated Users (S-1-5-11)\r\n Owner CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=C\r\n WriteOwner CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=C\r\nMitigations\r\nRemove any vulnerable access control entries through 
Active Directory Users and Computers (dsa.msc) or\r\nADSIEdit (adsiedit.msc) for configuration objects.\r\nESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2\r\nDetails\r\nIf the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set in the configuration for a Certificate\r\nAuthority, ANY certificate request can specify arbitrary Subject Alternative Names (SANs). This means that ANY\r\ntemplate configured for domain authentication that also allows unprivileged users to enroll (e.g., the default User\r\ntemplate) can be abused to obtain a certificate that allows authentication as a domain admin (or any other\r\nactive user/machine).\r\nTHIS SETTING SHOULD ABSOLUTELY NOT BE SET IN YOUR ENVIRONMENT.\r\nExample\r\n=== Certificate Authority ===\r\nComputerName : dc.theshire.local\r\nCAName : theshire-DC-CA\r\nConfigString : dc.theshire.local\\theshire-DC-CA\r\nIsRoot : True\r\nAllowsUserSuppliedSans : True\r\nVulnerableACL : False\r\nEnrollmentPrincipals : THESHIRE\\Domain Users\r\n THESHIRE\\Domain Computers\r\n THESHIRE\\certmanager\r\n THESHIRE\\certadmin\r\n THESHIRE\\Nested3\r\nEnrollmentEndpoints :\r\nNTLMEnrollmentEndpoints :\r\nDACL : BUILTIN\\Administrators (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\Domain Admins (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\Domain Users (Allow) - Read, Enroll\r\n THESHIRE\\Domain Computers (Allow) - Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\certmanager (Allow) - ManageCertificates, Enroll\r\n THESHIRE\\certadmin (Allow) - ManageCA, Enroll\r\n THESHIRE\\Nested3 (Allow) - ManageCertificates, Enroll\r\nMisconfigurations : ESC6\r\n[!] The above CA is misconfigured!\r\n...(snip)...\r\n[!] 
EDITF_ATTRIBUTESUBJECTALTNAME2 set on this CA, the following templates may be vulnerable:\r\nCA : dc.theshire.local\\theshire-DC-CA\r\nName : User\r\nSchemaVersion : 1\r\nOID : 1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.1.1\r\nVulnerableTemplateACL : False\r\nLowPrivCanEnroll : True\r\nEnrolleeSuppliesSubject : False\r\nEnhancedKeyUsage : Encrypting File System (1.3.6.1.4.1.311.10.3.4)|Secure Email (1.3.6.1.5.5.7.3.4)|Clien\r\nHasAuthenticationEku : True\r\nHasDangerousEku : False\r\nEnrollmentAgentTemplate : False\r\nCAManagerApproval : False\r\nIssuanceRequirements : [Issuance Requirements]\r\n Authorized signature count: 0\r\n Reenrollment requires: same criteria as for enrollment.\r\nValidityPeriod : 1 years\r\nRenewalPeriod : 6 weeks\r\nOwner : THESHIRE\\Enterprise Admins\r\nDACL : NT AUTHORITY\\Authenticated Users (Allow) - Read\r\n THESHIRE\\Domain Admins (Allow) - Read, Write, Enroll\r\n THESHIRE\\Domain Users (Allow) - Read, Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - Read, Write, Enroll\r\nMisconfigurations :\r\nMitigations\r\nImmediately remove this flag and restart the affected certificate authority from a PowerShell prompt with elevated\r\nrights against the CA server:\r\nPS C:\\\u003e certutil -config \"CA_HOST\\CA_NAME\" -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2\r\nPS C:\\\u003e Get-Service -ComputerName CA_HOST certsvc | Restart-Service -Force\r\nESC7 - Vulnerable Certificate Authority Access Control\r\nDetails\r\nOutside of certificate templates, a certificate authority itself has a set of permissions that secure various CA\r\nactions. 
These permissions can be accessed from certsrv.msc, right clicking a CA, selecting properties, and\r\nswitching to the Security tab.\r\nThere are two rights that are security sensitive and dangerous if unintended principals possess them:\r\nManageCA (aka \"CA Administrator\") - allows for administrative CA actions, including (remotely) flipping\r\nthe EDITF_ATTRIBUTESUBJECTALTNAME2 bit, resulting in ESC6.\r\nManageCertificates (aka \"Certificate Manager/Officer\") - allows the principal to approve pending\r\ncertificate requests, negating the \"Manager Approval\" Issuance Requirement/protection.\r\nExample\r\n=== Certificate Authority ===\r\nComputerName : dc.theshire.local\r\nCAName : theshire-DC-CA\r\nConfigString : dc.theshire.local\\theshire-DC-CA\r\nIsRoot : True\r\nAllowsUserSuppliedSans : False\r\nVulnerableACL : True\r\nEnrollmentPrincipals : THESHIRE\\Domain Users\r\n THESHIRE\\Domain Computers\r\n THESHIRE\\certmanager\r\n THESHIRE\\certadmin\r\n THESHIRE\\Nested3\r\nEnrollmentEndpoints :\r\nNTLMEnrollmentEndpoints :\r\nDACL : BUILTIN\\Administrators (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\Domain Admins (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\Domain Users (Allow) - ManageCA, Read, Enroll\r\n THESHIRE\\Domain Computers (Allow) - Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\certmanager (Allow) - ManageCertificates, Enroll\r\n THESHIRE\\certadmin (Allow) - ManageCA, Enroll\r\n THESHIRE\\Nested3 (Allow) - ManageCertificates, Enroll\r\nMisconfigurations : ESC7\r\n[!] 
The above CA is misconfigured!\r\nMitigations\r\nOpen up the Certification Authority console (certsrv.msc) on the affected CA, right click the CA name and click\r\n\"Properties\".\r\nGo to \"Security\" and remove the vulnerable access control entry.\r\nESC8 - NTLM Relay to AD CS HTTP Endpoints\r\nNOTE: this particular check in PSPKIAudit only checks if NTLM is present for any published enrollment\r\nendpoints. It does NOT check if Extended Protection for Authentication is present for these NTLM-enabled\r\nendpoints, so false positives may occur!\r\nImportant\r\nNTLM authentication is disabled for accounts in the Protected Users group. This check may fail if running\r\nPSPKIAudit while logged in as a Protected User.\r\nDetails\r\nAD CS supports several HTTP-based enrollment methods via additional AD CS server roles that administrators\r\ncan install. These HTTP-based certificate enrollment interfaces are all vulnerable to NTLM relay attacks.\r\nUsing NTLM relay, an attacker on a compromised machine can impersonate any inbound-NTLM-authenticating\r\nAD account. 
While impersonating the victim account, an attacker could access these web interfaces and request a\r\nclient authentication certificate based on the User or Machine certificate templates.\r\nExample\r\n=== Certificate Authority ===\r\nComputerName : dc.theshire.local\r\nCAName : theshire-DC-CA\r\nConfigString : dc.theshire.local\\theshire-DC-CA\r\nIsRoot : True\r\nAllowsUserSuppliedSans : False\r\nVulnerableACL : False\r\nEnrollmentPrincipals : THESHIRE\\Domain Users\r\n THESHIRE\\Domain Computers\r\n THESHIRE\\certmanager\r\n THESHIRE\\certadmin\r\n THESHIRE\\Nested3\r\nEnrollmentEndpoints : http://dc.theshire.local/certsrv/\r\nNTLMEnrollmentEndpoints : http://dc.theshire.local/certsrv/\r\nDACL : BUILTIN\\Administrators (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\Domain Admins (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\Domain Users (Allow) - Read, Enroll\r\n THESHIRE\\Domain Computers (Allow) - Enroll\r\n THESHIRE\\Enterprise Admins (Allow) - ManageCA, ManageCertificates\r\n THESHIRE\\certmanager (Allow) - ManageCertificates, Enroll\r\n THESHIRE\\certadmin (Allow) - ManageCA, Enroll\r\n THESHIRE\\Nested3 (Allow) - ManageCertificates, Enroll\r\nMisconfigurations : ESC8\r\n[!] The above CA is misconfigured!\r\nMitigations\r\nEither remove the HTTP(S) enrollment endpoints, disable NTLM for the endpoints, or enable Extended Protection\r\nfor Authentication (which only takes effect on endpoints served over HTTPS). See Harden AD CS HTTP Endpoints – PREVENT8 in the whitepaper for more details.\r\nMisc - Explicit Mappings\r\nAnother possible mitigation for some situations is to enforce explicit mappings for certificates. This disables the\r\nuse of alternate SANs in certificates when authenticating to Active Directory.\r\nFor Kerberos, setting the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc!UseSubjectAltName\r\nvalue to 00000000 forces an explicit mapping. 
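The KDC value above, like the Schannel CertificateMappingMethods value this section also covers, is a per-machine registry setting, so an audit has to look at every domain controller rather than one. The following is an added example written for this page (not PSPKI or PSPKIAudit code): it reads both values from all DCs over WinRM and offers a guarded setter for UseSubjectAltName. The Get-ExplicitMappingState and Set-KdcExplicitMapping names, the use of Invoke-Command, and the reading of an absent UseSubjectAltName as the SAN-allowed default are this example's own assumptions.

```powershell
# Added example, not PSPKIAudit's own code: audit the KDC UseSubjectAltName value and the
# Schannel CertificateMappingMethods value on every domain controller, and set the KDC value
# under -WhatIf/-Confirm control. Assumes the RSAT ActiveDirectory module and WinRM access to the DCs.
Import-Module ActiveDirectory

$KdcKey      = 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Kdc'
$SchannelKey = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL'

function Get-ExplicitMappingState {
    [CmdletBinding()]
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $KdcKey, $SchannelKey -ScriptBlock {
        param($kdc, $schannel)
        # A missing value means the default: the KDC maps the certificate through its SAN (UPN/DNS name).
        $san  = (Get-ItemProperty -Path $kdc      -Name UseSubjectAltName         -ErrorAction SilentlyContinue).UseSubjectAltName
        $maps = (Get-ItemProperty -Path $schannel -Name CertificateMappingMethods -ErrorAction SilentlyContinue).CertificateMappingMethods
        $sanText  = 'absent (default, SAN allowed)'
        if ($null -ne $san)  { $sanText  = $san }
        $mapsText = 'absent (Windows default applies)'
        if ($null -ne $maps) { $mapsText = '0x{0:X}' -f $maps }
        [pscustomobject]@{
            DC                        = $env:COMPUTERNAME
            UseSubjectAltName         = $sanText
            KdcExplicitMappingOnly    = ($san -eq 0)
            CertificateMappingMethods = $mapsText
        }
    } | Select-Object DC, UseSubjectAltName, KdcExplicitMappingOnly, CertificateMappingMethods
}

function Set-KdcExplicitMapping {
    # Writes UseSubjectAltName = 0 so the KDC ignores the SAN and needs an explicit
    # altSecurityIdentities mapping. Apply it to every DC, and run with -WhatIf first: any
    # certificate logon that relied on the SAN alone stops working until it has a mapping.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName)

    foreach ($dc in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($dc, 'Set Kdc UseSubjectAltName = 0')) {
            Invoke-Command -ComputerName $dc -ArgumentList $KdcKey -ScriptBlock {
                param($kdc)
                New-ItemProperty -Path $kdc -Name UseSubjectAltName -PropertyType DWord -Value 0 -Force | Out-Null
            }
        }
    }
}

# Usage: review the current state, then dry-run the hardening before applying it for real.
Get-ExplicitMappingState | Format-Table -AutoSize
Set-KdcExplicitMapping -WhatIf
```

The Schannel value is only reported, never changed, because the page's own caveat about 0x1/0x2 needing more testing still stands; a mixed result across DCs (some 0, some absent) is itself a finding, since an attacker only needs one KDC that still honours the SAN.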
There are more details in KB4043463.\r\nForcing explicit mappings for SChannel is not really documented, but based on our research, setting 0x1 or 0x2 on\r\nthe HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL!CertificateMappingMethods\r\nvalue appears to block SANs, but more testing is needed.\r\nTriaging Existing Issued Certificate Requests\r\nWARNING: this functionality has been minimally tested in large environments!\r\nNote: see \"Monitor User/Machine Certificate Enrollments - DETECT1\" in the whitepaper for additional\r\ninformation and how to perform these searches with certutil.\r\nIf you want to examine existing issued certificate requests, for example to see if any requests specified arbitrary\r\nSANs, or were requested for specific templates/by specific principals, the Get-CertRequest [-CAComputerName\r\nCOMPUTER.DOMAIN.COM | -CAName X-Y-Z] function builds on various PSPKI functions to give more contextual\r\ninformation.\r\nSpecifically, the raw Certificate Signing Request (CSR) is extracted for every currently issued certificate in the\r\ndomain, and specific information (i.e., whether a SAN was specified, the requestor name/machine/process, etc.) 
is\r\nconstructed from the request to enrich the CSR object.\r\nThe following flags can be useful:\r\nFlag Description\r\n-HasSAN\r\nOnly return issued certificates that has a Subject Alternative Name\r\nspecified in the request.\r\n-Requester DOMAIN\\USER Only return issued certificate requests for the specific requesting user.\r\n-Template\r\nTEMPLATE_NAME\r\nOnly return return issued certificate requests for the specified template\r\nname.\r\nTo export ALL issued certificate requests to csv, use Get-CertRequest | Export-CSV -NoTypeInformation\r\nrequests.csv .\r\nHere is an example result entry that shows a situation where a Subject Alternative Name (SAN) was specified\r\nwith Certify:\r\nhttps://github.com/GhostPack/PSPKIAudit\r\nPage 16 of 17\n\nCA : dc.theshire.local\\theshire-DC-CA\r\nRequestID : 4602\r\nRequesterName : THESHIRE\\cody\r\nRequesterMachineName : dev.theshire.local\r\nRequesterProcessName : Certify.exe\r\nSubjectAltNamesExtension :\r\nSubjectAltNamesAttrib : Administrator\r\nSerialNumber : 55000011faef0fab5ffd7f75b30000000011fa\r\nCertificateTemplate : ESC1 Template\r\n (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657968.9897558)\r\nRequestDate : 6/3/2021 5:54:51 PM\r\nStartDate : 6/3/2021 5:44:51 PM\r\nEndDate : 6/3/2022 5:44:51 PM\r\nCA : dc.theshire.local\\theshire-DC-CA\r\nRequestID : 4603\r\nRequesterName : THESHIRE\\cody\r\nRequesterMachineName : dev.theshire.local\r\nRequesterProcessName : Certify.exe\r\nSubjectAltNamesExtension : Administrator\r\nSubjectAltNamesAttrib :\r\nSerialNumber : 55000011fb021b79cf7276c2de0000000011fb\r\nCertificateTemplate : ESC1 Template\r\n (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657968.9897558)\r\nRequestDate : 6/3/2021 5:55:10 PM\r\nStartDate : 6/3/2021 5:45:10 PM\r\nEndDate : 6/3/2022 5:45:10 PM\r\nThe SubjectAltNamesExtension property means that the x509 SubjectAlternativeNames extension was used to\r\nspecify the SAN, which happens for templates with 
the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag. The\r\nSubjectAltNamesAttrib property means that x509 name/value pairs were used, which happens when specifying\r\na SAN when the EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag is set.\r\nExisting issued certificates can be revoked using PSPKI's Revoke-Certificate function:\r\nPS C:\\\u003e Get-CertificationAuthority \u003cCAName\u003e | Get-IssuedRequest -RequestID \u003cX\u003e | Revoke-Certificate -\r\nReason \"KeyCompromise\"\r\nApplicable values for -Reason are \"KeyCompromise\", \"CACompromise\", and \"Unspecified\".\r\nSource: https://github.com/GhostPack/PSPKIAudit\r\nhttps://github.com/GhostPack/PSPKIAudit\r\nPage 17 of 17",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/GhostPack/PSPKIAudit"
	],
	"report_names": [
		"PSPKIAudit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/56192864c55c7f628e7ebb086ff133d5231b2f7f.pdf",
		"text": "https://archive.orkl.eu/56192864c55c7f628e7ebb086ff133d5231b2f7f.txt",
		"img": "https://archive.orkl.eu/56192864c55c7f628e7ebb086ff133d5231b2f7f.jpg"
	}
}