sAMAccountName, without knowing their credentials.
The attacker principal can abuse their control over the victim principal to modify the victim’s UPN to match the sAMAccountName of a targeted principal followed by @CORP.LOCAL.
Example: if the targeted principal is the Administrator user of domain CORP.LOCAL, the victim’s UPN will be set to “Administrator@CORP.LOCAL”. The attacker principal will then abuse their control over the victim principal to obtain the credentials of the victim principal, or a session as the victim principal, and enroll a certificate as the victim in one of the affected certificate templates. The UPN of the victim (“Administrator@CORP.LOCAL”) will be included in the issued certificate under the SAN. Next, the attacker principal will again set the UPN of the victim, this time to an arbitrary string (e.g. the original value).
The issued certificate can now be used for authentication against an affected DC. The UPN certificate mapping configuration on the DC makes the DC use the SAN value to map the certificate to a principal when performing Schannel authentication. The DC will first attempt to find a principal with a UPN matching the SAN value (“Administrator@CORP.LOCAL”), but as the victim’s UPN was changed after the enrollment, no principal has this UPN. The DC will then attempt to find a principal with a sAMAccountName matching the SAN value and find the targeted user. If the target is a computer, the DC will still find it: as a last resort, it attempts sAMAccountName matching with a $ appended to the SAN value. Finally, the DC will authenticate the attacker as the targeted principal.
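The mapping chain just described, modelled in Python as an added example (this is not BloodHound’s or Certipy’s code). map_san_upn resolves a SAN UPN in the order the text gives, esc9b_walkthrough replays the UPN change, enrollment and restore against a constructed directory, and find_colliding_upns is a defender-side audit that flags any userPrincipalName whose user part equals another principal’s sAMAccountName, which is the state the abuse has to create and the state left behind if the UPN is not restored. The domain CORP.LOCAL and the Administrator example come from the text; the account names jdoe, asmith and DC01$ are constructed, and the requirement that the SAN’s realm equal the domain before the sAMAccountName fallbacks apply is an assumption the text does not settle.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN = "CORP.LOCAL"  # domain name from the text above; every account below is constructed


@dataclass
class Principal:
    sam: str                      # sAMAccountName, e.g. "Administrator" or "DC01$"
    upn: Optional[str] = None     # userPrincipalName; Administrator and computers often have none
    object_class: str = "user"


def make_sample_directory() -> List[Principal]:
    """Constructed directory contents; the names are placeholders, not real accounts."""
    return [
        Principal("Administrator"),                   # targeted user, no UPN set
        Principal("jdoe", "jdoe@CORP.LOCAL"),          # victim the attacker controls
        Principal("asmith", "asmith@CORP.LOCAL"),
        Principal("DC01$", object_class="computer"),   # targeted computer account
    ]


def map_san_upn(san_upn: str, directory: List[Principal]) -> Tuple[Optional[str], Optional[str]]:
    """Resolve a certificate SAN UPN the way the text describes the DC doing it
    under UPN certificate mapping. Returns (sAMAccountName, method used):
      1. a userPrincipalName equal to the SAN value
      2. a sAMAccountName equal to the SAN's user part
      3. a sAMAccountName equal to the SAN's user part plus '$' (computers)
    Assumption: the realm must equal DOMAIN for the sAMAccountName fallbacks."""
    san_lower = san_upn.lower()
    for p in directory:
        if p.upn and p.upn.lower() == san_lower:
            return p.sam, "upn"
    name, sep, realm = san_upn.rpartition("@")
    if not sep or realm.lower() != DOMAIN.lower():
        return None, None
    name = name.lower()
    for p in directory:
        if p.sam.lower() == name:
            return p.sam, "samaccountname"
    for p in directory:
        if p.sam.lower() == name + "$":
            return p.sam, "samaccountname$"
    return None, None


def esc9b_walkthrough(target_name: str, directory: List[Principal]) -> Tuple[Optional[str], Optional[str]]:
    """Replay the sequence from the text: rewrite the victim's UPN, copy it into
    the certificate SAN at enrollment, restore the UPN, then ask what the DC
    maps the certificate to. The victim is the constructed account jdoe."""
    victim = next(p for p in directory if p.sam == "jdoe")
    original_upn = victim.upn
    victim.upn = f"{target_name}@{DOMAIN}"   # attacker sets the victim's UPN
    san_in_certificate = victim.upn          # enrollment puts the UPN into the SAN
    victim.upn = original_upn                # UPN set back after enrollment
    return map_san_upn(san_in_certificate, directory)


def find_colliding_upns(directory: List[Principal]) -> List[Tuple[str, str, str]]:
    """Defender-side audit: (holder_sam, upn, collides_with_sam) for every UPN in
    the domain whose user part equals another principal's sAMAccountName, with
    or without the trailing '$'. A normal UPN matches its own account only."""
    by_sam = {p.sam.lower(): p.sam for p in directory}
    findings = []
    for p in directory:
        if not p.upn:
            continue
        name, sep, realm = p.upn.rpartition("@")
        if not sep or realm.lower() != DOMAIN.lower():
            continue
        for candidate in (name.lower(), name.lower() + "$"):
            other = by_sam.get(candidate)
            if other and other.lower() != p.sam.lower():
                findings.append((p.sam, p.upn, other))
    return findings


if __name__ == "__main__":
    d = make_sample_directory()
    print(esc9b_walkthrough("Administrator", d))
    print(esc9b_walkthrough("DC01", d))
    d[1].upn = "Administrator@CORP.LOCAL"   # a UPN left pointing at another principal
    print(find_colliding_upns(d))
```

The audit is deliberately case-insensitive and also tests the '$' form, because the DC’s last-resort lookup means a UPN such as DC01@CORP.LOCAL collides with the computer account DC01$ even though no account has that sAMAccountName literally.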
Abuse Info
Windows
Step 1: Create an .exe version of Certipy. Install PyInstaller on a host with Python installed, clone Certipy from GitHub, and run this command from the root of the repo to bundle the Python project into an .exe binary that can be used on a Windows computer where Python is not installed:
Step 2: Set the UPN of the victim to the targeted principal’s sAMAccountName followed by @ and the domain name.
Set the UPN of the victim principal using Certipy:
Step 3: Check whether the mail attribute of the victim must be set, and set it if required.
If the certificate template is of schema version 2 or above, and its attribute msPKI-Certificate-Name-Flag contains the flag SUBJECT_REQUIRE_EMAIL and/or SUBJECT_ALT_REQUIRE_EMAIL, then the victim principal must have their mail attribute set for the certificate enrollment. The CertTemplate BloodHound node will have “Subject Require Email” or “Subject Alternative Name Require Email” set to true if any of the flags are present.
If the certificate template is of schema version 1 or does not have either email flag, then continue to Step 4.
If either flag is present, you will need the victim’s mail attribute to be set. The value of the attribute will be included in the issued certificate but it is not used to identify the target principal, so it can be set to any arbitrary string.
Check if the victim has the mail attribute set using PowerView:
If the victim has the mail attribute set, continue to Step 4.
If the victim does not have the mail attribute set, set it to a dummy mail using PowerView:
- Shadow Credentials attack (see AddKeyCredentialLink edge documentation).
- Password reset (see ForceChangePassword edge documentation).
- Targeted Kerberoasting (see WriteSPN edge documentation).
Linux
Step 1: Set the UPN of the victim to the targeted principal’s sAMAccountName followed by @ and the domain name.
Set the UPN of the victim principal using Certipy:
Step 2: Check whether the mail attribute of the victim must be set, and set it if required.
If the certificate template is of schema version 2 or above, and its attribute msPKI-Certificate-Name-Flag contains the flag SUBJECT_REQUIRE_EMAIL and/or SUBJECT_ALT_REQUIRE_EMAIL, then the victim principal must have their mail attribute set for the certificate enrollment. The CertTemplate BloodHound node will have “Subject Require Email” or “Subject Alternative Name Require Email” set to true if any of the flags are present.
If the certificate template is of schema version 1 or does not have either email flag, then continue to Step 3.
If either flag is present, you will need the victim’s mail attribute to be set. The value of the attribute will be included in the issued certificate but it is not used to identify the target principal, so it can be set to any arbitrary string.
Check if the victim has the mail attribute set using ldapsearch:
If the victim has the mail attribute set, continue to Step 3.
If the victim does not have the mail attribute set, set it to a dummy mail using ldapmodify:
- Shadow Credentials attack (see AddKeyCredentialLink edge documentation).
- Password reset (see ForceChangePassword edge documentation).
- Targeted Kerberoasting (see WriteSPN edge documentation).
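The email-flag rule given in the Windows and Linux steps above (schema version 2 or higher plus SUBJECT_REQUIRE_EMAIL and/or SUBJECT_ALT_REQUIRE_EMAIL), as an added Python check that is not part of the original page or of BloodHound. The numeric bit values are taken from the MS-CRTD specification rather than from this page and are an assumption on the reader’s part to verify; the template rows are constructed. The check masks the flag to 32 bits because ldapsearch and PowerView return msPKI-Certificate-Name-Flag as a signed integer, so a value with the high bit set prints as a negative number.

```python
from typing import Dict, List, Tuple

# msPKI-Certificate-Name-Flag bit values, as given in MS-CRTD (assumed here; the page
# names the flags but not their values).
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x00200000
CT_FLAG_SUBJECT_REQUIRE_EMAIL = 0x20000000


def template_requires_mail(schema_version: int, name_flag: int) -> Dict[str, bool]:
    """Apply the rule from the text: only a schema version 2+ template carrying
    either email flag requires the enrollee's mail attribute to be populated.
    name_flag may be the signed value LDAP returns, hence the 32-bit mask."""
    flags = name_flag & 0xFFFFFFFF
    subject = bool(flags & CT_FLAG_SUBJECT_REQUIRE_EMAIL)
    san = bool(flags & CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL)
    return {
        "subject_require_email": subject,          # BloodHound: "Subject Require Email"
        "subject_alt_require_email": san,          # BloodHound: "Subject Alternative Name Require Email"
        "mail_required": schema_version >= 2 and (subject or san),
    }


def audit_templates(templates: List[Tuple[str, int, int]]) -> Dict[str, bool]:
    """Map template name -> whether enrollment needs the mail attribute, for rows of
    (name, msPKI-Template-Schema-Version, msPKI-Certificate-Name-Flag)."""
    return {name: template_requires_mail(ver, flag)["mail_required"] for name, ver, flag in templates}


# Constructed rows; the names and values are illustrative, not a real template dump.
SAMPLE_TEMPLATES = [
    ("LegacyUser", 1, -1509949440),  # signed form of 0xA6000000: v1, so flags do not apply
    ("CorpVPN", 2, 0x02000000),      # SUBJECT_ALT_REQUIRE_UPN only: no mail needed
    ("CorpMail", 2, 0x20200000),     # both email flags: mail needed
    ("CorpSAN", 2, 0x00200000),      # SUBJECT_ALT_REQUIRE_EMAIL only: mail needed
]

if __name__ == "__main__":
    for name, needed in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{name}: mail attribute required = {needed}")
```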
Edge Schema
Source: User, Group, Computer
Destination: Domain
Traversable: Yes