EDITF_ATTRIBUTESUBJECTALTNAME2 flag allowing enrollees to
specify a Subject Alternate Name (SAN) identifying another principal during certificate enrollment of
any published certificate template. This setup allow an attacker principal to obtain a malicious
certificate as any AD forest user or computer and use it for authentication and impersonation without
knowing their credentials.
Abuse Info
Windows
Step 1: Use Certify (2.0) to request enrollment in the affected template, specifying the affected enterprise CA and target principal to impersonate (include the SID URL if strong mapping is enforced):mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
Step 2: With Rubeus, use the certificate to authenticate to the domain and request a TGT, specifying the identity you intend to impersonate:
Linux
Step 1: Use Certipy to request enrollment in the affected template, specifying the affected certification authority and target principal to impersonate:mail or dNSHostName attribute set, which is required by the certificate template. The mail attribute can be set on both user and computer objects but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
Step 2: Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 1 and the IP of a domain controller::
Opsec Considerations
When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate, as well as the target identity the attacker is attempting to impersonate.Edge Schema
Source: User, Group, ComputerDestination: Domain
Traversable: Yes