The EDITF_ATTRIBUTESUBJECTALTNAME2 flag on the affected certification authority allows enrollees to specify a Subject Alternate Name (SAN) identifying another principal during certificate enrollment in any published certificate template. This setup allows an attacker principal to obtain a malicious certificate as another principal. An affected Domain Controller is configured to allow weak certificate mapping enforcement, which lets the attacker principal authenticate with the malicious certificate and thereby impersonate any AD forest user or computer without their credentials.
Abuse Info
Windows
Step 1: Use Certify (2.0) to request enrollment in the affected template, specifying the affected certification authority and target principal to impersonate:
The enrollee must have the mail or dNSHostName attribute set, which the certificate template requires. The mail attribute can be set on both user and computer objects, but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
Step 2: With Rubeus, use the certificate to authenticate to the domain and request a TGT, specifying the identity you intend to impersonate:
Linux
Step 1: Use Certipy to request enrollment in the affected template, specifying the affected certification authority and target principal to impersonate:
The enrollee must have the mail or dNSHostName attribute set, which the certificate template requires. The mail attribute can be set on both user and computer objects, but the dNSHostName attribute can only be set on computer objects. Computers have validated write permission to their own dNSHostName attribute by default, but neither users nor computers can write to their own mail attribute by default.
Step 2: Request a ticket granting ticket (TGT) from the domain, specifying the certificate created in Step 1 and the IP of a domain controller:
Opsec Considerations
When the affected certificate authority issues the certificate to the attacker, it retains a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and the principal that requested each one, as well as the target identity the attacker is attempting to impersonate.
Edge Schema
Source: User, Group, Computer
Destination: Domain
Traversable: Yes
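The defender-side analysis mentioned under Opsec Considerations, as an added example that is not part of this edge documentation or the BloodHound project: it dumps the CA's issued certificates with certutil, reads each certificate's SAN, and flags rows where the SAN names a principal other than the requester. The CA config string is a placeholder, and the requester-versus-SAN comparison is a heuristic meant to produce leads for manual review.

```powershell
# Added example (not BloodHound code). Run on the CA or with RPC access to it.
# Flags issued certificates whose SAN UPN / DNS name does not match the requester account.
function Find-SanRequesterMismatch {
    param(
        [string]$CaConfig = 'CA01.corp.example\CORP-CA',   # placeholder: CAHOST\CA-Name
        [string]$DumpFile = "$env:TEMP\issued-certs.txt"
    )
    # Disposition 20 = issued. RequesterName and the raw certificate are all the check needs.
    certutil -config $CaConfig -view -restrict 'Disposition=20' `
        -out 'RequestID,RequesterName,RawCertificate' | Out-File $DumpFile -Encoding ascii

    # One match per row: request id, requester, and the PEM block certutil prints for RawCertificate.
    $rowRegex = '(?s)Request ID:\s*0x[0-9a-fA-F]+\s*\((\d+)\).*?Requester Name:\s*"([^"]+)"' +
                '.*?(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)'
    $text = Get-Content $DumpFile -Raw

    foreach ($m in [regex]::Matches($text, $rowRegex)) {
        $reqId     = $m.Groups[1].Value
        $requester = $m.Groups[2].Value                       # e.g. CORP\jdoe or CORP\WS01$
        $account   = $requester.Split('\')[-1].TrimEnd('$')   # account name without domain / $
        $b64  = $m.Groups[3].Value -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [Convert]::FromBase64String($b64))

        # SAN extension (OID 2.5.29.17); Format($true) prints one name per line.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $san) { continue }
        $names = @()
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match 'Principal Name=(.+)$') { $names += $Matches[1].Trim() }   # UPN
            if ($line -match 'DNS Name=(.+)$')       { $names += $Matches[1].Trim() }   # dNSHostName
        }

        foreach ($n in $names) {
            # Heuristic: the UPN prefix or the DNS host label should equal the requester's
            # account name. Anything else is a lead to verify against AD, not a verdict.
            $label = (($n -split '@')[0] -split '\.')[0]
            if ($label -ne $account) {
                [pscustomobject]@{
                    RequestID = $reqId; Requester = $requester; SAN = $n
                    Subject   = $cert.Subject; Serial = $cert.SerialNumber; NotBefore = $cert.NotBefore
                }
            }
        }
    }
}

Find-SanRequesterMismatch | Format-Table -AutoSize
```

Rows where the SAN names a privileged account or a domain controller while the requester is an ordinary user or workstation are the ones to investigate first, together with the request time and the template that issued them.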