dNSHostName attribute to match the dNSHostName of a targeted computer. The attacker principal then abuses their control over the victim computer to obtain the credentials of the victim computer, or a session as the victim computer, and enrolls a certificate as the victim in one of the affected certificate templates. The dNSHostName of the victim is included in the issued certificate as a SAN DNS name. Because the certificate template does not have the security extension, the issued certificate will NOT include the SID of the victim computer. DCs with strong certificate binding configuration require a SID to be present in a certificate used for Kerberos authentication, but the affected DCs with weak certificate binding configuration do not. The affected DCs split the SAN DNS name into a computer name and a domain name, confirm that the domain name is correct, and use the computer name with a $ appended to identify principals with a matching sAMAccountName. Finally, the DC issues a Kerberos TGT as the targeted computer to the attacker, which means the attacker now has a session as the targeted computer.
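The mapping described above (SAN DNS name split into host and domain, a $ appended, match on sAMAccountName) is also what makes the precondition detectable: a computer whose dNSHostName no longer corresponds to its own sAMAccountName is exactly what this edge relies on. The following is an added example, not code from the BloodHound page or project; the computer records and the domain name are constructed, and the attribute names are the real AD attributes. It reproduces the weak-binding mapping and audits a directory export for computers whose dNSHostName would be mapped to a different account.

```python
"""Audit computer accounts for dNSHostName values that do not match the
account's own sAMAccountName, mirroring the weak certificate binding mapping.
Added example (not BloodHound code); records and domain below are constructed."""

from typing import Optional

# Constructed sample of computer objects as a directory export would return them.
COMPUTERS = [
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.corp.example"},
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example"},
    # Victim whose dNSHostName has been pointed at DC01 (the precondition the edge describes)
    {"sAMAccountName": "VICTIM$", "dNSHostName": "dc01.corp.example"},
    # Account with no dNSHostName at all (stale object): nothing to map
    {"sAMAccountName": "STALE$", "dNSHostName": None},
]

DOMAIN = "corp.example"  # constructed


def weak_binding_map(san_dns: str, computers, domain: str = DOMAIN) -> Optional[str]:
    """Reproduce the mapping a DC with weak certificate binding applies to a SAN
    DNS name: split into host and domain, verify the domain, then look for a
    computer whose sAMAccountName equals the host with '$' appended.
    Returns the matching sAMAccountName, or None when nothing maps."""
    host, sep, dom = san_dns.partition(".")
    if not sep or dom.lower() != domain.lower():
        return None
    wanted = (host + "$").lower()
    for c in computers:
        if c["sAMAccountName"].lower() == wanted:
            return c["sAMAccountName"]
    return None


def expected_dns_hostname(sam: str, domain: str = DOMAIN) -> str:
    """The dNSHostName a computer account is expected to carry."""
    return sam.rstrip("$").lower() + "." + domain.lower()


def find_mismatched_hostnames(computers, domain: str = DOMAIN):
    """Return (sAMAccountName, dNSHostName, account the DC would map it to) for
    every computer whose dNSHostName does not correspond to its own name.
    Accounts without a dNSHostName are skipped rather than reported."""
    findings = []
    for c in computers:
        dns = c.get("dNSHostName")
        if not dns:
            continue
        if dns.lower() != expected_dns_hostname(c["sAMAccountName"], domain):
            findings.append((c["sAMAccountName"], dns, weak_binding_map(dns, computers, domain)))
    return findings


if __name__ == "__main__":
    for sam, dns, mapped in find_mismatched_hostnames(COMPUTERS):
        print(f"{sam}: dNSHostName {dns} maps to {mapped} under weak binding")
```

Running this over a real export (every computer object with sAMAccountName and dNSHostName) lists the accounts whose dNSHostName points at another machine; the third tuple element shows which account a weak-binding DC would authenticate. Enabling strong certificate binding on the DCs removes the mapping path altogether.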
Abuse Info
Windows
Step 1: Remove SPNs including dNSHostName on victim.
The SPNs of the victim will be automatically updated when you change the dNSHostName. AD will not allow the same SPN entry to be set on two accounts. Therefore, you must remove any SPN on the victim account that includes the victim’s dNSHostName.
Set SPN of the victim computer using PowerView:
Step 2: Set dNSHostName of victim computer to targeted computer’s dNSHostName.
Set the dNSHostName of the victim computer using PowerView:
Step 3: Check if mail attribute of victim must be set and set it if required.
If the certificate template is of schema version 2 or above, and its attribute msPKI-Certificate-Name-Flag contains the flag SUBJECT_REQUIRE_EMAIL and/or SUBJECT_ALT_REQUIRE_EMAIL, then the victim principal must have their mail attribute set for the certificate enrollment. The CertTemplate BloodHound node will have “Subject Require Email” or “Subject Alternative Name Require Email” set to true if any of the flags are present.
If the certificate template is of schema version 1 or does not have either email flag, then continue to Step .
If either flag is present, you will need the victim’s mail attribute to be set. The value of the attribute will be included in the issued certificate but it is not used to identify the target principal, so it can be set to any arbitrary string.
Check if the victim has the mail attribute set using PowerView:
If the victim has the mail attribute set, continue to Step 4.
If the victim does not have the mail attribute set, set it to a dummy mail using PowerView:
Set dNSHostName and SPN of victim back to the previous values.
To avoid issues in the environment, set the dNSHostName and SPN of the victim computer back to its previous values using PowerView:
Linux
Step 1: Remove SPNs including dNSHostName on victim.
The SPNs of the victim will be automatically updated when you change the dNSHostName. AD will not allow the same SPN entry to be set on two accounts. Therefore, you must remove any SPN on the victim account that includes the victim’s dNSHostName.
Remove SPN entries with ldapmodify:
Step 2: Set dNSHostName of victim computer to targeted computer’s dNSHostName.
Set the dNSHostName of the victim computer using Certipy:
Step 3: Check if mail attribute of victim must be set and set it if required.
If the certificate template is of schema version 2 or above, and its attribute msPKI-Certificate-Name-Flag contains the flag SUBJECT_REQUIRE_EMAIL and/or SUBJECT_ALT_REQUIRE_EMAIL, then the victim principal must have their mail attribute set for the certificate enrollment. The CertTemplate BloodHound node will have “Subject Require Email” or “Subject Alternative Name Require Email” set to true if any of the flags are present.
If the certificate template is of schema version 1 or does not have either email flag, then continue to Step .
If either flag is present, you will need the victim’s mail attribute to be set. The value of the attribute will be included in the issued certificate but it is not used to identify the target principal, so it can be set to any arbitrary string.
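The email-flag check in Step 3 of both the Windows and Linux sections comes down to two conditions: the template schema version must be 2 or above, and msPKI-Certificate-Name-Flag must contain SUBJECT_REQUIRE_EMAIL (0x20000000) or SUBJECT_ALT_REQUIRE_EMAIL (0x04000000). The following is an added example, not BloodHound or Certipy code; the template records are constructed. One detail worth handling: the attribute is a signed 32-bit integer in AD, so an LDAP export shows values with the top bit set as negative numbers, which have to be normalised before the bits are tested.

```python
"""Decide whether a certificate template requires the enrollee's mail attribute
(Step 3). Added example, not BloodHound or Certipy code; templates are constructed.
The two flag constants are the documented msPKI-Certificate-Name-Flag bits."""

CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000
CT_FLAG_SUBJECT_REQUIRE_EMAIL = 0x20000000


def name_flag_to_unsigned(value) -> int:
    """msPKI-Certificate-Name-Flag is stored as a signed 32-bit integer, so an
    LDAP export shows high-bit values as negatives (often as strings).
    Normalise to the unsigned bit mask before testing individual flags."""
    return int(value) & 0xFFFFFFFF


def template_email_requirements(template: dict) -> dict:
    """Return the two BloodHound-style booleans for a template record carrying
    'msPKI-Template-Schema-Version' and 'msPKI-Certificate-Name-Flag'."""
    schema = int(template.get("msPKI-Template-Schema-Version", 1))
    if schema < 2:
        # Schema version 1 templates do not enforce the email flags at all
        return {"SubjectRequireEmail": False, "SubjectAltRequireEmail": False}
    flags = name_flag_to_unsigned(template.get("msPKI-Certificate-Name-Flag", 0))
    return {
        "SubjectRequireEmail": bool(flags & CT_FLAG_SUBJECT_REQUIRE_EMAIL),
        "SubjectAltRequireEmail": bool(flags & CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL),
    }


def mail_attribute_required(template: dict) -> bool:
    """True when enrollment in this template needs the principal's mail attribute."""
    r = template_email_requirements(template)
    return r["SubjectRequireEmail"] or r["SubjectAltRequireEmail"]


# Constructed template records, in the string form an LDAP export produces.
TEMPLATES = {
    # Schema version 1: the email bit is present but ignored
    "LegacyMachine": {"msPKI-Template-Schema-Version": "1",
                      "msPKI-Certificate-Name-Flag": str(CT_FLAG_SUBJECT_REQUIRE_EMAIL)},
    # Schema version 2, SUBJECT_ALT_REQUIRE_EMAIL plus another SAN bit (0x0C000000)
    "AltEmail": {"msPKI-Template-Schema-Version": "2",
                 "msPKI-Certificate-Name-Flag": "201326592"},
    # Schema version 2, SUBJECT_REQUIRE_EMAIL plus bit 31 set (0xA0000000), exported as a negative
    "SubjectEmail": {"msPKI-Template-Schema-Version": "2",
                     "msPKI-Certificate-Name-Flag": "-1610612736"},
}


if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, template_email_requirements(tpl), "mail required:", mail_attribute_required(tpl))
```

The same function applied to every template in the CN=Certificate Templates container gives a defender the list of templates whose "Subject Require Email" or "Subject Alternative Name Require Email" property BloodHound would show as true.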
Check if the victim has the mail attribute set using ldapsearch:
If the victim has the mail attribute set, continue to Step 4.
If the victim does not have the mail attribute set, set it to a dummy mail using ldapmodify:
Set dNSHostName and SPN of victim back to the previous values.
To avoid issues in the environment, set the dNSHostName and SPN of the victim computer back to their previous values using Certipy and ldapmodify:
Edge Schema
Source: User, Group, Computer
Destination: Domain
Traversable: Yes