Stealthy AD CS Reconnaissance

TLDR: Introducing a certipy parse command to perform stealthy offline AD CS enumeration based on local registry data.

Ever since Will Schroeder and Lee Christensen from SpecterOps released their seminal Active Directory Certificate Services (AD CS) research, it has been a popular avenue for Windows domain privilege escalation, used by security professionals and threat actors alike.

Such attack paths usually begin with the enumeration of published certificate templates by means of LDAP queries to a domain controller (or COM / RPC requests to a certificate authority). However, in mature environments LDAP traffic is monitored, both on the client (API hooking, ETW) and on the server side (query logging, SACL-based audit policies), for known tool behavior and malicious activity. To evade these detections, attackers use selective queries, obfuscate their requests, leverage native utilities and have developed new enumeration techniques with corresponding tooling based on alternative protocols (ADWS).

Wouldn’t it be convenient to use another – less monitored – data source to learn the same information?

Registry Certificate Template Cache

This is what Cedric Van Bockhaven and Max Grim from Outflank presented in their talk The Registry Rundown at Troopers. They discovered that the local registry contains a certificate template cache:

Registry Certificate Template Cache slide from Outflank's Troopers presentation

AD CS is a gift that keeps on giving (ESC13, ESC14, ESC15), with new misconfigurations being discovered on a regular basis. It therefore seemed natural to plug this new data source into an existing analysis framework to reuse its capabilities and structured data output.

Extend Existing Tooling

This idea was realized by introducing a new certipy command that parses TrustedSec’s reg_query BOF output as well as the text-based Windows registry export (.reg) file format.

Using the reg_query BOF

Assuming you have code execution as a low-privileged user on a domain-joined Windows machine, collect the cached certificate template metadata from the local registry using:

beacon> reg_query_recursive HKU .DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache

One missing piece of information is whether the certificate template is actually published to a certificate authority. This still has to be queried via LDAP:

beacon> ldapsearch "(objectclass=pKIEnrollmentService)" --attributes certificateTemplates --dn "CN=Configuration,DC=ludus,DC=domain" --ldaps

Passing the returned comma-separated list of published template names, the previously captured registry query output and a set of SIDs belonging to owned principals allows the familiar analysis using certipy:

$ certipy parse -format bof -domain ludus.domain -ca ludus-CA -published "ESC13, ESC9, ESC7_CERTMGR, ESC4, ESC3_CRA, ESC3, ESC2, ESC1, DirectoryEmailReplication, DomainControllerAuthentication, KerberosAuthentication, EFSRecovery, EFS, DomainController, WebServer, Machine, User, SubCA, Administrator" -sids "S-1-5-21-3291837554-245906837-2404182060-513,S-1-5-21-3291837554-245906837-2404182060-1104" beacon.log

Using regedit.exe

If you instead have interactive access to a compromised client and want to use the native regedit.exe utility to live off the land and better blend into the target environment, you can use File > Export to save the relevant registry branch to a .reg file.

Native Registry Editor exporting branch HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache

Changing -format to reg allows parsing this export too:

$ certipy parse -format reg -domain ludus.domain -ca ludus-CA -published "ESC13, ESC9, ESC7_CERTMGR, ESC4, ESC3_CRA, ESC3, ESC2, ESC1, DirectoryEmailReplication, DomainControllerAuthentication, KerberosAuthentication, EFSRecovery, EFS, DomainController, WebServer, Machine, User, SubCA, Administrator" -sids "S-1-5-21-3291837554-245906837-2404182060-513,S-1-5-21-3291837554-245906837-2404182060-1104" adcs.reg
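The following is an added example, not code from the post or from certipy itself. It shows what a parser for a regedit.exe export of the cache has to handle and the kind of check the analysis then performs on the result: it decodes the .reg syntax (REG_SZ, dword:, hex(7) multi-strings spread over continuation lines), keeps only the subkeys below the CertificateTemplateCache branch, and flags published templates whose flag bits match the ESC1 pattern (enrollee supplies the subject, no manager approval, no authorized signature, an authentication EKU). The sample export is constructed, the value names assumed inside each template subkey (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, ExtKeyUsageSyntax) are an assumption to be verified against a real export, and the flag bits and OIDs are taken from MS-CRTD and RFC 5280.

```python
import re
from typing import Any

# Registry branch exported by regedit.exe (path as given in the post)
CACHE_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache"

# Flag bits (MS-CRTD) and EKU OIDs that matter for the ESC1 pattern
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
             "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
             "2.5.29.37.0"}             # Any Purpose

# Constructed sample export. The value names inside each template subkey are an
# assumption made for this example; verify them against a real export of the cache.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\ESC1]
"DisplayName"="ESC1"
"msPKI-Certificate-Name-Flag"=dword:00000001
"msPKI-Enrollment-Flag"=dword:00000000
"msPKI-RA-Signature"=dword:00000000
"ExtKeyUsageSyntax"=hex(7):31,00,2e,00,33,00,2e,00,36,00,2e,00,31,00,2e,00,35,00,\
  2e,00,35,00,2e,00,37,00,2e,00,33,00,2e,00,32,00,00,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\User]
"DisplayName"="User"
"msPKI-Certificate-Name-Flag"=dword:a6000000
"msPKI-Enrollment-Flag"=dword:00000029
"msPKI-RA-Signature"=dword:00000000
"ExtKeyUsageSyntax"=hex(7):31,00,2e,00,33,00,2e,00,36,00,2e,00,31,00,2e,00,35,00,\
  2e,00,35,00,2e,00,37,00,2e,00,33,00,2e,00,32,00,00,00,00,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache\Approved]
"DisplayName"="Needs manager approval"
"msPKI-Certificate-Name-Flag"=dword:00000001
"msPKI-Enrollment-Flag"=dword:00000002
"msPKI-RA-Signature"=dword:00000000
"ExtKeyUsageSyntax"=hex(7):32,00,2e,00,35,00,2e,00,32,00,39,00,2e,00,33,00,37,00,2e,00,30,00,00,00,00,00
"""

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_value(raw: str) -> Any:
    """Decode one .reg value literal into a Python object."""
    if raw.startswith('"'):                       # REG_SZ with \" and \\ escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                  # REG_DWORD as 8 hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)", raw)  # hex:, hex(2):, hex(7):, hex(b): ...
    if not m:
        return raw
    kind = int(m.group(1) or "3", 16)             # bare hex: is REG_BINARY (type 3)
    data = bytes.fromhex(m.group(2).replace(",", ""))
    if kind == 7:                                 # REG_MULTI_SZ: UTF-16LE, NUL separated
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    if kind in (1, 2):                            # REG_SZ / REG_EXPAND_SZ in hex form
        return data.decode("utf-16-le").rstrip("\0")
    if kind in (4, 0xB):                          # REG_DWORD / REG_QWORD, little-endian
        return int.from_bytes(data, "little")
    return data                                   # REG_BINARY, e.g. a security descriptor


def parse_reg(text: str) -> dict[str, dict[str, Any]]:
    """Parse a regedit.exe export into {key path: {value name: value}}."""
    keys: dict[str, dict[str, Any]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = decode_value(m.group(2))
    return keys


def cached_templates(keys: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Keep only the subkeys of the template cache, keyed by template name."""
    prefix = (CACHE_KEY + "\\").lower()
    return {k[len(prefix):]: v for k, v in keys.items() if k.lower().startswith(prefix)}


def esc1_candidates(templates: dict[str, dict[str, Any]], published: set[str]) -> list[str]:
    """Published templates whose flags match the ESC1 pattern. Enrollment rights (the
    binary security descriptor in the export) are deliberately not evaluated here."""
    hits = []
    for name, v in templates.items():
        if name not in published:
            continue
        ekus = v.get("ExtKeyUsageSyntax", [])
        if (v.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
                and not v.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
                and v.get("msPKI-RA-Signature", 0) == 0
                and (not ekus or AUTH_EKUS & set(ekus))):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    published = {"ESC1", "User", "Approved"}  # the list returned by the pKIEnrollmentService query
    tmpls = cached_templates(parse_reg(SAMPLE_REG))
    print(len(tmpls), "cached templates; ESC1 candidates:", esc1_candidates(tmpls, published))
```

The published set plays the role of the comma-separated list passed via -published above. Because enrollment rights are not evaluated, a match means "worth a closer look", not "exploitable"; certipy's own analysis adds the security descriptor and the owned SIDs to that decision.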

What’s next?

Of course, being aware of available certificate templates is only the first step. Obtaining a valid certificate while avoiding possible honeypots, detections based on suspicious ticket options during PKINIT or Kerberos traffic from an unusual process is left as an exercise for the sophisticated attacker.

As for detection, the same mechanism (a custom SACL on the relevant registry keys) as for detecting local SCCM reconnaissance can be employed.

Happy red teaming.

Source: Compass Security Blog

8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation

Source: The Nation
A coordinated law enforcement operation has taken down the dark web data leak and negotiation sites associated with the 8Base ransomware gang.
Visitors to the data leak site are now greeted with a seizure banner that says: “This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor

Source: The Hacker News

Gcore Radar report reveals 56% year-on-year increase in DDoS attacks

Luxembourg, Luxembourg, 11th February 2025, CyberNewsWire

Source: Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack.
This

Source: The Hacker News

Apple and Google take down malicious mobile apps from their app stores

Apple and Google have pulled as many as 20 apps from their respective apps for carrying a data-stealing malware.

© 2024 TechCrunch. All rights reserved. For personal use only.

Source: Security News | TechCrunch

XE Group Shifts From Card Skimming to Supply Chain Attacks

The likely Vietnam-based threat actor has been using two zero-days in VeraCore’s warehouse management software in some of its latest cyberattacks.

Source: darkreading

120K Victims Compromised in Memorial Hospital Ransomware Attack

After claiming responsibility for the ransomware attack in 2024, the “Embargo” ransomware group posted 1.15 terabytes of stolen data to its public Tor site.

Source: darkreading

Who’s using AI the most? The Anthropic Economic Index breaks down the data

New Anthropic study uncovers AI’s true impact on the modern workforce: 57% augmentation vs 43% automation across industries, based on analysis of 4 million Claude interactions.

Source: Security News | VentureBeat

8Base ransomware site taken down as Thai authorities arrest 4 connected to operation

The leak site for the 8Base ransomware gang was taken down Monday and replaced with a banner by multiple law enforcement agencies.

Source: The Record from Recorded Future News