Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS

Response

ADCS response starts by identifying issued certificates, vulnerable templates, modified templates, exposed CA keys, and relayable enrollment endpoints. Certificates must be treated as live credentials until expired or revoked.

Inventory CAs and templates

certutil -config "dc01.ootw.local\OOTW-CA" -catemplates
certutil -config "dc01.ootw.local\OOTW-CA" -getconfig

Find vulnerable templates

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -vulnerable -enabled -text -output adcs_review

Disable vulnerable template publication

certutil -config "dc01.ootw.local\OOTW-CA" -setcatemplates -ESC1

Revoke a certificate

$Serial = "SERIAL_NUMBER"
certutil -config "dc01.ootw.local\OOTW-CA" -revoke $Serial
certutil -config "dc01.ootw.local\OOTW-CA" -crl

Remove ESC1-style risk

Disable Enrollee Supplies Subject for authentication templates.
Require manager approval where subject supply is required.
Require authorized signatures for sensitive templates.
Remove broad enrollment rights from Domain Users and Authenticated Users.
Remove Any Purpose and unnecessary authentication EKUs.

Remove ESC4-style risk

Restrict template ownership to PKI administrators.
Remove WriteDacl, WriteOwner, GenericAll, GenericWrite, and WriteProperty from non-PKI administrators.
Review template changes in the Configuration naming context.
Restore known-good template JSON or GPO-backed documentation.

Reduce ESC8 risk

Disable ADCS web enrollment if not required.
Require HTTPS.
Enforce Extended Protection for Authentication.
Disable NTLM where possible.
Require LDAP signing and channel binding.
Reduce coercion exposure such as Print Spooler on servers where not needed.

Golden Certificate response

Treat CA private key compromise as a PKI root compromise.
Revoke forged certificates if serials are known.
Rotate or rebuild the CA where required.
Publish fresh CRLs.
Remove compromised CA certificate trust from NTAuth if retiring the CA.
Hunt for certificate authentication after the suspected compromise window.

Useful event IDs

4886  Certificate Services received a certificate request
4887  Certificate Services approved a certificate request and issued a certificate
4888  Certificate Services denied a certificate request
4890  Certificate Services certificate manager settings changed
4898  Certificate template loaded
4899  Certificate Services template updated
4900  Certificate Services template security updated
4768  TGT requested, including certificate-based Kerberos authentication
4769  Service ticket requested after certificate authentication
5136  Directory object modified, useful for template and PKI object changes

Review issued certificates

certutil -config "dc01.ootw.local\OOTW-CA" -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,CertificateTemplate,SerialNumber,NotBefore,NotAfter"

Hardening baseline

Separate PKI administration from domain administration.
Limit enrollment to specific groups.
Use short certificate validity periods for authentication templates.
Remove unused templates from issuing CAs.
Require approval for templates that allow request-supplied subjects.
Monitor template ACLs and CA configuration changes.
Protect CA private keys with HSM-backed or equivalent controls where possible.