https://github.com/GhostPack/PSPKIAudit#auditing-ad-cs-misconfigurations
PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
It is built on top of PKISolution's PSPKI toolkit (Microsoft Public License). This repo contains a newer version of PSPKI than what's available in the PSGallery (see the PSPKI directory).
Invoke-PKIAudit - Audits the current Forest's AD CS settings, primarily analyzing the CA server and published templates for potential privilege escalation opportunities.
Get-CertRequest - Examines a CA's issued certificates by querying the CA's database. Its primary purpose is to discover certificate requests that may have abused a certificate template privilege escalation vulnerability. In addition, if a user or computer is compromised, incident responders can use it to find certificates the CA server issued to the compromised user/computer (which should then be revoked).
Running Invoke-PKIAudit [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] runs all auditing checks for your existing AD CS environment, including enumerating various Certificate Authority and Certificate Template settings.
Any misconfigurations (ESC1-8) will appear as properties on the CA/template results displayed to identify the specific misconfiguration found.
If you want to change the groups/users used to test enrollment/access control, modify the $CommonLowprivPrincipals regex at the top of Invoke-PKIAudit.ps1.
If you want to export all CA information to a csv, run: Get-AuditCertificateAuthority [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] | Export-Csv -NoTypeInformation CAs.csv
If you want to export ALL published template information to a csv (not just vulnerable templates), run: Get-AuditCertificateTemplate [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z] | Export-Csv -NoTypeInformation templates.csv
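The following triage script builds on the two export commands above; it is an added example, not part of PSPKIAudit. It assumes the module is imported and that the fields shown in the sample output (Misconfigurations, LowPrivCanEnroll, AllowsUserSuppliedSans, VulnerableACL, NTLMEnrollmentEndpoints, ConfigString) are exposed as properties on the returned objects; the CA name is the README's sample value.

```powershell
# Added example, not part of PSPKIAudit: turn the flags the audit reports into
# a prioritised remediation list (findings.csv) next to the full CSV exports.
# Assumption: the property names printed in the README's sample output are
# real properties on the objects Get-AuditCertificateTemplate/-Authority return.
param([string]$CAComputerName = 'dc.theshire.local')   # README's sample CA

$templates = Get-AuditCertificateTemplate -CAComputerName $CAComputerName
$cas       = Get-AuditCertificateAuthority -CAComputerName $CAComputerName

# Keep the full inventories as evidence (the same exports the README describes).
$templates | Export-Csv -NoTypeInformation templates.csv
$cas       | Export-Csv -NoTypeInformation CAs.csv

# Control that removes each template-level issue. switch -Regex evaluates every
# matching case, so a template flagged with several ESCs collects every fix.
function Get-TemplateFix([string]$Issues) {
    switch -Regex ($Issues) {
        'ESC1' { 'Clear "Supply in the request" or require CA manager approval / an authorized signature' }
        'ESC2' { 'Replace Any Purpose / empty EKU with only the EKUs the template needs' }
        'ESC3' { 'Restrict enrollment in the Certificate Request Agent template; add enrollment agent restrictions on the CA' }
        'ESC4' { 'Remove Write/WriteDacl/WriteOwner on the template object from low-privileged principals' }
    }
}

# CA-level issues map directly to the flags the CA object carries.
function Get-CAFix($CA) {
    if ($CA.AllowsUserSuppliedSans)  { 'Clear EDITF_ATTRIBUTESUBJECTALTNAME2 and restart CertSvc' }
    if ($CA.VulnerableACL)           { 'Remove ManageCA / ManageCertificates from low-privileged principals' }
    if ($CA.NTLMEnrollmentEndpoints) { 'Require HTTPS with Extended Protection (or disable NTLM) on web enrollment' }
}

$findings = @(
    foreach ($t in $templates | Where-Object { $_.Misconfigurations }) {
        [pscustomobject]@{
            Type = 'Template'; Object = $t.Name; Issue = $t.Misconfigurations
            LowPrivCanEnroll = $t.LowPrivCanEnroll
            Fix = (Get-TemplateFix $t.Misconfigurations) -join '; '
        }
    }
    foreach ($ca in $cas | Where-Object { $_.Misconfigurations }) {
        [pscustomobject]@{
            Type = 'CA'; Object = $ca.ConfigString; Issue = $ca.Misconfigurations
            LowPrivCanEnroll = $null
            Fix = (Get-CAFix $ca) -join '; '
        }
    }
)

# Templates any low-privileged principal can enroll in go to the top of the list.
$sorted = $findings | Sort-Object @{Expression = 'LowPrivCanEnroll'; Descending = $true}, Issue
$sorted | Export-Csv -NoTypeInformation findings.csv
$sorted | Format-Table -AutoSize
```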
[!] Potentially vulnerable Certificate Templates:
CA : dc.theshire.local\theshire-DC-CA
Name : ESC1Template
SchemaVersion : 2
OID : ESC1 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.10657968.9897558)
VulnerableTemplateACL : False
LowPrivCanEnroll : True
EnrolleeSuppliesSubject : True
EnhancedKeyUsage : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting File System (1.3.6.1.4.1.311.10.3.4)
HasAuthenticationEku : True
HasDangerousEku : False
EnrollmentAgentTemplate : False
CAManagerApproval : False
IssuanceRequirements : [Issuance Requirements]
Authorized signature count: 0
Reenrollment requires: same criteria as for enrollment.
ValidityPeriod : 1 years
RenewalPeriod : 6 weeks
Owner : THESHIRE\localadmin
DACL : NT AUTHORITY\Authenticated Users (Allow) - Read
THESHIRE\Domain Admins (Allow) - Read, Write, Enroll
THESHIRE\Domain Users (Allow) - Enroll
THESHIRE\Enterprise Admins (Allow) - Read, Write, Enroll
THESHIRE\localadmin (Allow) - Read, Write
Misconfigurations : ESC1
[!] Potentially vulnerable Certificate Templates:
CA : dc.theshire.local\theshire-DC-CA
Name : ESC2Template
SchemaVersion : 2
OID : ESC2 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.7730030.4389735)
VulnerableTemplateACL : False
LowPrivCanEnroll : True
EnrolleeSuppliesSubject : False
EnhancedKeyUsage :
HasAuthenticationEku : True
HasDangerousEku : True
EnrollmentAgentTemplate : False
CAManagerApproval : False
IssuanceRequirements : [Issuance Requirements]
Authorized signature count: 0
Reenrollment requires: same criteria as for enrollment.
ValidityPeriod : 1 years
RenewalPeriod : 6 weeks
Owner : THESHIRE\localadmin
DACL : NT AUTHORITY\Authenticated Users (Allow) - Read
THESHIRE\Domain Admins (Allow) - Read, Write, Enroll
THESHIRE\Domain Users (Allow) - Enroll
THESHIRE\Enterprise Admins (Allow) - Read, Write, Enroll
THESHIRE\localadmin (Allow) - Read, Write
Misconfigurations : ESC2
[!] Potentially vulnerable Certificate Templates:
CA : dc.theshire.local\theshire-DC-CA
Name : ESC3Template
SchemaVersion : 2
OID : ESC3 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.4300342.10028552)
VulnerableTemplateACL : False
LowPrivCanEnroll : True
EnrolleeSuppliesSubject : False
EnhancedKeyUsage : Certificate Request Agent (1.3.6.1.4.1.311.20.2.1)
HasAuthenticationEku : False
HasDangerousEku : False
EnrollmentAgentTemplate : True
CAManagerApproval : False
IssuanceRequirements : [Issuance Requirements]
Authorized signature count: 0
Reenrollment requires: same criteria as for enrollment.
ValidityPeriod : 1 years
RenewalPeriod : 6 weeks
Owner : THESHIRE\localadmin
DACL : NT AUTHORITY\Authenticated Users (Allow) - Read
THESHIRE\Domain Admins (Allow) - Read, Write, Enroll
THESHIRE\Domain Users (Allow) - Enroll
THESHIRE\Enterprise Admins (Allow) - Read, Write, Enroll
THESHIRE\localadmin (Allow) - Read, Write
Misconfigurations : ESC3
[!] Potentially vulnerable Certificate Templates:
CA : dc.theshire.local\theshire-DC-CA
Name : ESC4Template
SchemaVersion : 2
OID : ESC4 Template (1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.1768738.6205646)
VulnerableTemplateACL : True
LowPrivCanEnroll : True
EnrolleeSuppliesSubject : False
EnhancedKeyUsage : Client Authentication (1.3.6.1.5.5.7.3.2)|Secure Email (1.3.6.1.5.5.7.3.4)|Encrypting File System (1.3.6.1.4.1.311.10.3.4)
HasAuthenticationEku : True
HasDangerousEku : False
EnrollmentAgentTemplate : False
CAManagerApproval : False
IssuanceRequirements : [Issuance Requirements]
Authorized signature count: 0
Reenrollment requires: same criteria as for enrollment.
ValidityPeriod : 1 years
RenewalPeriod : 6 weeks
Owner : THESHIRE\localadmin
DACL : NT AUTHORITY\Authenticated Users (Allow) - Read, Write
THESHIRE\Domain Admins (Allow) - Read, Write, Enroll
THESHIRE\Domain Users (Allow) - Read, Enroll
THESHIRE\Enterprise Admins (Allow) - Read, Write, Enroll
THESHIRE\localadmin (Allow) - Read, Write
Misconfigurations : ESC4
THESHIRE\Cert Publishers (S-1-5-21-3022474190-4230777124-3051344698-517)
GenericAll CN=THESHIRE-DC-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
GenericAll CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
GenericAll CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
GenericAll CN=THESHIRE-DC-CA,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
THESHIRE\DC$ (S-1-5-21-3022474190-4230777124-3051344698-1000)
WriteOwner CN=THESHIRE-DC-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
GenericAll CN=THESHIRE-DC-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
GenericAll CN=THESHIRE-DC-CA,CN=DC,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
GenericAll CN=THESHIRE-DC-CA,CN=KRA,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
THESHIRE\Domain Computers (S-1-5-21-3022474190-4230777124-3051344698-515)
WriteDacl CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
THESHIRE\Domain Users (S-1-5-21-3022474190-4230777124-3051344698-513)
WriteAllProperties CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
THESHIRE\john-sa (S-1-5-21-3022474190-4230777124-3051344698-1602)
GenericAll CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
NT AUTHORITY\Authenticated Users (S-1-5-11)
Owner CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
WriteOwner CN=MisconfiguredTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=THESHIRE,DC=LOCAL
=== Certificate Authority ===
ComputerName : dc.theshire.local
CAName : theshire-DC-CA
ConfigString : dc.theshire.local\theshire-DC-CA
IsRoot : True
AllowsUserSuppliedSans : True
VulnerableACL : False
EnrollmentPrincipals : THESHIRE\Domain Users
THESHIRE\Domain Computers
THESHIRE\certmanager
THESHIRE\certadmin
THESHIRE\Nested3
EnrollmentEndpoints :
NTLMEnrollmentEndpoints :
DACL : BUILTIN\Administrators (Allow) - ManageCA, ManageCertificates
THESHIRE\Domain Admins (Allow) - ManageCA, ManageCertificates
THESHIRE\Domain Users (Allow) - Read, Enroll
THESHIRE\Domain Computers (Allow) - Enroll
THESHIRE\Enterprise Admins (Allow) - ManageCA, ManageCertificates
THESHIRE\certmanager (Allow) - ManageCertificates, Enroll
THESHIRE\certadmin (Allow) - ManageCA, Enroll
THESHIRE\Nested3 (Allow) - ManageCertificates, Enroll
Misconfigurations : ESC6
[!] The above CA is misconfigured!
...(snip)...
[!] EDITF_ATTRIBUTESUBJECTALTNAME2 set on this CA, the following templates may be vulnerable:
CA : dc.theshire.local\theshire-DC-CA
Name : User
SchemaVersion : 1
OID : 1.3.6.1.4.1.311.21.8.10395027.10224472.4213181.15714845.1171465.9.1.1
VulnerableTemplateACL : False
LowPrivCanEnroll : True
EnrolleeSuppliesSubject : False
EnhancedKeyUsage : Encrypting File System (1.3.6.1.4.1.311.10.3.4)|Secure Email (1.3.6.1.5.5.7.3.4)|Client Authentication (1.3.6.1.5.5.7.3.2)
HasAuthenticationEku : True
HasDangerousEku : False
EnrollmentAgentTemplate : False
CAManagerApproval : False
IssuanceRequirements : [Issuance Requirements]
Authorized signature count: 0
Reenrollment requires: same criteria as for enrollment.
ValidityPeriod : 1 years
RenewalPeriod : 6 weeks
Owner : THESHIRE\Enterprise Admins
DACL : NT AUTHORITY\Authenticated Users (Allow) - Read
THESHIRE\Domain Admins (Allow) - Read, Write, Enroll
THESHIRE\Domain Users (Allow) - Read, Enroll
THESHIRE\Enterprise Admins (Allow) - Read, Write, Enroll
Misconfigurations :
=== Certificate Authority ===
ComputerName : dc.theshire.local
CAName : theshire-DC-CA
ConfigString : dc.theshire.local\theshire-DC-CA
IsRoot : True
AllowsUserSuppliedSans : False
VulnerableACL : True
EnrollmentPrincipals : THESHIRE\Domain Users
THESHIRE\Domain Computers
THESHIRE\certmanager
THESHIRE\certadmin
THESHIRE\Nested3
EnrollmentEndpoints :
NTLMEnrollmentEndpoints :
DACL : BUILTIN\Administrators (Allow) - ManageCA, ManageCertificates
THESHIRE\Domain Admins (Allow) - ManageCA, ManageCertificates
THESHIRE\Domain Users (Allow) - ManageCA, Read, Enroll
THESHIRE\Domain Computers (Allow) - Enroll
THESHIRE\Enterprise Admins (Allow) - ManageCA, ManageCertificates
THESHIRE\certmanager (Allow) - ManageCertificates, Enroll
THESHIRE\certadmin (Allow) - ManageCA, Enroll
THESHIRE\Nested3 (Allow) - ManageCertificates, Enroll
Misconfigurations : ESC7
[!] The above CA is misconfigured!
=== Certificate Authority ===
ComputerName : dc.theshire.local
CAName : theshire-DC-CA
ConfigString : dc.theshire.local\theshire-DC-CA
IsRoot : True
AllowsUserSuppliedSans : False
VulnerableACL : False
EnrollmentPrincipals : THESHIRE\Domain Users
THESHIRE\Domain Computers
THESHIRE\certmanager
THESHIRE\certadmin
THESHIRE\Nested3
EnrollmentEndpoints : http://dc.theshire.local/certsrv/
NTLMEnrollmentEndpoints : http://dc.theshire.local/certsrv/
DACL : BUILTIN\Administrators (Allow) - ManageCA, ManageCertificates
THESHIRE\Domain Admins (Allow) - ManageCA, ManageCertificates
THESHIRE\Domain Users (Allow) - Read, Enroll
THESHIRE\Domain Computers (Allow) - Enroll
THESHIRE\Enterprise Admins (Allow) - ManageCA, ManageCertificates
THESHIRE\certmanager (Allow) - ManageCertificates, Enroll
THESHIRE\certadmin (Allow) - ManageCA, Enroll
THESHIRE\Nested3 (Allow) - ManageCertificates, Enroll
Misconfigurations : ESC8
[!] The above CA is misconfigured!