This post was made possible through the contributions of Joseph Spero and Thanassis Diogos.

In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled to enable automated workstation provisioning.

With access to the internal network, the attacker performed reconnaissance and identified a server running Active Directory Certificate Services that hosted the Certificate Authority Web Enrollment and Certificate Enrollment Web Service roles. Active Directory Certificate Services (AD CS) is a Windows Server role that lets organizations issue digital certificates to authenticate users, workstations, and servers, digitally sign messages, or encrypt data. Once the attacker identified the AD CS server, they exploited CVE-2022-26923 to elevate their privileges to domain administrator. Microsoft patched CVE-2022-26923 in update KB5014754; however, because the domain controllers' Key Distribution Center (KDC) was still in Compatibility mode rather than Full Enforcement mode, the certificate-based authentication was not blocked and was only logged as a warning.

With domain administrator privileges, the attacker attempted a DCSync attack, which extracts credentials from a domain controller (DC) by impersonating a DC and requesting password data through normal domain replication. The client's security tooling detected and blocked the DCSync attempt, and shortly afterwards X-Force executed containment measures to remove the attacker's access to the client's network.

While CVE-2022-26923 is not a new vulnerability and Microsoft released a patch in KB5014754, problems with the patch or compatibility concerns may have prevented organizations from applying it, or from moving beyond Compatibility mode, at the time. X-Force has observed renewed attacker interest in AD CS abuse as a way to elevate privileges without harvesting credentials through traditional means, which endpoint security tooling often detects. X-Force recommends that all organizations confirm the changes in KB5014754 are set to Full Enforcement mode after performing an impact assessment of the change, and implement the recommendations at the end of this post.

Important Note regarding CVE-2022-26923:

During this incident the attacker exploited the vulnerability by supplying a subject alternative name of a domain administrator, which the KB5014754 changes block once the KDC is in Full Enforcement mode. The vulnerability is, however, also exploitable through a different route that succeeds regardless of whether KB5014754 has been implemented. As detailed by @ly4k_ in the article "Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923)", there is an alternative path to privilege escalation through AD CS in fully patched environments. In a fully patched environment where web enrollment is enabled over HTTP and the enterprise certificate authority (CA) publishes a certificate template that allows client authentication and domain computer enrollment, an attacker holding only a non-privileged user account can relay the NTLM authentication of a privileged computer (such as a domain controller) to the HTTP AD CS endpoint and obtain a certificate issued to that computer account. Because the CA issues that certificate to the computer account itself, it maps strongly to the account and the checks added by KB5014754 pass.

It’s important for organizations to assess their AD CS environment and remove any vulnerable certificate templates, remove any unnecessary AD CS web enrollment endpoints, and harden AD CS infrastructure as per Microsoft’s guidance.

The remainder of this post will detail how the attacker was able to take control of the Active Directory domain through AD CS via exploitation of CVE-2022-26923.

AD CS overview

An enterprise AD CS deployment allows members of the domain to request and obtain certificates. A user creates a certificate signing request (CSR) containing details such as their public key, subject name, and key type and length. The CSR is sent to the AD CS server, which validates the request and then issues a certificate based on the settings defined in the certificate template the request names. Certificate templates are predefined settings for the certificates an enterprise certificate authority (CA) can issue; they define what the certificate can be used for, how long it is valid, who may enroll, and several other settings.

Certificates issued by AD CS are critical from a security perspective because they can be used to prove a user's identity (authentication) within the domain. The operational convenience of an internal certification authority often means it is deployed without the security controls and risk assessment that other identity infrastructure receives.


CVE-2022-26923

Certificate templates are at the root of the exploit: they define the attributes AD CS uses to review, filter, and issue certificates. An attacker can abuse templates with loose enrollment permissions (for example, Enroll granted to Domain Users or Authenticated Users), and especially those that combine "Allow Enroll", "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT=1", and a "Client Authentication" EKU (extended key usage). This is the template misconfiguration catalogued as ESC1 in SpecterOps' "Certified Pre-Owned" research.

Allow Enroll — Grants the listed principals (here, any domain user or computer) the right to create and submit CSRs that name this template to the AD CS certificate authority.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT=1 — Allows the requester submitting the CSR to specify the subject and a Subject Alternative Name (SAN) for the certificate, rather than having the CA build them from the requester's own AD object. SANs associate additional identities with a certificate beyond the identity specified in the subject of the request.

Client Authentication EKU — Allows the certificate that is issued in response to the CSR to be used for authentication.

Note: If non-privileged users are assigned Full Control of a certificate template, it is also vulnerable to privilege escalation as the properties of the template can be changed to meet any criteria.

Together, these properties let any principal that can enroll in the template request a certificate whose SAN names any other account in the domain, including a domain administrator, authenticate as that account, and eventually take over the Active Directory domain.
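The three properties above, together with the Full Control case in the note, can be checked directly against the Configuration partition where templates live. The following PowerShell audit script is an added example and is not code from the original post or from X-Force. It uses ADSI only (no RSAT modules), so it runs as any domain user on a domain-joined host; the flag bits, the Certificate-Enrollment right GUID and the EKU OIDs are the documented Windows values, while the list of "low-privileged" SIDs is an assumption you should extend for your own environment.

```powershell
# Added audit script (not from the original post). Finds published certificate templates
# that combine low-privileged Enroll, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and an
# authentication EKU, plus templates a low-privileged principal can rewrite.
# Uses ADSI only, so it runs as any domain user without the RSAT modules.
# Assumption: the "low-privileged" SID list below; extend it for your environment.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # bit in msPKI-Enrollment-Flag (manager approval)
$EnrollRight = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$AuthEkus    = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
                 '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
                 '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
                 '2.5.29.37.0')              # Any Purpose
# Authenticated Users, Everyone, Domain Users (RID 513), Domain Computers (RID 515)
$LowPrivSid  = '^(S-1-5-11|S-1-1-0|S-1-5-21-\d+-\d+-\d+-(513|515))$'
$GenericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteMask   = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Only templates published on an enterprise CA can be enrolled against.
$published = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    foreach ($name in $ca.Properties['certificateTemplates']) {
        $published["$name"] = "$($ca.Properties['cn'].Value)"
    }
}

# Returns the SID of the first low-privileged principal whose Allow ACE satisfies $Predicate.
function Test-LowPrivRight {
    param($Template, [scriptblock]$Predicate)
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($r.IdentityReference.Value -notmatch $LowPrivSid) { continue }
        if (& $Predicate $r) { return $r.IdentityReference.Value }
    }
    return $null
}

foreach ($t in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
    $cn = "$($t.Properties['cn'].Value)"
    if (-not $published.ContainsKey($cn)) { continue }

    $nameFlag   = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrollFlag = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
    $raSigs     = [int]$t.Properties['msPKI-RA-Signature'].Value
    $ekus       = @($t.Properties['pKIExtendedKeyUsage'] | ForEach-Object { "$_" })

    $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    # No EKU at all means the certificate is valid for any purpose, authentication included.
    $clientAuth      = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    # Manager approval or a required authorized signature breaks the unattended abuse path.
    $needsApproval   = (($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0) -or ($raSigs -gt 0)

    # "Allow Enroll": the Certificate-Enrollment right, all extended rights, or GenericAll.
    $enroller = Test-LowPrivRight $t {
        param($r)
        (($r.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
        ((($r.ActiveDirectoryRights -band $ExtRight) -ne 0) -and
         ($r.ObjectType -eq $EnrollRight -or $r.ObjectType -eq [guid]::Empty))
    }
    # Write access lets the principal change the template itself (the Full Control case above);
    # inspect the ACE's ObjectType to see whether it is scoped to a single attribute.
    $editor = Test-LowPrivRight $t {
        param($r)
        (($r.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
        (($r.ActiveDirectoryRights -band $WriteMask) -ne 0)
    }

    if ($editor -or ($enroller -and $suppliesSubject -and $clientAuth -and -not $needsApproval)) {
        [pscustomobject]@{
            Template        = $cn
            PublishedOnCA   = $published[$cn]
            EnrollableBy    = $enroller
            SuppliesSubject = $suppliesSubject
            ClientAuthEKU   = $clientAuth
            ManagerApproval = $needsApproval
            WritableBy      = $editor
        }
    }
}
```

Every template the script prints is either enrollable by a low-privileged principal, without manager approval, with a requester-chosen subject and an authentication EKU, or is writable by such a principal. Templates that exist in the directory but are not published on any CA are skipped because nobody can enroll against them; check the output against the CA's own issuance policy before removing a template, since the CA can impose further restrictions that the directory object does not show.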

CVE-2022-26923 exploitation review

During the investigation, X-Force recovered evidence that the attacker created two CSRs using the compromised, non-privileged IT management account, but with the SAN set to a domain administrator's identity. The CSRs were submitted to the enterprise CA and, given the template's permissions, the attacker was issued two certificates that allowed them to authenticate as the domain administrator.

Once the attacker held a certificate carrying the domain administrator's SAN, they attempted a DCSync attack against a domain controller. DCSync requests AD objects through the standard AD replication protocol, targeting password hashes and other sensitive information stored in AD.

CVE-2022-26923 recommendations

  • Implement a vulnerability management program, and track the KB5014754 enforcement state of every domain controller as part of it.
  • Apply granular access control to certificate templates: restrict Enroll to the principals that need each template, and do not allow the enrollee to supply the subject on templates that permit client authentication.
  • Disable HTTP access for AD CS web enrollment endpoints, and remove endpoints that are not needed; where an endpoint must remain, require HTTPS with Extended Protection for Authentication so NTLM relay to the CA is not possible.
  • Apply strict security management to the AD CS servers, which carry the same level of trust as the domain controllers themselves.

CVE-2022-26923 detection opportunities

Log source: the System log on each domain controller, written by the Microsoft-Windows-Kerberos-Key-Distribution-Center provider. The Event IDs below apply to Windows Server 2012 and later; the IDs in parentheses are the equivalents on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2.

  • Event ID 39 (41), Level: Warning — A user authenticated successfully with a certificate whose subject could not be strongly mapped to a user. Logged while the KDC is in Compatibility mode, so the authentication was allowed; this is the event the incident above produced.
  • Event ID 39 (41), Level: Error — A user attempted authentication with a certificate whose subject could not be strongly mapped to a user, and the authentication was denied.
  • Event ID 40 (48), Level: Error — A user attempted authentication with a certificate whose subject could not be strongly mapped to a user, and the certificate predated the user it was mapped to.
  • Event ID 41 (49), Level: Error — A user attempted authentication with a certificate containing a SID different from that of the user it was mapped to.
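The two checks this post asks for, whether KB5014754 is in Full Enforcement mode on every domain controller (the recommendation in the summary) and which accounts are generating the mapping events in the table above, can be run together. The following PowerShell script is an added example, not code from the original post or from X-Force. It assumes PowerShell remoting to the domain controllers; the event IDs and the StrongCertificateBindingEnforcement registry values come from Microsoft's KB5014754 documentation, while the 24-hour default window and the "Label: value" parsing of the event message are assumptions.

```powershell
# Added example (not from the original post). Reports each domain controller's KDC
# enforcement setting and pulls the certificate-mapping events from the table above.
# Event IDs and the StrongCertificateBindingEnforcement values (0 = Disabled,
# 1 = Compatibility, 2 = Full Enforcement) are from Microsoft's KB5014754; the
# 24-hour default window and the "Label: value" parsing of the message are assumptions.
param([int]$Hours = 24)

$provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$eventIds = 39, 40, 41      # Windows Server 2012 and later; use 41, 48, 49 on 2008 R2 / 2008
$kdcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$since    = (Get-Date).AddHours(-$Hours)
$modeName = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'FullEnforcement' }

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
       Select-Object -ExpandProperty Name

# 1. Enforcement state. Compatibility mode is what let the incident above succeed with only
#    a warning logged; a missing value means the OS default for that patch level applies.
$enforcement = foreach ($dc in $dcs) {
    $value = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path $using:kdcKey -Name StrongCertificateBindingEnforcement `
            -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    }
    $label = if ($null -eq $value) { 'NotSet (OS default)' }
             elseif ($modeName.ContainsKey([int]$value)) { $modeName[[int]$value] }
             else { "Unknown ($value)" }
    [pscustomobject]@{ DomainController = $dc; StrongCertificateBindingEnforcement = $value; Mode = $label }
}
$enforcement | Format-Table -AutoSize

# 2. Certificate-mapping events. Level 2 = Error (authentication denied), 3 = Warning
#    (allowed under Compatibility mode). The message is split into "Label: value" pairs so
#    the account and certificate details can be forwarded to a SIEM without OS-specific parsing.
$hits = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = $provider; Id = $eventIds; StartTime = $since
    }
    foreach ($e in $events) {
        $fields = [ordered]@{}
        foreach ($line in ($e.Message -split "`r?`n")) {
            if ($line -match '^\s*([^:]+?):\s*(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
        }
        $verdict = if ($e.Level -eq 2) { 'Denied' } else { 'Allowed (Compatibility mode)' }
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Verdict          = $verdict
            Details          = ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
}
$hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Run it from an account that can read the DCs' registry and System log. Any DC whose Mode is not FullEnforcement is still accepting weakly mapped certificates, and an Event ID 39 at Warning level whose Details name a privileged account is the signal the incident in this post produced: a certificate the KDC could not strongly map was nevertheless accepted for that account.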

IBM X-Force

If you are interested in learning more about detection and response, vulnerability management, or gap analysis through offensive security, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for zero-day attacks. To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
