This post was made possible through the contributions of Joseph Spero and Thanassis Diogos.

In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled to enable automated workstation provisioning.

With access to the internal network, the attacker performed reconnaissance and identified a server running Active Directory Certificate Services responsible for Certificate Authority Web Enrollment and the Certificate Enrollment Web Service. Active Directory Certificate Services (AD CS) is a service within Microsoft Windows that enables organizations to issue digital certificates to authenticate users, workstations, and servers, digitally sign messages, or encrypt data. Once the attacker identified the AD CS server, they exploited CVE-2022–26923, which enabled the attacker to elevate their privileges to domain administrator. CVE-2022–26923 was patched by Microsoft in update KB5014754, however, due to the configuration of the Key Distribution Center, the exploit was not blocked and just logged as a warning.

With domain administrator privileges, the attacker attempted to execute a DCSync attack which extracts credentials from a domain controller (DC) by impersonating a domain controller and retrieving password data via domain replication. The DCSync attack was detected and blocked by the client’s security tooling and shortly after X-Force executed containment measures to eliminate the attacker’s access to the client’s network.

While CVE-2022–26923 is not a new vulnerability and a patch has been released by Microsoft in KB5014754 issues with the patch or compatibility issues may have prevented organizations from updating at the time. X-Force has observed that attackers have a renewed interested in AD CS abuse to elevate privileges without harvesting credentials through traditional means which are often detected by endpoint security tooling. X-Force recommends that all organizations confirm the changes in KB5014754 are set to enforce mode after performing an impact assessment of the change and implementing the recommendations at the end of this post.

Important Note regarding CVE-2022–26923:

While during this incident, the attacker exploited the vulnerability by supplying a subject alternative name of a domain admin, this vulnerability is exploitable through a different means that will be successful regardless of the implementation of KB5014754. As detailed by @ly4k_, in the article “Certifried: Active Directory Domain Privilege Escalation (CVE-2022–26923)”, there is an alternative route to privilege escalation through AD CS in fully patched environments. In a fully patched environment where web enrollment is enabled via HTTP and the AD CS certificate authority (CA) has a certificate template published that allows for client authentication and domain computer enrollment, an attacker can escalate privileges from a non-privileged user account to a privileged computer (such as a domain controller), via a NTLM relay attack against a HTTP AD CS endpoint.

It’s important for organizations to assess their AD CS environment and remove any vulnerable certificate templates, remove any unnecessary AD CS web enrollment endpoints, and harden AD CS infrastructure as per Microsoft’s guidance.

The remainder of this post will detail how the attacker was able to take control of the Active Directory domain through AD CS via exploitation of CVE-2022–26923.

AD CS overview

An Enterprise AD CS allows members of the domain to request and obtain certificates. Users create a certificate signing request (CSR) which contains details such as their public key, subject name, key type and length, etc. The CSR is then sent to the AD CS server which does some validation and then generates a certificate based on the settings defined in the certificate template used. Certificate templates are predefined settings for certificates that can be issued by the enterprise certificate authority (CA). Certificate templates include information such as what capabilities the certificate can be used for, how long it is valid, and several other settings.

Certificates provided by the AD CS are extremely critical from the security perspective because they can be used to verify a user’s identity (authentication) within the domain. Often the operation value of having an internal certification authority bypasses security controls and risk qualification.

CVE-2022–26923

Certificate templates are at the root of the exploit as they enable AD CS to review, filter, and issue certificates using predefined attributes. An attacker can abuse certificate templates with loose permissions (Domain Users or Authenticated Users) and especially those with the “Allow Enroll”, “CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT=1”, and “Client Authentication EKU” (extended key usage).

Allow Enroll — Allows any domain user or computer to create and submit CSRs with a specified template to ADCS certificate authority.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT=1 — Allows the requester submitting the CSR to specify a Subject Alternative Name (SAN) for the certificate. SANs allow for additional identities to be associated with a certificate beyond the identity specified within the subject of the request.

Client Authentication EKU — Allows the certificate that is issued in response to the CSR to be used for authentication.

Note: If non-privileged users are assigned Full Control of a certificate template, it is also vulnerable to privilege escalation as the properties of the template can be changed to meet any criteria.

The combination of these properties allows every domain user or computer to request a certificate that can be used to authenticate for any user within the domain (SAN), including any domain administrator and eventually take over an Active Directory domain.

CVE-2022–26923 exploitation review

Through the investigation, X-Force recovered evidence that the attacker created two CSRs using a compromised IT domain non-privileged user. However, the CSRs specified the SAN of a domain administrator. The CSRs were sent to the enterprise CA and given the template’s permissions the attacker was issued two certificates enabling them to authenticate as a domain administrator.

Once the attacker obtained the certificate with the SAN of the domain administrator account, the attacker attempted a DCSync attack against a domain controller. This method requests AD objects via standard AD replication processes targeting into password hashes and other sensitive information stored in AD.

CVE-2022–26923 recommendations

• Implement a vulnerability management program.
• Granular access control on certificate templates.
• Disable HTTP access for AD CS.
• Strict security management of the AD CS.

CVE-2022–26923 detection opportunities

IBM X-Force

If you are interested in learning more about detection and response, vulnerability management, or gap analysis through offensive security, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for zero-day attacks. To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here: IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.