ADCS Attacks Lab

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

AD CS Attacks for Red and Blue Teams Lab Objective:

Identity plays a crucial role in security of an enterprise environment. Certainly, Identity is the new security perimeter. In an enterprise environment, Identity is usually managed by Active Directory or by Azure AD in case of a Hybrid Identity. An often-overlooked part of enterprise infrastructure is Active Directory Certificate Services (AD CS). AD CS is a Windows Server Role that implements Public Key Infrastructure and can be used for user authentication, machine authentication, document signing, email signing, file encryption and so much more. This makes AD CS a crucial part of Identity Management.

Unfortunately, not many professionals understand AD CS. This, of course, makes it harder to secure it against even the simplest attacks that may result in compromise of the entire enterprise environment.
We have years of experience of teaching classes at world’s leading organizations and hacker conferences and Red Team operations against some of the better enterprise environments. Drawing from that experience, we have created this course and lab that helps you in getting started with Attacking and Defending AD CS.

The AD CS Attacks for Red and Blue Teams lab provides course videos, learning aids and a meticulously created lab environment that helps you in understanding AD CS security in-depth. The lab is beginner friendly and you don’t need any prior experience with AD CS. We cover a lot of interesting topics like CA enumeration, Local Privilege Escalation, Persistence by abusing Certificates, Domain Privilege Escalation by - abusing CA, Certificate Templates, Abusing Certificates – Client Auth, EFS, Code Signing, SSH etc., Domain persistence after compromising CA, Network Pivoting by abusing VPN Certificates, Abusing certificates on Linux machines, Lateral movement to Azure and a lot more!

What's Included

Access to a lab environment (One/Two/Three months) with updated Server 2022 and Linux machines. Lab can be accessed using a web browser or VPN.
11+ hours of video course
Slides, Lab Manual, Walk-through videos and Diagrams as learning aid.
Lab manual for solving the labs. The student VM contains both Windows and Linux tools (using WSL).
One attempt to Certified Enterprise Security Professional – AD CS (CESP - ADCS) exam.

What will you Learn?

Performing Red Team operation or Penetration Test against a modern AD CS environment.
AD CS is not the only CA in the lab. Learn and practice attacks against other Certificate Services too!
Pivot to Azure by abusing Azure Certificate-based authentication.
Abuse VPN certificates to pivot to protected networks .
Abuse Trusted CAs across the AD forests.
Learn to execute attacks from both Windows and Linux.

Prerequisites for the lab

Basic understanding of attacking Active Directory (like CRTP)
Ability to use command line tools.

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$249

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$379

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$199

Reattempt

EXAM
REATTEMPT

$99

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CESP - ADCS Certified Students

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$149

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal adcs.enterprisesecurity.io
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On Demand Lab

On Demand Lab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$249

On Demand Lab

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$379

On Demand Lab

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

$499

Extension

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

$199

Reattempt

EXAM
REATTEMPT

$99

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Certificate Renewal - Only For Existing CESP - ADCS Certified Students

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

Extension

30 DAYS LAB ACCESS FOR CERT RENEWAL

$149

Reattempt

ADDITIONAL
RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase
You need a Google account to access the lab portal adcs.enterprisesecurity.io
One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each
Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security
The above lab is a shared environment and certain pre-specified machines will be off-limits
If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

Certified Enterprise Security Professional – AD CS (CESP – ADCS)

The Certified Enterprise Security Professional - AD CS (CESP - ADCS) is a fully hands-on certification.

To be certified, a student needs to solve an exam lab that contains fully patched Active Directory Certificate Services environment with fully patched Server 2022 machines within 24 hours. The student needs to submit a report detailing the methodology and steps used to compromise the exam lab. The certification challenges a student to compromise Active Directory Certificate Services by abusing misconfigurations, default settings, features and functionalities without relying on patchable exploits.

A certification holder has demonstrated the skills to understand and assess security of an AD CS environment. A non-exhaustive list of skills:

- AD CS Enumeration
- Stealing Certificates using Windows Crypto APIs, DPAPI, User store, Machine store and disk.
- Domain Privilege Escalation by abusing settings and misconfigurations like Enrollee Supplies Subject, Enrollment Agent EKUs, Overly permissive ACLs on Certificate Templates and CA, Abusing CA Roles, Relaying to HTTP Endpoints and more.
- Machine and User Persistence by requesting and renewing certificates
- Domain Persistence using Forged certificates, Stolen Trusted Root certificates and more.
- Abusing SSH CA Signers on Linux machines for Lateral Movement
- Abusing VPN with Certificate-based authentication to pivot to different networks.
- Pivoting to Azure by abusing Azure AD CBA.

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. Certificate renewal is free of cost.

In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool down period of one month before a student can appear in the exam again. The student will get an exam
environment from the pool of our different exam labs. After total 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool down period of 6 months.

Certificate Expiry and Renewal

To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it. The renewal exam is FREE before the certificate expires. CESP - ADCS can also be renewed by taking CRTE or CRTM. Please take a look at this blog post for more details: https://www.alteredsecurity.com/post/renewal-process-for-altered-security-certifications

Exam Structure

The students are provided access to a dedicated AD CS environment, that is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.

To be successful, students must solve the challenges by enumerating the environment and carefully constructing attack paths. The students will need to understand how AD CS works, what could be the misconfigurations and attack them to solve the exam.

At the end of the exam, students need to submit a report detailing the how they solved the exam lab with evidence of compromise.

Certificate Benefits

A certificate holder has demonstrated the understanding of AD CS security. They can execute attacks against an enterprise environment containing AD CS. They are ready to integrate AD CS attacks in their TTPs and attack methodology. They also understand how the misconfigurations can be fixed and can help in securing an AD CS setup.

20 Learning Objectives, 25 Modules, 40 Flags, >130 Hours of Fun

I. AD CS Enumeration

Use built-in tools and external tools to enumerate the AD CS CA and its various template configurations.
Enumerate, understand, and find common and complex AD CS misconfigurations for abuse.
Explore interconnected attack chains as seen in enterprise environments.
Analyse certificates to parse and extract useful information from them.
Enumerate alternate Certification Authorities.

II. AD CS Local Privilege Escalation

Escalate privileges from Virtual Account to SYSTEM by abusing AD CS misconfigurations.
Hunt for local admin privileges on machines in the target domain using multiple methods.
Replay certificates to find elevated privileges on compromised machines.
Abuse Linux groups dynamically mapped to AD groups to escalate privileges on Linux.

III. AD CS Domain Privilege Escalation

Abuse SubjectAltName to escalate privileges to Domain / Enterprise Admins by abusing AD CS misconfigured templates.
Abuse misconfigured ACLs over AD CS templates and the CA server itself to escalate to Domain / Enterprise Admins.
Compromise forest by abusing overly permissive role assignments on the CA server.
Abuse certificate EKUs to execute interesting and fun attacks to escalate privileges.
Leverage CA Access Control roles to perform administrative actions and escalate domain privileges.
Setup and perform relaying attacks to CA endpoints to relay and impersonate a high privileged computer account.

IV. AD CS Pivoting and Lateral Movement

Pivot into air-gapped protected networks by abusing VPN certificates stolen from an alternate CA.
Reconstruct OpenVPN configuration files using stolen certificates to pivot to restricted networks.
Use Kerberos PKINIT and Schannel authentication to execute lateral movement.
Execute Pass-the-Cert for lateral movement to multiple machines.
Execute Shadow Credential attack to access remote machines with administrative privileges.
Perform S4U2Self to access other machines in the network.

V. AD CS Theft and Collection

Export certificates from the User / Machine Certificate Stores using CRYPTO WINAPIs.
Search for interesting certificates, keys, config files, tokens etc on-disk.
Exfiltrating certificates from the Certificate Store using DPAPI.
Certificate exfiltration on Linux from flat SQLite NSS databases.
Execute UnPAC-the-hash / Shadow Credentials attack to extract NTLM hashes of target accounts.
Extracting secrets like certificates and private keys from Vault.

VI. AD CS Local and Domain Persistence

User and Computer Account Persistence using new Certificate Requests.
User and Computer Account Persistence using Certificate Renewal before expiration.
Forge ANY domain certificate using stolen CA certificate and private keys.
Backdoor a CA server using malicious AD CS misconfigurations.
Use root token to persist with highest privileges on Vault.

VII. Abusing Cross Forest and External Trusted CAs

Escalate privileges to trusting forest using a stolen CA certificate and private key trusted for Cross Forest CA deployment.
Compromise Linux AD-joined machines by abusing SSH Signer services by an alternate CA.

VIII. Abusing Azure CBA for Lateral Movement and Persistence on Cloud

Forge certificates for ANY Azure AD user to access the Azure AD tenant (CBA) that trusts the compromised CA.
Replay forged or compromised certificates of Azure AD users for persistence.

IX. Evasion and Bypasses

Use Microsoft Signed binaries to sign attack tools.
Evade WDAC by abusing a certificate with CodeSigning EKU to execute attack tools on a target machine.
Use Microsoft Signed binaries to analyse encrypted files on a target machine.
Retrieve encrypted files protected by EFS (Encrypted File System) using a stolen certificate.
Bypass a JEA endpoint by abusing binaries that are allowed in the NoLanguageMode.
Bypass Kerberos Double Hop Issues using reverse shells and leveraging legitimate channels such as CredSPP.
Bypass Microsoft's CBA patch in FullEnforcement mode.
Obfuscate tools to bypass Windows Defender on the target fully patched Server 2022 machines.
Use in-memory execution of payloads to bypass Enhanced Logging and AV.

X. AD CS Defence - Prevention and Detection

Configure auditing using Group Policy and CA server settings.
Understand commonly generated Event IDs by AD CS.
Analyse logs generated by the attack techniques used in the lab.
Understand how to differentiate anomalous Event IDs from the normal ones.
Harden AD CS server and certificate templates to prevent common attacks.
Understand the benefits of CBA patch.
Use custom policy to stop bypass of the CBA patch.

adcs purchase

30 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$249

60 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$379

90 DAYS LAB ACCESS + LIFE TIME ACCESS TO COURSE MATERIAL + ONE CERTIFICATION EXAM ATTEMPT

$499

​30 DAYS LAB EXTENSION + ONE CERTIFICATION EXAM ATTEMPT

$199

EXAM REATTEMPT

$99

Exam Reattempt is only for existing or past students of this course who have already purchased this course in the past.

Course access and one renewal exam attempt is free. If you want to access the lab for practice or need another renewal exam attempt, purchase that from here.

30 DAYS LAB ACCESS FOR CERT RENEWAL

$149

ADDITIONAL RENEWAL EXAM

$29

Terms of Purchase and Use:

You can start your lab access anytime within 90 days of purchase

You need a Google account to access the lab portal adcs.enterprisesecurity.io

One Certification Exam attempt is included in the pricing. Additional exam attempts will be $99 each

Once connected over VPN, consider the lab to be a hostile environment and you are responsible for your computer's security

The above lab is a shared environment and certain pre-specified machines will be off-limits

If you want a dedicated lab just for yourself, please use the form in the Contact-Us tab

30 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

60 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

90 DAYS LAB ACCESS
+
LIFE TIME ACCESS TO COURSE MATERIAL
+
ONE CERTIFICATION EXAM ATTEMPT

30 DAYS
LAB EXTENSION
+
ONE CERTIFICATION EXAM ATTEMPT

EXAM
REATTEMPT

ADDITIONAL
RENEWAL EXAM