I read with interest about Active Directory Certificate Services (AD CS) misconfigurations and the risks they present to my network. Security firm SpecterOps have developed an audit toolkit, written in PowerShell and dubbed PSPKIAudit, and will release two offensive tools, Certify and ForgeCert, in early August during the upcoming Black Hat USA 2021 conference. However, I wanted to get a head start to see if my domain was vulnerable to attacks that could result in account or domain takeover.
Steps to find AD CS misconfigurations
I followed these steps:
- With an elevated PowerShell prompt, install the Remote Server Administration Tools (RSAT) Certificate Services and Active Directory features with the command:
Get-WindowsCapability -Online -Name "Rsat.*" | where Name -match "CertificateServices|ActiveDirectory" | Add-WindowsCapability -Online
- Download PSPKIAudit, extract it to the folder PSPKIAudit, and unblock the extracted files with the commands:
cd .\PSPKIAudit
Get-ChildItem -Recurse | Unblock-File
- Import PSPKIAudit with the command:
Import-Module .\PSPKIAudit.psm1
You may need to add the -Verbose parameter, as you might receive this message: “WARNING: The names of some imported commands from the module ‘PSPKIAudit’ include unapproved verbs that might make them less discoverable.” To see which commands use unapproved verbs, run the Import-Module command again with the -Verbose parameter:
PS C:\PSPKIAudit> Import-Module .\PSPKIAudit.psm1 -Verbose
For a list of approved verbs, type “Get-Verb”. The verbose output then lists the commands whose verbs are less discoverable.
- Run this command, or export its output to a .csv file, to review your organization:
Invoke-PKIAudit [-CAComputerName CA.DOMAIN.COM | -CAName X-Y-Z]
It performs auditing checks against your existing AD CS environment, enumerating various certificate authority (CA) and certificate template settings. You can also simply run Invoke-PKIAudit with no parameters and review the output it produces.
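The steps above, combined into one repeatable script as an added example (this is not code from the original article or from the PSPKIAudit project). It assumes the module has already been extracted to C:\PSPKIAudit, that reports go to C:\PKIAudit-Reports, and that Invoke-PKIAudit returns objects that can be piped to Export-Csv.

```powershell
#Requires -RunAsAdministrator
# Added example: wraps the RSAT install, unblock, import and audit steps
# into a single idempotent script. Paths below are assumptions.
param(
    [string]$ModulePath = 'C:\PSPKIAudit',        # assumed extraction folder
    [string]$ReportDir  = 'C:\PKIAudit-Reports',  # assumed output folder
    [string]$CAComputerName                       # optional, as in Invoke-PKIAudit
)

# 1. Install the RSAT Certificate Services / Active Directory features,
#    but only those not already present, so re-runs are cheap.
$rsat = Get-WindowsCapability -Online -Name 'Rsat.*' |
    Where-Object Name -match 'CertificateServices|ActiveDirectory'
$missing = $rsat | Where-Object State -ne 'Installed'
if ($missing) {
    $missing | Add-WindowsCapability -Online | Out-Null
}

# 2. Remove the mark-of-the-web from the downloaded module files.
if (-not (Test-Path $ModulePath)) {
    throw "PSPKIAudit not found at $ModulePath; extract it there first."
}
Get-ChildItem -Path $ModulePath -Recurse | Unblock-File

# 3. Import the module. -DisableNameChecking suppresses the
#    "unapproved verbs" warning described above.
Import-Module (Join-Path $ModulePath 'PSPKIAudit.psm1') -DisableNameChecking -Force

# 4. Run the audit and keep a dated CSV so successive runs can be compared.
if (-not (Test-Path $ReportDir)) {
    New-Item -ItemType Directory -Path $ReportDir | Out-Null
}
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$report = Join-Path $ReportDir "pkiaudit-$stamp.csv"

# Pass -CAComputerName only when the caller supplied one.
$auditArgs = @{}
if ($CAComputerName) { $auditArgs['CAComputerName'] = $CAComputerName }

$results = Invoke-PKIAudit @auditArgs
$results | Export-Csv -Path $report -NoTypeInformation
Write-Host "Audit results written to $report"
```

Keeping the dated CSVs lets you diff one run against the next, so a template or CA setting that changes between audits stands out.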