Skip to content

Mode1

``` _ _ _ _ _ _ _ _ _ _ | | | | |_/ |__ | | | | | || | |_____| |_____ | _ ______| | | | |__ | | | .--. .--. .--. /.-. '----------. /.-. '----------. /.-. '----------. \'-' .---'-''-'-' \'-' .--'--''-'-' \'-' .--'--'-''-' '--' '--' '--'

#### Auditing Issues

Technique : DETECT Name : horse-DC1-CA DistinguishedName : CN=horse-DC1-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : Auditing is not fully enabled. Current value is 0 Fix : certutil -config 'DC1.horse.local\horse-DC1-CA' -setreg 'CA\AuditFilter' 127; Invoke-Command -ComputerName 'DC1.horse.local' -ScriptBlock { Get-Service -Name 'certsvc' | Restart-Service -Force }

#### ESC1 - Misconfigured Certificate Template

Technique : ESC1 Name : ESC1-Vulnerable DistinguishedName : CN=ESC1-Vulnerable,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : HORSE\kari can enroll in this Client Authentication template using a SAN without Manager Approval Fix : Get-ADObject 'CN=ESC1-Vulnerable,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}

#### ESC2 - Misconfigured Certificate Template

Technique : ESC2 Name : ESC2-Vulnerable DistinguishedName : CN=ESC2-Vulnerable,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : NT AUTHORITY\Authenticated Users can request a SubCA certificate without Manager Approval Fix : Get-ADObject 'CN=ESC2-Vulnerable,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local' | Set-ADObject -Replace @{'msPKI-Certificate-Name-Flag' = 0}

#### ESC4 - Vulnerable Certificate Template Access Control

Technique : ESC4 Name : User DistinguishedName : CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : NT AUTHORITY\Authenticated Users has GenericAll rights on this template Fix : [Available in experimental branch]

Technique : ESC4 Name : User DistinguishedName : CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : HORSE\Domain Users has GenericAll rights on this template Fix : [Available in experimental branch]

#### ESC5 - Vulnerable PKI Object Access Control

Technique : ESC5 Name : horse-DC1-CA DistinguishedName : CN=horse-DC1-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : HORSE\kari has CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner rights on this object Fix : [Available in experimental branch]

Technique : ESC5 Name : DC1 DistinguishedName : CN=DC1,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : HORSE\kari has GenericAll rights on this object Fix : [Available in experimental branch]

#### ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

Technique : ESC6 Name : horse-DC1-CA DistinguishedName : CN=horse-DC1-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local Issue : EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled. Fix : certutil -config DC1.horse.local\horse-DC1-CA -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; Invoke-Command -ComputerName "DC1.horse.local" -ScriptBlock { Get-Service -Name 'certsvc' | Restart-Service -Force }

#### ESC8 - HTTP Enrollment Enabled

Technique : ESC8 Name : horse-DC1-CA DistinguishedName : CN=horse-DC1-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=horse,DC=local EnrollmentEndpoints : {http://DC1.horse.local/certsrv/} Issue : HTTP enrollment is enabled. Fix :