Missing Vuln Cert Template check for Domain Computers

Open cmahrl opened this issue 1 year ago • 1 comments

PingCastle does not report when computers are allowed to enroll for vulnerable certificate templates, so a direct critical path to DA remains undetected. e.g.:

  1. Flag: EnrolleeSuppliesSubject
  2. EKU: Client / Server Authentication
  3. Enrollment Rights: Domain Computers
  4. PWN

cmahrl avatar Mar 22 '24 10:03 cmahrl

Hi there, thanks for reporting this. This specific case is captured by PingCastle, but only when the ms-DS-MachineAccountQuota is not set to 0, which makes it even easier to exploit. I think Domain Computers on its own is a valid finding too, so I have added this to the backlog for us to implement.

JoeDibley avatar Sep 11 '24 15:09 JoeDibley
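
The check discussed in this thread, sketched as an added example (not PingCastle code and not from either participant). It assumes the template attributes and the SIDs holding the Enroll right have already been read from AD into dictionaries; the field names `name_flag`, `ekus`, `enroll_sids`, the `only_if_quota_nonzero` switch and all sample data are constructed for illustration.

```python
# Added example: field names and sample data are constructed, not PingCastle code.
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # Client Authentication OID
DOMAIN_COMPUTERS_RID = "515"            # well-known RID of Domain Computers


def is_domain_computers(sid: str) -> bool:
    """True for S-1-5-21-<domain>-515, whatever the domain identifier is."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_COMPUTERS_RID


def matches_issue(template: dict) -> bool:
    """The three template conditions listed in the issue."""
    return (
        bool(template["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT)
        and CLIENT_AUTH_EKU in template["ekus"]
        and any(is_domain_computers(s) for s in template["enroll_sids"])
    )


def audit(templates, machine_account_quota, only_if_quota_nonzero=False):
    """Return names of templates to report.

    only_if_quota_nonzero=True models the behaviour described in the reply
    (report only when the quota is not 0); False reports Domain Computers
    enrollment on its own, as the issue asks.
    """
    if only_if_quota_nonzero and machine_account_quota == 0:
        return []
    return [t["name"] for t in templates if matches_issue(t)]


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
TEMPLATES = [  # constructed sample data
    {"name": "Machine-ESS", "name_flag": 0x1,
     "ekus": [CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.1"],
     "enroll_sids": [DOMAIN + "-512", DOMAIN + "-515"]},
    {"name": "Machine", "name_flag": 0x18000000,  # subject built from AD, not supplied
     "ekus": [CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.1"],
     "enroll_sids": [DOMAIN + "-515"]},
    {"name": "Admin-ESS", "name_flag": 0x1,
     "ekus": [CLIENT_AUTH_EKU],
     "enroll_sids": [DOMAIN + "-512"]},  # Domain Admins only
]

if __name__ == "__main__":
    for quota in (10, 0):
        print(quota, audit(TEMPLATES, quota, True), audit(TEMPLATES, quota))
```

With the quota at 0, the quota-gated variant reports nothing while the standalone variant still reports `Machine-ESS`, which is the gap the issue describes.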