Will Schroeder, profile picture
Uploaded byWill Schroeder
1,619 views

Certified Pre-Owned

The document discusses the exploitative potential of Active Directory Certificate Services (AD CS), detailing how attackers can misuse certificate templates and authentication methods for credential theft and domain escalation. It highlights various attack scenarios, including 'active' and 'passive' certificate theft, alongside possible exploits available through misconfigured certificate templates and services. Additionally, it emphasizes the importance of security measures, with references to a comprehensive whitepaper for further information.

Embed presentation

Downloaded 24 times
Certified Pre-Owned Abusing Active Directory Certificate Services 1 @harmj0y @tifkin_
tl;dr ➜ Background ➜ Account Persistence ➜ Domain Escalation ➜ Persistence with “Golden” Certificates 2
Active Directory Certificate Services ➜ AD CS is a server role that functions as Microsoft’s public key infrastructure (PKI) implementation - Used by organization for smart cards, SSL certificates, code signing, etc. ➜ Clients send certificate signing requests (CSRs) to an (enterprise) CA, which signs issued certificates using the private key for the CA certificate 3
NTAuthCertificates 4 This is the root of domain-based certificate auth!
Certificate Enrollment 5
Certificate Templates ➜ CAs issue certificates with “blueprint” settings defined by certificate templates (stored as AD objects) 6
Subject Alternative Names (SANs) 7 ➜ Allows additional identities to be bound to a certificate beyond the Subject ➜ Can be dangerous when combined with certificates that allow domain authentication! - AD maps certificates to user accounts using the SAN
Aren’t Smartcards Required? 8 ➜ No! Rubeus and Kekeo support Kerberos authentication using certificates via PKINIT - Schannel authentication also supports certificates (e.g., LDAPS)
Account Persistence a.k.a. Long Term LSASS-less Credential Theft 9
“Passive” Certificate Theft 10 ➜ If hardware protection is not used, existing user/machine certificates are stored using DPAPI - Mimikatz and SharpDPAPI can steal such certs/private keys
“Active” Certificate Theft ➜ Users/machines can enroll in any template they have Enroll permissions for - By default the User and Machine templates are available ➜ We want a template that allows for AD authentication - Lets us get a user’s TGT (and NTLM!) - Lets us compromise a computer through RBCD/S4U2Self ➜ We can enroll through DCOM (Certify), RPC, and AD CS web endpoints 11
12
Offensive Advantages 13 ➜ Doesn’t touch lsass.exe’s memory! ➜ Doesn’t need elevation (for user contexts)! ➜ Few existing detection methods! (*currently* lesser known technique : ) ➜ Separate credential material from passwords - Works even if an account changes its password! - Long lifetime. By default, User/Machine templates issue certificates valid for 1 year.
Domain Escalation Domain User → Enterprise Admin 14
Template Misconfigurations: General Requirements ➜ The Enterprise CA grants low-privileged users enrollment rights ➜ Low privileged users can enroll in the template - Specified by the certificate template AD object’s security descriptor ➜ Manager approval is disabled ➜ No “authorized signatures” are required 15
Key Misconfiguration: Templates that Process User-Supplied SANs 1. An attacker can specify an arbitrary SAN when requesting a certificate 2. The certificate enables domain authentication 3. The CA creates and signs a certificate using the attacker-supplied SAN 16 Then the attacker can become any account in the domain!
Escalation Scenarios 17 ➜ ESC1 - General Requirements - [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (i.e., EKU allows auth) - The ENROLLEE_SUPPLIES_SUBJECT flag ➜ ESC2 - General requirements - The Any Purpose EKU or No EKU ➜ ESC3 - General requirements + no “enrollment agent restrictions” - The Certificate Request Agent EKU - Enrollment rights to template with a few other requirements
18
Escalation Scenarios (cont.) 19 ➜ ESC4 - Vulnerable certificate template access control ➜ ESC5 - Vulnerable PKI object access control ➜ ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on a CA - (Allows CSRs for ANY template to specify a SAN!) ➜ ESC7 - Vulnerable CA access control - The ManageCA permission can be used to fixate ESC6
ESC8 - NTLM Relay to HTTP Enrollment Endpoints 20 ➜ AD CS web enrollment endpoints are optional roles (but commonly installed) - All of these endpoints are vulnerable to NTLM relay! ➜ If there is a user-enrollable auth template: - Extends the window for user NTLM relay scenarios ➜ If there is a machine-enrollable auth template: - Combine with printer bug for coerced auth - I.e., take over ANY system in the domain running the spooler service!
21
“ “We determined your finding is valid but does not meet our bar for a security update release.” -MSRC 22
Domain Persistence “One Certificate To Rule Them All” 23
Stealing CA Private Keys 24 ➜ If the private key for a CA’s certificate is not protected by a TPM/HSM, it’s protected by DPAPI - CAs sign issued certificates with this key ➜ If we can steal private key of any CA cert in NTAuthCertificates, we can forge our own certificates as anyone in the domain! ➜ These forged certs can’t be revoked! - The certs are never actually “issued”! - Forged certs work as long as the CA cert is still valid :)
25
Bonus: PKINIT -> NTLM 26 ➜ As part of [MS-PKCA], for backwards compatibility a legitimate certificate can be used to retrieve the associated user/computer’s NTLM hash - First publicly/offensively detailed by @gentilkiwi - Recently integrated into Rubeus by @_ethicalchaos_ and @exploitph ➜ If we combine this with “golden” certificates, we have an alternative way to obtain NTLM credentials for any active user/computer (i.e., an alternative to DCSync)
27
Summary 28 ➜ AD CS has a lot of abuse potential! - User credential theft/machine persistence - Domain escalation and persistence ➜ Our 140 page whitepaper has complete details - Includes extensive defensive information and additional architectural considerations - https://bit.ly/3xLziQ9 ➜ Certify and ForgeCert are now live in the GhostPack GitHub organization, along with PSPKIAudit for auditing your environment
Acknowledgements 29 ➜ Previous work (see the paper for complete details): - Benjamin Delpy, PKISolutions, Christoph Falta, CQURE, Keyfactor, @Elkement, Carl Sörqvist, Brad Hill ➜ Ceri Coburn and Charlie Clark for PKINIT + U2U Rubeus additions ➜ Special thanks to Mark Gamache for collaborating with us on parts of this work
Questions? 30

More Related Content

PDF
ReCertifying Active Directory
byWill Schroeder
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
PDF
Ace Up the Sleeve
byWill Schroeder
 
PDF
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
PDF
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PPTX
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 
ReCertifying Active Directory
byWill Schroeder
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
DerbyCon 2019 - Kerberoasting Revisited
byWill Schroeder
 
Ace Up the Sleeve
byWill Schroeder
 
0wn-premises: Bypassing Microsoft Defender for Identity
byNikhil Mittal
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
byRootedCON
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
(Ab)Using GPOs for Active Directory Pwnage
byPetros Koutroumpis
 

What's hot

PDF
[오픈소스컨설팅]Zabbix Installation and Configuration Guide
byJi-Woong Choi
 
PDF
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
PPTX
Vault - Secret and Key Management
byAnthony Ikeda
 
PPTX
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
PDF
I Have the Power(View)
byWill Schroeder
 
PPTX
LDAP - Lightweight Directory Access Protocol
byS. Hasnain Raza
 
PPTX
Microsoft Offical Course 20410C_02
bygameaxt
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PDF
Bonnes pratiques anti-DDOS
byJulien SIMON
 
PPT
LDAP
byKhemnath Chauhan
 
PDF
Kubernetes - A Comprehensive Overview
byBob Killen
 
PPTX
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
byoholiab
 
PDF
Course 102: Lecture 20: Networking In Linux (Basic Concepts)
byAhmed El-Arabawy
 
PPTX
Mod security
byShruthi Kamath
 
PPTX
Vault
byJean-Philippe Bélanger
 
PPTX
Introduction to ansible
byOmid Vahdaty
 
PPTX
Kubernetes #6 advanced scheduling
byTerry Cho
 
PDF
Dockerfile Tutorial with Example | Creating your First Dockerfile | Docker Tr...
byEdureka!
 
PPT
Active directory and application
byaminpathan11
 
PDF
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
byEdureka!
 
[오픈소스컨설팅]Zabbix Installation and Configuration Guide
byJi-Woong Choi
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
Vault - Secret and Key Management
byAnthony Ikeda
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
I Have the Power(View)
byWill Schroeder
 
LDAP - Lightweight Directory Access Protocol
byS. Hasnain Raza
 
Microsoft Offical Course 20410C_02
bygameaxt
 
Hashicorp Vault ppt
byShrey Agarwal
 
Bonnes pratiques anti-DDOS
byJulien SIMON
 
LDAP
byKhemnath Chauhan
 
Kubernetes - A Comprehensive Overview
byBob Killen
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
byoholiab
 
Course 102: Lecture 20: Networking In Linux (Basic Concepts)
byAhmed El-Arabawy
 
Mod security
byShruthi Kamath
 
Vault
byJean-Philippe Bélanger
 
Introduction to ansible
byOmid Vahdaty
 
Kubernetes #6 advanced scheduling
byTerry Cho
 
Dockerfile Tutorial with Example | Creating your First Dockerfile | Docker Tr...
byEdureka!
 
Active directory and application
byaminpathan11
 
Docker Commands With Examples | Docker Tutorial | DevOps Tutorial | Docker Tr...
byEdureka!
 

Similar to Certified Pre-Owned

PPTX
Troopers 19 - I am AD FS and So Can You
byDouglas Bienstock
 
PPTX
MCSA 70-412 Chapter 06
byComputer Networking
 
PDF
Hacktive Directory Forensics - HackCon18, Oslo
byYossi Sassi
 
PPTX
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
bykieranjacobsen
 
PPTX
AD Basic and Azure AD.pptx
bySumTingWong8
 
PDF
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
PPTX
17 roles of window server 2008 r2
byIGZ Software house
 
PDF
AD authentication with be eID
byAndre Debilloez
 
PPTX
[HUN][Hackersuli] Abusing Active Directory Certificate Services
byhackersuli
 
PDF
(eBook PDF) 70-411 Administering Windows Server 2012 R2
byilongolestos
 
PDF
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
byCloudVillage
 
DOC
Ad cs-step-by-step-guide
byValentín Sánchez de Movellán
 
PDF
Tech t18
bySelectedPresentations
 
PPT
Session 10 Tp 10
bygithe26200
 
PDF
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
byKumton Suttiraksiri
 
PPTX
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
PPT
Introduction to distributed security concepts and public key infrastructure m...
byInformation Security Awareness Group
 
PDF
Easing the Pains of Certificate Management
byEntrust Datacard
 
PPTX
Escalation defenses ad guardrails every company should deploy
byDavid Rowe
 
PPTX
Cloud Security Fundamentals - St. Louis O365 Users Group
byJ.D. Wade
 
Troopers 19 - I am AD FS and So Can You
byDouglas Bienstock
 
MCSA 70-412 Chapter 06
byComputer Networking
 
Hacktive Directory Forensics - HackCon18, Oslo
byYossi Sassi
 
Infrastructure Saturday 2011 - Understanding PKI and Certificate Services
bykieranjacobsen
 
AD Basic and Azure AD.pptx
bySumTingWong8
 
Tips to Remediate your Vulnerability Management Program
byBeyondTrust
 
17 roles of window server 2008 r2
byIGZ Software house
 
AD authentication with be eID
byAndre Debilloez
 
[HUN][Hackersuli] Abusing Active Directory Certificate Services
byhackersuli
 
(eBook PDF) 70-411 Administering Windows Server 2012 R2
byilongolestos
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
byCloudVillage
 
Ad cs-step-by-step-guide
byValentín Sánchez de Movellán
 
Tech t18
bySelectedPresentations
 
Session 10 Tp 10
bygithe26200
 
04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019
byKumton Suttiraksiri
 
Kent King - PKI: Do You Know Your Exposure?
bycentralohioissa
 
Introduction to distributed security concepts and public key infrastructure m...
byInformation Security Awareness Group
 
Easing the Pains of Certificate Management
byEntrust Datacard
 
Escalation defenses ad guardrails every company should deploy
byDavid Rowe
 
Cloud Security Fundamentals - St. Louis O365 Users Group
byJ.D. Wade
 

More from Will Schroeder

PDF
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
A Year in the Empire
byWill Schroeder
 
PDF
Not a Security Boundary
byWill Schroeder
 
PDF
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
byWill Schroeder
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PDF
SpecterOps Webinar Week - Kerberoasting Revisisted
byWill Schroeder
 
PPTX
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
PDF
A Case Study in Attacking KeePass
byWill Schroeder
 
PPTX
I hunt sys admins 2.0
byWill Schroeder
 
PPTX
The Travelling Pentester: Diaries of the Shortest Path to Compromise
byWill Schroeder
 
PPTX
Bridging the Gap
byWill Schroeder
 
PPTX
Defending Your "Gold"
byWill Schroeder
 
PPTX
Trusts You Might Have Missed
byWill Schroeder
 
PPTX
Building an Empire with PowerShell
byWill Schroeder
 
PDF
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
byWill Schroeder
 
PDF
Building an EmPyre with Python
byWill Schroeder
 
PDF
Trusts You Might Have Missed - 44con
byWill Schroeder
 
PPTX
PSConfEU - Building an Empire with PowerShell
byWill Schroeder
 
PPTX
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
PDF
Nemesis - SAINTCON.pdf
byWill Schroeder
 
The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
A Year in the Empire
byWill Schroeder
 
Not a Security Boundary
byWill Schroeder
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
byWill Schroeder
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
SpecterOps Webinar Week - Kerberoasting Revisisted
byWill Schroeder
 
Catch Me If You Can: PowerShell Red vs Blue
byWill Schroeder
 
A Case Study in Attacking KeePass
byWill Schroeder
 
I hunt sys admins 2.0
byWill Schroeder
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
byWill Schroeder
 
Bridging the Gap
byWill Schroeder
 
Defending Your "Gold"
byWill Schroeder
 
Trusts You Might Have Missed
byWill Schroeder
 
Building an Empire with PowerShell
byWill Schroeder
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
byWill Schroeder
 
Building an EmPyre with Python
byWill Schroeder
 
Trusts You Might Have Missed - 44con
byWill Schroeder
 
PSConfEU - Building an Empire with PowerShell
byWill Schroeder
 
Drilling deeper with Veil's PowerTools
byWill Schroeder
 
Nemesis - SAINTCON.pdf
byWill Schroeder
 

Recently uploaded

PDF
The Guide on how to pray the rosary and the mysteries.pdf
byGianneCarloIway
 
PPTX
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 
PDF
Meta (Facebook) Extracts Hundreds of Billions of Wealth from European Citizens
byJulieMeyer42
 
PPTX
Cloud Computing ppt - SP.pptx by ankit kumar gurjar
byankitingame
 
PDF
Why Some Online Profiles Cannot Be Found in Search Results
bySocial Searcher
 
PDF
Guide: Essential Google Search Operators
bySocial Searcher
 
PDF
Oracle Services Company in Riyadh - Grey Space Computing
byseoconsultantandy
 
PDF
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
PPTX
7G (7th generation of technology) seminar presentation
bymitalijally6
 
PPT
The Digital Opportunities Taskforce: How to Govern the Internet
byJeffrey Hart
 
The Guide on how to pray the rosary and the mysteries.pdf
byGianneCarloIway
 
Universidad Internacional Villanueva Transcripts
bynxv6x4gd42
 
Meta (Facebook) Extracts Hundreds of Billions of Wealth from European Citizens
byJulieMeyer42
 
Cloud Computing ppt - SP.pptx by ankit kumar gurjar
byankitingame
 
Why Some Online Profiles Cannot Be Found in Search Results
bySocial Searcher
 
Guide: Essential Google Search Operators
bySocial Searcher
 
Oracle Services Company in Riyadh - Grey Space Computing
byseoconsultantandy
 
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
7G (7th generation of technology) seminar presentation
bymitalijally6
 
The Digital Opportunities Taskforce: How to Govern the Internet
byJeffrey Hart
 

Certified Pre-Owned

  • 1.
    Certified Pre-Owned Abusing ActiveDirectory Certificate Services 1 @harmj0y @tifkin_
  • 2.
    tl;dr ➜ Background ➜ AccountPersistence ➜ Domain Escalation ➜ Persistence with “Golden” Certificates 2
  • 3.
    Active Directory CertificateServices ➜ AD CS is a server role that functions as Microsoft’s public key infrastructure (PKI) implementation - Used by organization for smart cards, SSL certificates, code signing, etc. ➜ Clients send certificate signing requests (CSRs) to an (enterprise) CA, which signs issued certificates using the private key for the CA certificate 3
  • 4.
    NTAuthCertificates 4 This is theroot of domain-based certificate auth!
  • 5.
  • 6.
    Certificate Templates ➜ CAsissue certificates with “blueprint” settings defined by certificate templates (stored as AD objects) 6
  • 7.
    Subject Alternative Names(SANs) 7 ➜ Allows additional identities to be bound to a certificate beyond the Subject ➜ Can be dangerous when combined with certificates that allow domain authentication! - AD maps certificates to user accounts using the SAN
  • 8.
    Aren’t Smartcards Required? 8 ➜No! Rubeus and Kekeo support Kerberos authentication using certificates via PKINIT - Schannel authentication also supports certificates (e.g., LDAPS)
  • 9.
    Account Persistence a.k.a. LongTerm LSASS-less Credential Theft 9
  • 10.
    “Passive” Certificate Theft 10 ➜If hardware protection is not used, existing user/machine certificates are stored using DPAPI - Mimikatz and SharpDPAPI can steal such certs/private keys
  • 11.
    “Active” Certificate Theft ➜Users/machines can enroll in any template they have Enroll permissions for - By default the User and Machine templates are available ➜ We want a template that allows for AD authentication - Lets us get a user’s TGT (and NTLM!) - Lets us compromise a computer through RBCD/S4U2Self ➜ We can enroll through DCOM (Certify), RPC, and AD CS web endpoints 11
  • 12.
  • 13.
    Offensive Advantages 13 ➜ Doesn’ttouch lsass.exe’s memory! ➜ Doesn’t need elevation (for user contexts)! ➜ Few existing detection methods! (*currently* lesser known technique : ) ➜ Separate credential material from passwords - Works even if an account changes its password! - Long lifetime. By default, User/Machine templates issue certificates valid for 1 year.
  • 14.
    Domain Escalation Domain User→ Enterprise Admin 14
  • 15.
    Template Misconfigurations: General Requirements ➜The Enterprise CA grants low-privileged users enrollment rights ➜ Low privileged users can enroll in the template - Specified by the certificate template AD object’s security descriptor ➜ Manager approval is disabled ➜ No “authorized signatures” are required 15
  • 16.
    Key Misconfiguration: Templates thatProcess User-Supplied SANs 1. An attacker can specify an arbitrary SAN when requesting a certificate 2. The certificate enables domain authentication 3. The CA creates and signs a certificate using the attacker-supplied SAN 16 Then the attacker can become any account in the domain!
  • 17.
    Escalation Scenarios 17 ➜ ESC1 -General Requirements - [PKINIT] Client Authentication, Smart Card Logon, Any Purpose, or No EKU (i.e., EKU allows auth) - The ENROLLEE_SUPPLIES_SUBJECT flag ➜ ESC2 - General requirements - The Any Purpose EKU or No EKU ➜ ESC3 - General requirements + no “enrollment agent restrictions” - The Certificate Request Agent EKU - Enrollment rights to template with a few other requirements
  • 18.
  • 19.
    Escalation Scenarios (cont.) 19 ➜ESC4 - Vulnerable certificate template access control ➜ ESC5 - Vulnerable PKI object access control ➜ ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on a CA - (Allows CSRs for ANY template to specify a SAN!) ➜ ESC7 - Vulnerable CA access control - The ManageCA permission can be used to fixate ESC6
  • 20.
    ESC8 - NTLMRelay to HTTP Enrollment Endpoints 20 ➜ AD CS web enrollment endpoints are optional roles (but commonly installed) - All of these endpoints are vulnerable to NTLM relay! ➜ If there is a user-enrollable auth template: - Extends the window for user NTLM relay scenarios ➜ If there is a machine-enrollable auth template: - Combine with printer bug for coerced auth - I.e., take over ANY system in the domain running the spooler service!
  • 21.
  • 22.
    “ “We determined your findingis valid but does not meet our bar for a security update release.” -MSRC 22
  • 23.
  • 24.
    Stealing CA PrivateKeys 24 ➜ If the private key for a CA’s certificate is not protected by a TPM/HSM, it’s protected by DPAPI - CAs sign issued certificates with this key ➜ If we can steal private key of any CA cert in NTAuthCertificates, we can forge our own certificates as anyone in the domain! ➜ These forged certs can’t be revoked! - The certs are never actually “issued”! - Forged certs work as long as the CA cert is still valid :)
  • 25.
  • 26.
    Bonus: PKINIT ->NTLM 26 ➜ As part of [MS-PKCA], for backwards compatibility a legitimate certificate can be used to retrieve the associated user/computer’s NTLM hash - First publicly/offensively detailed by @gentilkiwi - Recently integrated into Rubeus by @_ethicalchaos_ and @exploitph ➜ If we combine this with “golden” certificates, we have an alternative way to obtain NTLM credentials for any active user/computer (i.e., an alternative to DCSync)
  • 27.
  • 28.
    Summary 28 ➜ AD CShas a lot of abuse potential! - User credential theft/machine persistence - Domain escalation and persistence ➜ Our 140 page whitepaper has complete details - Includes extensive defensive information and additional architectural considerations - https://bit.ly/3xLziQ9 ➜ Certify and ForgeCert are now live in the GhostPack GitHub organization, along with PSPKIAudit for auditing your environment
  • 29.
    Acknowledgements 29 ➜ Previous work(see the paper for complete details): - Benjamin Delpy, PKISolutions, Christoph Falta, CQURE, Keyfactor, @Elkement, Carl Sörqvist, Brad Hill ➜ Ceri Coburn and Charlie Clark for PKINIT + U2U Rubeus additions ➜ Special thanks to Mark Gamache for collaborating with us on parts of this work
  • 30.