Showing content from https://github.com/GhostPack/Certify below:

GhostPack/Certify: Active Directory certificate abuse.

Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

@harmj0y and @tifkin_ are the primary authors of Certify and the associated AD CS research (blog and whitepaper).

A command overview and comprehensive usage details can be found on the wiki.

Certify was released at Black Hat 2021 with our "Certified Pre-Owned: Abusing Active Directory Certificate Services" talk.

The TypeRefHash of the current Certify codebase is:

015430f861aaeabd8ede11f450ab472b345883a5b0f5c5d0f92ab8839686db15

The TypeLib GUID of Certify is 15cfadd8-5f6c-424b-81dc-c028312d025f.

This is reflected in the Yara rules currently in this repo.

See our whitepaper for prevention and detection guidance.

We are not planning on releasing binaries for Certify, so you will have to compile yourself :)

Certify has been built against .NET 4.7.2 and is compatible with Visual Studio 2022 Community Edition. Simply open up the project .sln, choose "Release", and build.

Sidenote: Running Certify Through PowerShell

If you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt

Certify can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Certify assembly string):

$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))

The Main() method and any arguments can then be invoked as follows:

[Certify.Program]::Main("enum-templates --filter-enabled --filter-vulnerable".Split())

Sidenote: Running Certify Over PSRemoting

Due to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily, Certify has a function to help with that.

If you follow the instructions in Sidenote: Running Certify Through PowerShell to create a Certify.ps1, append something like the following to the script:

[Certify.Program]::MainString("enum-templates --filter-enabled --filter-vulnerable")

You should then be able to run Certify over PSRemoting with something like the following:

$s = New-PSSession dc.theshire.local
Invoke-Command -Session $s -FilePath C:\Temp\Certify.ps1

Alternatively, Certify's /outfile:C:\FILE.txt argument will redirect all output streams to the specified file.
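
For defenders, the in-memory loading pattern from the two sidenotes and the TypeLib GUID listed above can be hunted for in PowerShell script block text (for example, event 4104 content). The following is an added example, not code from the Certify project: the regular expressions, finding names and sample inputs are constructed for illustration, and it assumes the GUID appears as a plain ASCII or UTF-16LE string inside the compiled assembly.

```python
import base64
import re

# TypeLib GUID quoted on this page; patterns and finding names are this example's own.
CERTIFY_TYPELIB_GUID = "15cfadd8-5f6c-424b-81dc-c028312d025f"
LOADER_RE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)
ENTRY_RE = re.compile(r"\[Certify\.Program\]::Main(?:String)?\(", re.I)
# Quoted literals made only of base64 characters (64+ chars skips short tokens).
B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{64,}={0,2})[\"']")

def contains_guid(blob, guid=CERTIFY_TYPELIB_GUID):
    """Case-insensitive search for the GUID as ASCII or UTF-16LE text."""
    lowered = blob.lower()  # bytes.lower() only touches ASCII letters
    guid = guid.lower()
    return guid.encode("ascii") in lowered or guid.encode("utf-16-le") in lowered

def scan_script_block(text):
    """Return findings for the text of one logged PowerShell script block."""
    findings = []
    if LOADER_RE.search(text):
        findings.append("reflective-assembly-load")
    if ENTRY_RE.search(text):
        findings.append("certify-entry-point")
    for literal in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # looked like base64 but does not decode
        if decoded[:2] == b"MZ":  # DOS header magic of a PE / .NET assembly
            findings.append("embedded-pe")
            if contains_guid(decoded):
                findings.append("certify-typelib-guid")
    return findings

def constructed_payload():
    # Constructed stand-in for an encoded assembly: "MZ", padding, then the GUID.
    fake = b"MZ" + b"\x00" * 64 + CERTIFY_TYPELIB_GUID.upper().encode("ascii")
    return base64.b64encode(fake).decode("ascii")

# Constructed script block samples, not real log data.
SAMPLES = {
    "loader": '$a = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("%s"))'
              % constructed_payload(),
    "invoke": '[Certify.Program]::MainString("enum-templates --filter-enabled --filter-vulnerable")',
    "benign": "Get-ChildItem C:\\Temp | Sort-Object Length",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan_script_block(text))
```

The string-based findings are easy to rename away in a rebuilt assembly, so treat them as triage signals alongside the Yara rules in the repo rather than as a complete detection.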

On the subject of public disclosure, we self-embargoed the release of our offensive tooling (Certify as well as ForgeCert) for ~45 days after we published our whitepaper in order to give organizations a chance to get a grip on the issues surrounding Active Directory Certificate Services. We also preemptively released some Yara rules/IOCs for both projects and released the defensive-focused PSPKIAudit PowerShell project along with the whitepaper. However, we have found that organizations and vendors have historically often not fixed issues or built detections for "theoretical" attacks until someone proves something is possible with a proof of concept.

Certify used a few resources found online as reference and inspiration:

The AD CS work was built on work from a number of others. The whitepaper has a complete treatment, but to summarize:

