Stifle : A Post-Exploitation Tool For Explicit Certificate Mapping In Active Directory

Stifle is a specialized .NET utility designed for post-exploitation scenarios, enabling attackers or penetration testers to exploit explicit certificate mapping in Active Directory (AD).

This tool leverages the altSecurityIdentities attribute of AD objects, allowing authentication as a target object using a pre-obtained certificate.

Explicit certificate mappings are a key aspect of Active Directory Certificate Services (ADCS), which facilitates secure communication and authentication through public key infrastructure (PKI).

Functionality And Use

Stifle simplifies the process of adding or clearing explicit certificate mappings on AD objects. Its primary features include:

• Adding Explicit Certificate Mapping: This involves writing the altSecurityIdentities attribute with a certificate and its password. For example:

  Stifle.exe add /object:target /certificate:MIIMrQI... /password:P@ssw0rd

• Clearing Explicit Certificate Mapping: Removes the mapping by clearing the altSecurityIdentities attribute:

  Stifle.exe clear /object:target

Workflow Overview

1. Requesting a Certificate: Use tools like Certify.exe to request a machine account certificate from ADCS. The certificate must be mapped to the target object.

   Certify.exe request /ca:lab.lan\lab-dc01-ca /template:Machine /machine

2. Certificate Conversion: Convert the obtained certificate to base64 .pfx format using OpenSSL:

   openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export | base64 -w 0

3. Mapping with Stifle: Add the explicit mapping by providing the converted certificate and password to Stifle.
4. Authentication with Rubeus: After mapping, request a Kerberos Ticket Granting Ticket (TGT) using PKINIT authentication via Rubeus:

   Rubeus.exe asktgt /user:target /certificate:MIIMrQI... /password:P@ssw0rd

Explicit certificate mapping in AD allows associating certificates with user or computer accounts for authentication purposes. While this capability enhances security, it also introduces risks when misused.

Attackers can exploit write access to the altSecurityIdentities attribute to impersonate accounts, as demonstrated by techniques like ESC14.

Stifle addresses gaps in existing tooling by providing a streamlined .NET-based solution for exploiting this attack vector.

However, its misuse underscores the importance of securing ADCS configurations and monitoring access to sensitive attributes like altSecurityIdentities.