PSPKIAudit: PowerShell toolkit for AD CS auditing
PowerShell toolkit for auditing Active Directory Certificate Services (AD CS).
It is built on top of PKISolution‘s PSPKI toolkit (Microsoft Public License). This repo contains a newer version of PSPKI than what’s available in the PSGallery (see the PSPKI directory). Vadims Podans (the creator of PSPKI) graciously provided this version as it contains patches for several bugs.
This README is only meant as a starting point- for complete details and defensive guidance, please see the “Certified Pre-Owned” whitepaper.
The module contains the following main functions:
- Invoke-PKIAudit – Audits the current Forest’s AD CS settings, primarily analyzing the CA server and published templates for potential privilege escalation opportunities.
- Get-CertRequest – Examines a CA’s issued certificates by querying the CA’s database. The primary intention is to discover certificate requests that may have abused a certificate template privilege escalation vulnerability. In addition, if a user or computer is compromised, incident responders can use it to find certificates the CA server had issued to the compromised user/computer (which should then be revoked).
WARNING: This code is beta! We are confident that Invoke-PKIAudit will not impact the environment as the amount of data it queries is quite limited. We have not done rigorous testing with Get-CertRequest against typical CA server workloads. Get-CertRequest queries the CA’s database directly and may have to process thousands of results, which might impact performance.