Open cmahrl opened 8 months ago
Hi there, thanks for reporting this. This specific case is captured by PingCastle but only when the msds-MachineAccountQuota is not set to 0, which makes it even easier to exploit. I think Domain Computers on its own is a valid finding too, so I have added this to the backlog for us to implement.
PingCastle does not report when computers are allowed to enroll for vulnerable certificate templates, so a direct critical path to DA remains undetected. e.g.:
1) Flag: EnrolleeSuppliesSubject
2) EKU: Client / Server Authentication
3) Enrollment Rights: Domain Computers
4) PWN
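
The three template conditions listed above, written as a check a scanner could apply to certificate template records. This is an added example, not PingCastle code and not part of the original issue. The record layout (`name_flag`, `ekus`, `enroll_sids`), the template names and the domain SID are constructed for illustration; the flag bit, EKU OIDs and the Domain Computers RID are the standard values.

```python
# Added example: audit logic over constructed template records (not PingCastle code).
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
}
DOMAIN_COMPUTERS_RID = "515"  # well-known RID of the Domain Computers group


def is_domain_computers(sid):
    """True for a domain SID (S-1-5-21-...) whose last sub-authority is 515."""
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_COMPUTERS_RID


def audit_templates(templates, machine_account_quota):
    """Return one finding per template that meets all three conditions from the issue."""
    findings = []
    for t in templates:
        if not t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
            continue  # subject is built by the CA, not supplied by the requester
        ekus = sorted(AUTH_EKUS[o] for o in t["ekus"] if o in AUTH_EKUS)
        if not ekus:
            continue  # certificate carries neither EKU named in the issue
        if not any(is_domain_computers(s) for s in t["enroll_sids"]):
            continue  # Domain Computers holds no enrollment right
        findings.append({
            "template": t["name"],
            "ekus": ekus,
            # Reported whatever the quota is; a quota above 0 only adds context,
            # since ordinary users can then create computer accounts themselves.
            "any_user_can_join_computers": machine_account_quota > 0,
        })
    return findings


# Constructed sample data: the domain SID and template names are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    {"name": "LabMachineAuth", "name_flag": 0x1,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOM + "-515"]},
    {"name": "LabBuiltFromAD", "name_flag": 0x08000000,  # SAN taken from AD DNS name
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOM + "-515"]},
    {"name": "LabAdminsOnly", "name_flag": 0x1,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll_sids": [DOM + "-512"]},
    {"name": "LabCodeSigning", "name_flag": 0x1,
     "ekus": ["1.3.6.1.5.5.7.3.3"], "enroll_sids": [DOM + "-515"]},
]

if __name__ == "__main__":
    for finding in audit_templates(SAMPLE, machine_account_quota=10):
        print(finding)
```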