docs: add note in ESC6 abuse info

SpecterOps · Jan 26, 2024 · 0a20545 · 0a20545
1 parent 7dea7cd
commit 0a20545
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 0 deletions.
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/LinuxAbuse.tsx
@@ -30,6 +30,15 @@ const LinuxAbuse: FC = () => {
                     'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local'
                 }
             </Typography>
+            <Typography variant='body2'>
+                If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+                cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+                not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+                'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+                be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+                attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+                default.
+            </Typography>
             <Typography variant='body2'>
                 <b>Step 2</b>: Request a ticket granting ticket (TGT) from the domain, specifying the certificate
                 created in Step 1 and the IP of a domain controller:

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
@@ -30,6 +30,15 @@ const WindowsAbuse: FC = () => {
                     '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
                 }
             </Typography>
+            <Typography variant='body2'>
+                If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+                cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+                not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+                'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+                be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+                attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+                default.
+            </Typography>
             <Typography variant='body2'>
                 <b>Step 2</b>: Convert the emitted certificate to PFX format:
             </Typography>

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/LinuxAbuse.tsx
@@ -33,6 +33,15 @@ const LinuxAbuse: FC = () => {
                     'certipy req -u john@corp.local -p Passw0rd -ca corp-DC-CA -target ca.corp.local -template ESC6 -upn administrator@corp.local'
                 }
             </Typography>
+            <Typography variant='body2'>
+                If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+                cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+                not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+                'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+                be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+                attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+                default.
+            </Typography>
             <Typography variant='body2'>
                 <Box component='span' sx={{ fontWeight: 'bold' }}>
                     Step 2:

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
@@ -33,6 +33,15 @@ const WindowsAbuse: FC = () => {
                     '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
                 }
             </Typography>
+            <Typography variant='body2'>
+                If the enrollment fails with an error message stating that the Email or DNS name is unavailable and
+                cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does
+                not have their 'mail' or 'dNSHostName' attribute set, which is required by the certificate template. The
+                'mail' attribute can be set on both user and computer objects but the 'dNSHostName' attribute can only
+                be set on computer objects. Computers have validated write permission to their own 'dNSHostName'
+                attribute by default, but neither users nor computers can write to their own 'mail' attribute by
+                default.
+            </Typography>
             <Typography variant='body2'>
                 <Box component='span' sx={{ fontWeight: 'bold' }}>
                     Step 2: