Source: Unit 42
Author: Stav Setty, Tom Fakterman and Shachar Roitman
URL: https://origin-unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/
ONE SENTENCE SUMMARY:
AD CS misconfigurations enable stealthy certificate-based privilege escalation and persistence, detectable through correlated telemetry, behavioral analytics, and targeted Windows event monitoring.
MAIN POINTS:
- AD CS underpins PKI authentication and encryption but often ships with insecure defaults.
- Misconfigured certificate templates can grant unintended, long-lived privileged authentication capabilities.
- Adversaries exploit native issuance workflows rather than zero-days or malware.
- Under-monitoring and configuration complexity create persistent blind spots for defenders.
- Attack lifecycle spans initial access, discovery, exploitation, escalation, lateral movement, and persistence.
- ESC1 abuses templates that allow low-privileged enrollment, let the enrollee supply the subject alternative name (SAN), and carry an authentication EKU.
- Shadow credentials persist by adding attacker keys to msDS-KeyCredentialLink for passwordless access.
- PKINIT enables Kerberos ticket requests using certificates, facilitating impersonation and lateral movement.
- Tools like Certify, Certipy, Whisker, and PKINITtools industrialize AD CS exploitation.
- Detection requires correlating certificate events, LDAP reconnaissance, directory changes, and Kerberos activity.
TAKEAWAYS:
- Harden templates by removing broad enrollment rights and disabling ENROLLEE_SUPPLIES_SUBJECT where unnecessary.
- Investigate mismatches between requester identity and issued certificate subject as strong abuse indicators.
- Monitor Event IDs 4886/4887/4898/5136/4768/4769 plus LDAP client/server query logs.
- Treat unusual LDAP enumeration of pKICertificateTemplate and msDS-KeyCredentialLink as early warning.
- Combine posture management with behavior-based detection to catch stealthy, certificate-driven persistence.
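The two detection takeaways above (a requester whose identity does not match the issued certificate's subject, and unexpected writes to msDS-KeyCredentialLink) can be turned into simple correlation logic. The following is an added example written for this summary, not code from the Unit 42 article or from Certify/Certipy/Whisker. It runs over constructed, simplified renderings of Event ID 4887 (certificate issued) and 5136 (directory object modified); the field names (`requester`, `san`, `actor`, `attribute`) and the set of accounts expected to write key credentials are assumptions for illustration, not the real Windows Security log schema.

```python
"""Correlate constructed AD CS and directory-change events to surface two of the
abuse indicators named in the summary: requester/SAN identity mismatches on issued
certificates (ESC1-style) and unexpected writes to msDS-KeyCredentialLink
(shadow credentials). Example code, not the article's or any tool's own code."""
from __future__ import annotations

import re

# Constructed sample events (not real telemetry). Field names are a simplified
# rendering of the relevant Windows Security log fields for each event ID:
#   4887 - certificate issued by the CA
#   5136 - directory service object modified
SAMPLE_EVENTS = [
    # Normal self-enrollment: requester and UPN in the SAN agree.
    {"id": 4887, "requester": "CORP\\jdoe", "template": "User",
     "subject": "CN=jdoe", "san": "upn:jdoe@corp.example"},
    # Suspicious: low-privileged requester obtains a certificate whose SAN
    # names a different (privileged) account.
    {"id": 4887, "requester": "CORP\\jdoe", "template": "VPN-Users",
     "subject": "CN=jdoe", "san": "upn:administrator@corp.example"},
    # Suspicious: a user account writes a key credential onto a server object.
    {"id": 5136, "actor": "CORP\\jdoe",
     "object": "CN=FILESRV01,OU=Servers,DC=corp,DC=example",
     "attribute": "msDS-KeyCredentialLink", "operation": "add"},
    # Expected: a (hypothetical) device-provisioning service account does the same.
    {"id": 5136, "actor": "CORP\\svc-provision",
     "object": "CN=LAPTOP07,OU=Workstations,DC=corp,DC=example",
     "attribute": "msDS-KeyCredentialLink", "operation": "add"},
]

# Matches the account part of every "upn:<name>@<realm>" entry in a SAN string.
UPN_RE = re.compile(r"upn:([^@\s,]+)@", re.IGNORECASE)


def account_name(principal: str) -> str:
    """Normalise 'CORP\\jdoe' or 'jdoe@corp.example' to 'jdoe' for comparison."""
    name = principal.split("\\")[-1]
    return name.split("@")[0].lower()


def upn_accounts(san: str) -> list[str]:
    """Return the lower-cased account parts of all UPN entries in a SAN field."""
    return [m.lower() for m in UPN_RE.findall(san)]


def find_san_mismatches(events: list[dict]) -> list[dict]:
    """Flag 4887 events where a UPN in the SAN names someone other than the requester."""
    findings = []
    for ev in events:
        if ev.get("id") != 4887:
            continue
        requester = account_name(ev["requester"])
        for upn in upn_accounts(ev.get("san", "")):
            if upn != requester:
                findings.append({
                    "indicator": "requester/SAN mismatch",
                    "requester": ev["requester"],
                    "san_account": upn,
                    "template": ev["template"],
                })
    return findings


def find_key_credential_changes(events: list[dict], expected_writers: set[str]) -> list[dict]:
    """Flag 5136 events that modify msDS-KeyCredentialLink from an unexpected actor.

    expected_writers is an assumed allow-list (e.g. device-provisioning service
    accounts); in a real deployment it comes from the environment's baseline."""
    findings = []
    for ev in events:
        if ev.get("id") != 5136:
            continue
        if ev.get("attribute", "").lower() != "msds-keycredentiallink":
            continue
        if ev["actor"] in expected_writers:
            continue
        findings.append({
            "indicator": "unexpected msDS-KeyCredentialLink write",
            "actor": ev["actor"],
            "object": ev["object"],
            "operation": ev["operation"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_san_mismatches(SAMPLE_EVENTS):
        print(finding)
    for finding in find_key_credential_changes(SAMPLE_EVENTS, {"CORP\\svc-provision"}):
        print(finding)
```

Both checks are deliberately narrow: the SAN check only compares UPN entries, so a DNS-only SAN on a machine certificate produces no finding, and the key-credential check relies on an explicit baseline of accounts that legitimately write that attribute. In practice each finding would be joined with the matching 4886 request, the 4898 template load, and any subsequent 4768 TGT request using the certificate to confirm the chain the summary describes.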