Mastering AD CS Security: A Q&A on Attack Techniques and Defense Strategies

Last updated: 2026-05-20 13:17:52

Active Directory Certificate Services (AD CS) is a critical component in many enterprise environments, but misconfigurations can lead to severe security risks. In this Q&A, we explore advanced misuse techniques such as template misconfigurations and shadow credential attacks, as well as behavioral detection methods for defenders. Learn how attackers escalate privileges and how to protect your infrastructure.

What is AD CS Escalation?

AD CS escalation refers to privilege-elevation attacks that exploit weaknesses in Active Directory Certificate Services. Attackers leverage misconfigured certificate templates, overly permissive enrollment rights, or shadow credentials to obtain certificates that authenticate as high-privilege users—such as domain admins. These techniques allow an adversary to bypass traditional security controls and gain persistent, stealthy access. The core issue often lies in default configurations that allow client authentication or let the requester specify an arbitrary subject alternative name (SAN). Once an attacker has obtained a certificate for a privileged account, they can use it to authenticate without ever needing the target's password. Understanding these escalation paths is crucial for defenders who rely on AD CS in their environments.

Mastering AD CS Security: A Q&A on Attack Techniques and Defense Strategies
Source: unit42.paloaltonetworks.com

How Do Attackers Exploit Certificate Template Misconfigurations?

Attackers commonly abuse certificate templates that are misconfigured with dangerous permissions. Key flaws include templates that allow any domain user to enroll while also permitting the requester to specify a subject alternative name (SAN). This combination—sometimes called ESC1—lets an attacker request a certificate for a privileged account (e.g., domain admin) simply by listing that account as the SAN. Other variants include templates that have overly broad enrollment rights (ESC2), or ones that enable Client Authentication without proper constraints (ESC3). These misconfigurations turn a legitimate service into an escalation vector. Defenders must audit template permissions, enrollment rights, and issuance requirements to close these gaps. Automated tools like Certify and PKINITtools are often used by attackers to quickly identify and exploit such templates.

What Are Shadow Credentials and How Are They Abused?

Shadow credentials involve an attacker adding a rogue certificate to a target object’s msDS-KeyCredentialLink attribute. By doing so, they create a credential that allows authentication as that user or computer without needing its password. This technique exploits the fact that AD CS can be used to issue certificates that bind to a specific principal via public key cryptography. The attacker first obtains a certificate for their own machine, then modifies the target attribute to include a new key. Once the shadow credential is set, they can use tools like Whisker or PKINITtools to request a Kerberos TGT as the target principal. This attack is powerful because it provides persistent, passwordless access and can be carried out with only standard enrollment privileges. Behavioral detection focuses on unusual modifications to KeyCredentialLink or abnormal certificate enrollment patterns.

How Can Defenders Detect AD CS Misuse Behaviorally?

Behavioral detection monitors unusual certificate enrollment patterns and modifications to sensitive AD attributes. For example, a sudden spike in certificate requests from a low‑privileged account, or requests that specify a high‑value user as the subject alternative name, can indicate template abuse. Additionally, changes to msDS-KeyCredentialLink on privileged accounts are a strong signal of shadow credential attacks. Defenders can use Windows Security event logs (Event IDs 4768, 4769, 4886, 4887) together with SIEM correlation rules to flag these anomalies. Unit 42’s analysis emphasizes correlating enrollment events with authentication activity: if a certificate is enrolled for a domain admin and then used to authenticate from a non‑domain machine, that is a red flag. By focusing on behavior rather than static signatures, organizations can catch attacks that bypass traditional antivirus or firewall rules.
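The three signals above (privileged SAN in a request, an enrollment spike from one requester, and a certificate logon as a privileged account from a machine outside the inventory) as a correlation rule over constructed, SIEM-normalised events; this is an added example, not code from the Unit 42 article, and the field names it reads (requester, san_upn, serial, cert_serial, account, client_host) are an assumed normalisation rather than the raw EventData schema.

```python
"""Added example, not code from the Unit 42 article: behavioural correlation
over constructed, SIEM-normalised Security events. Event IDs follow the
article (4887 certificate issued, 4768 TGT requested); field names such as
requester, san_upn, serial, cert_serial and client_host are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"administrator", "da-ops"}      # constructed watchlist of high-value accounts
JOINED_HOSTS = {"ws01", "ws02", "dc01"}       # constructed inventory of domain-joined machines
SPIKE_N, SPIKE_WINDOW = 5, timedelta(minutes=10)

def _user(name):
    """Normalise 'CORP\\alice' or 'alice@corp.local' to 'alice'."""
    return name.split("\\")[-1].split("@")[0].lower()

def detect(events):
    """Return (rule, key) alerts: privileged SAN enrolled by someone else,
    enrollment spike per requester, privileged cert logon from unknown host."""
    alerts, issued, times = [], {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4887:
            req, san = _user(ev["requester"]), _user(ev.get("san_upn") or "")
            issued[ev["serial"]] = (req, san)            # remember who got which cert
            if san and san != req and san in PRIVILEGED:
                alerts.append(("PRIV_SAN_ENROLL", ev["serial"]))
            times[req].append(t)
            recent = [x for x in times[req] if t - x <= SPIKE_WINDOW]
            if len(recent) == SPIKE_N:                   # fire once per window
                alerts.append(("ENROLL_SPIKE", req))
        elif ev["id"] == 4768 and ev.get("cert_serial"):   # PKINIT logon carries cert info
            _, san = issued.get(ev["cert_serial"], (None, None))
            logon_as, host = _user(ev["account"]), ev["client_host"].lower()
            if san in PRIVILEGED and logon_as == san and host not in JOINED_HOSTS:
                alerts.append(("PRIV_CERT_LOGON_UNKNOWN_HOST", ev["cert_serial"]))
    return alerts

SAMPLE_EVENTS = [  # constructed sample log, not real data
    {"id": 4887, "time": "2025-01-06T09:00:00", "requester": "CORP\\alice", "serial": "1a"},
    {"id": 4887, "time": "2025-01-06T09:01:00", "requester": "CORP\\bob",
     "san_upn": "administrator@corp.local", "serial": "2b"},
    {"id": 4768, "time": "2025-01-06T09:02:00", "account": "administrator@CORP.LOCAL",
     "cert_serial": "2b", "client_host": "unmanaged-laptop"},
] + [{"id": 4887, "time": f"2025-01-06T09:0{i}:30", "requester": "CORP\\carol", "serial": f"c{i}"}
     for i in range(5)]

if __name__ == "__main__":
    for rule, key in detect(SAMPLE_EVENTS):
        print(f"{rule}: {key}")
```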


Which Tools Are Commonly Used in AD CS Escalation?

Attackers rely on several specialized tools to discover and exploit AD CS weaknesses. Certify (part of the GhostPack suite) enumerates certificate templates, identifies misconfigurations, and automates certificate requests. PKINITtools help attackers request TGTs using the obtained certificates. For shadow credentials, tools like Whisker and pyWhisker allow adding rogue keys to target objects. Additionally, Rubeus can be used to abuse certificates for Kerberos authentication. These tools are often integrated into frameworks such as BloodHound and CrackMapExec for post‑exploitation. Defenders should understand these tools’ behavior to create detection rules—for instance, monitoring for the execution of Certify.exe via EDR alerts, or flagging scripts that modify KeyCredentialLink. Knowing the tooling helps anticipate attack patterns and prioritize defensive controls.

What Are Best Practices to Prevent AD CS Exploitation?

Prevention starts with a thorough audit of certificate template configurations. Disable the “Supply Subject Name” option on templates meant for client authentication, and enforce strong issuance policies (e.g., requiring manager approval). Limit enrollment rights to only those users or groups that genuinely need them. Additionally, enable Key Based Renewal and monitor attribute changes to msDS-KeyCredentialLink. Apply the principle of least privilege: separate certificate enrollment roles from administrative roles. Use Windows Defender for Identity or similar tools to watch for abnormal Kerberos requests. Regularly run tools like PSCertificateEnrollment or the AD CS Audit scripts from the Microsoft Security community to identify vulnerabilities. Finally, keep systems patched, as Microsoft has released updates addressing several escalation techniques (e.g., CVE-2022-26931). A layered defense combining configuration hardening, behavioral monitoring, and incident response readiness significantly reduces the risk of AD CS escalation.
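The template audit described at the start of this answer, written as an added example rather than code from the article: it checks the "Supply Subject Name" flag, a logon-capable EKU, broad enrollment rights and the manager-approval setting, and shows a weak template beside its hardened form. Templates are constructed dicts mirroring pKICertificateTemplate LDAP attributes; the flag constants and EKU OIDs are Microsoft's documented values, while the enroll_principals field is an assumed simplification of the template's security descriptor.

```python
"""Added example, not from the article: an audit of certificate template
settings encoding the hardening advice above. Templates are constructed dicts
mirroring pKICertificateTemplate LDAP attributes; flag constants and EKU OIDs
are Microsoft's documented values, 'enroll_principals' is an assumed field."""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag: "Supply in the request"
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000     # msPKI-Certificate-Name-Flag: SAN built from AD
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: CA manager approval
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",      # Client Authentication
             "1.3.6.1.4.1.311.20.2.2", # Smart Card Logon
             "1.3.6.1.5.2.3.4",        # PKINIT Client Authentication
             "2.5.29.37.0"}            # Any Purpose
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone"}

def audit_template(t):
    """Return findings for one template; an empty list means it passes."""
    findings = []
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    ekus = set(t["pKIExtendedKeyUsage"])
    usable_for_logon = not ekus or bool(ekus & AUTH_EKUS)   # no EKU at all means any purpose
    approval = bool(t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    broad = set(t["enroll_principals"]) & BROAD_PRINCIPALS
    if supplies_subject and usable_for_logon:
        findings.append("SUPPLY_SUBJECT_WITH_LOGON_EKU")     # the ESC1 precondition described above
    if broad:
        findings.append("BROAD_ENROLLMENT:" + ",".join(sorted(broad)))
    if (supplies_subject or broad) and not approval and t.get("msPKI-RA-Signature", 0) == 0:
        findings.append("NO_ISSUANCE_CONTROL")               # neither manager approval nor RA signature
    return findings

WEAK = {  # constructed: the misconfiguration the article calls ESC1
    "name": "UserVPN-legacy",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_principals": ["Domain Users", "CORP\\VPN-Admins"],
}
HARDENED = {**WEAK,  # same template after applying the advice above
    "name": "UserVPN",
    "msPKI-Certificate-Name-Flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
    "enroll_principals": ["CORP\\VPN-Users"],
}

if __name__ == "__main__":
    for tpl in (WEAK, HARDENED):
        print(tpl["name"], audit_template(tpl) or ["OK"])
```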