AD CS Escalation and Misuse: Key Questions on Techniques, Tools, and Detection
Active Directory Certificate Services (AD CS) is a critical component for issuing and managing certificates in Windows domains. However, misconfigurations in certificate templates and the abuse of shadow credentials have become prime vectors for privilege escalation by attackers. Unit 42's research highlights how these advanced techniques are exploited and provides behavioral detection strategies for defenders. This Q&A covers the core concepts, common attack paths, tools involved, and practical defensive measures.
1. What is AD CS and why is it a target for escalation?
AD CS (Active Directory Certificate Services) is Microsoft's public key infrastructure (PKI) implementation that issues, manages, and revokes digital certificates. In many organizations, AD CS is used for smart card authentication, TLS certificates, and more. Attackers target AD CS because it often runs with high-privilege service accounts and can be exploited through template misconfigurations or shadow credentials. For example, if a certificate template allows requesters to specify arbitrary subject names (as in the well-known ESC1 vulnerability), an attacker can request a certificate that impersonates a domain admin. Since certificates are trusted for authentication, this grants the attacker elevated access without needing passwords. The potential for lateral movement and domain-wide compromise makes AD CS a high-value target.

2. How do certificate template misconfigurations enable privilege escalation?
Certificate templates define what certificates can be requested and by whom. Misconfigurations that bypass critical security checks create escalation paths. Common examples include ESC1 (the requester can specify the subject alternative name, allowing impersonation) and ESC3 (the configuration permits enrollment agent delegation, so an attacker can request certificates on behalf of any user). Other variants, such as ESC8, exploit network authentication to the CA Web Enrollment endpoint. Attackers abuse these by using tools such as Certipy to enumerate vulnerable templates, request certificates with privileged identities, and then perform Kerberos authentication using those certificates. The result is that a low-privileged user can gain domain admin rights. Defenders must regularly audit template permissions, ensure that 'Manage Certificates' and enrollment rights are restricted, and disable vulnerable usage flags.
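As an added example (not code from the article, and not Certipy's own logic), the following Python audits template records for the ESC1 and ESC3 conditions described above. The attribute names (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) and flag bits are the ones AD CS stores in the configuration partition; the `enroll_sids` list is an assumed simplification of the nTSecurityDescriptor ACEs that grant the Enroll right, and the template names and SIDs are constructed.

```python
"""Audit AD CS certificate templates for ESC1 / ESC3 conditions.

Added example, not from the original article. Template records are dicts
mirroring the LDAP attributes of a template object; 'enroll_sids' is a
simplification of the security descriptor ACEs granting Enroll.
"""

# Bit flags from MS-CRTD
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag: requester supplies subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval required

# EKU OIDs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",         # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",    # Smart Card Logon
    "1.3.6.1.5.2.3.4",           # PKINIT Client Authentication
    "2.5.29.37.0",               # Any Purpose
}
ENROLLMENT_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent (ESC3)

# Principals that effectively mean "any domain account" when granted Enroll
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}            # Domain Users, Domain Computers


def low_priv_can_enroll(template):
    """True if a broad principal holds the Enroll right on the template."""
    for sid in template.get("enroll_sids", []):
        if sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS:
            return True
    return False


def requires_approval_or_signature(template):
    """Manager approval or a required authorized signature blocks unattended issuance."""
    if template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        return True
    return template.get("msPKI-RA-Signature", 0) > 0


def audit_template(template):
    """Return the list of escalation conditions the template satisfies."""
    findings = []
    if not low_priv_can_enroll(template) or requires_approval_or_signature(template):
        return findings
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    supplies_subject = template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    # ESC1: requester picks the SAN and the certificate works for authentication
    # (an empty EKU list means "any purpose", so it counts too)
    if supplies_subject and (ekus & AUTH_EKUS or not ekus):
        findings.append("ESC1")
    # ESC3: low-privileged accounts can obtain an enrollment agent certificate
    if ENROLLMENT_AGENT_EKU in ekus:
        findings.append("ESC3")
    return findings


def audit_all(templates):
    """Map template name -> findings for a batch of template records."""
    return {t["name"]: audit_template(t) for t in templates}


# Constructed sample templates (names and SIDs are made up)
SAMPLE_TEMPLATES = [
    {   # ESC1-style: Domain Users enroll, subject supplied by requester, client auth, no approval
        "name": "VulnWebUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-1111-2222-3333-513"],
    },
    {   # Same flags but manager approval required: not issuable unattended
        "name": "ApprovedUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-11"],
    },
    {   # ESC3-style: Authenticated Users can enroll for a Request Agent certificate
        "name": "OpenAgent", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.1"],
        "enroll_sids": ["S-1-5-11"],
    },
    {   # Hardened: only a dedicated group (RID 1105, constructed) may enroll
        "name": "RestrictedAdmin", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": ["S-1-5-21-1111-2222-3333-1105"],
    },
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings) or 'no finding'}")
```

In a real audit the records would come from an LDAP query of CN=Certificate Templates,CN=Public Key Services under the configuration naming context, and the enrollment check would walk the security descriptor rather than a pre-extracted SID list; the flag and OID constants are the same.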
3. What are shadow credentials and how are they abused in AD CS?
Shadow credentials refer to a technique where an attacker adds a malicious certificate to an existing user or computer's msDS-KeyCredentialLink attribute. This attribute is designed for PKINIT (public key cryptography for Kerberos) support. By adding their own certificate, the attacker can then request Kerberos tickets as that account without needing the original password. The attack often starts with control of a computer object or an account that has write permission to the attribute. Once the shadow credential is in place, the attacker uses tools like Impacket or Certipy to authenticate via PKINIT and obtain a TGT for the target. This effectively bypasses password changes and MFA, making it a stealthy persistence mechanism. Defenders can monitor for modifications to the msDS-KeyCredentialLink attribute through advanced auditing and SIEM alerts.
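To make the attribute concrete, here is an added example (not code from the article, and not from any of the tools it names) that decodes an msDS-KeyCredentialLink value so a defender can see which key credentials sit on an account and when they were created. The DN-Binary wrapper and the KEYCREDENTIALLINK_BLOB entry layout are taken from MS-ADTS; the sample value is constructed with the `build_blob` helper, and the DN, device id and timestamp in it are made up.

```python
"""Decode msDS-KeyCredentialLink values for defender review.

Added example, not from the original article. The attribute is stored as
DN-Binary ("B:<hex length>:<hex>:<DN>"); the binary part is a
KEYCREDENTIALLINK_BLOB (MS-ADTS 2.2.20): a 4-byte version (0x200) then
entries of (uint16 length, uint8 identifier, value).
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

KCL_VERSION = 0x200
ENTRY_NAMES = {
    0x01: "KeyID", 0x02: "KeyHash", 0x03: "KeyMaterial", 0x04: "KeyUsage",
    0x05: "KeySource", 0x06: "DeviceId", 0x07: "CustomKeyInformation",
    0x08: "KeyApproximateLastLogonTimeStamp", 0x09: "KeyCreationTime",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH          # integer arithmetic keeps the value exact
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_blob(blob):
    """Parse a KEYCREDENTIALLINK_BLOB into a dict keyed by entry name."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != KCL_VERSION:
        raise ValueError(f"unexpected KeyCredentialLink version {version:#x}")
    entries, off = {}, 4
    while off < len(blob):
        length, ident = struct.unpack_from("<HB", blob, off)
        off += 3
        value = blob[off:off + length]
        if len(value) != length:
            raise ValueError("truncated entry")
        off += length
        name = ENTRY_NAMES.get(ident, f"Unknown_{ident:#04x}")
        if ident == 0x06:                 # DeviceId is a little-endian GUID
            entries[name] = str(uuid.UUID(bytes_le=value))
        elif ident in (0x08, 0x09):       # FILETIME fields
            entries[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif ident in (0x04, 0x05):       # single-byte enums (KeyUsage, KeySource)
            entries[name] = value[0]
        else:
            entries[name] = value.hex()
    return entries


def parse_dn_binary(value):
    """Split a DN-Binary string and decode its blob; returns (DN, entries)."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] != "B":
        raise ValueError("not a DN-Binary value")
    hex_len, hex_data, dn = int(parts[1]), parts[2], parts[3]
    if len(hex_data) != hex_len:
        raise ValueError("DN-Binary length field does not match data")
    return dn, parse_blob(bytes.fromhex(hex_data))


def recently_added_keys(values, now, max_age=timedelta(days=7)):
    """Triage helper: (DN, DeviceId, created) for keys created within max_age of now."""
    hits = []
    for v in values:
        dn, entries = parse_dn_binary(v)
        created = entries.get("KeyCreationTime")
        if created is not None and now - created <= max_age:
            hits.append((dn, entries.get("DeviceId"), created))
    return hits


def build_blob(entries):
    """Encode (identifier, value bytes) pairs; used here only to build the sample."""
    out = struct.pack("<I", KCL_VERSION)
    for ident, val in entries:
        out += struct.pack("<HB", len(val), ident) + val
    return out


# Constructed sample: one key credential on a computer object (all values made up)
SAMPLE_DN = "CN=SRV02,CN=Computers,DC=corp,DC=example"
SAMPLE_DEVICE_ID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
SAMPLE_CREATED = datetime(2024, 5, 1, 9, 12, 30, tzinfo=timezone.utc)
_blob = build_blob([
    (0x01, bytes(32)),                          # KeyID placeholder (really SHA-256 of the key)
    (0x03, b"\x30\x82\x01\x22" + bytes(16)),    # KeyMaterial placeholder (truncated DER)
    (0x04, b"\x01"),                            # KeyUsage 1 = NGC
    (0x05, b"\x00"),                            # KeySource 0 = AD
    (0x06, SAMPLE_DEVICE_ID.bytes_le),          # DeviceId
    (0x09, struct.pack("<Q", datetime_to_filetime(SAMPLE_CREATED))),
])
SAMPLE_VALUE = f"B:{len(_blob.hex())}:{_blob.hex()}:{SAMPLE_DN}"

if __name__ == "__main__":
    dn, entries = parse_dn_binary(SAMPLE_VALUE)
    print(dn)
    for k, v in entries.items():
        print(f"  {k}: {v}")
```

Run against values pulled from a directory export, `recently_added_keys` gives a quick list of accounts whose key credentials appeared inside a review window; a key on an account that has no Windows Hello or device-registration reason to carry one is what to follow up on.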
4. Which tools are commonly used for AD CS exploitation?
The most prominent tool is Certipy, a Python tool that automates enumeration and exploitation of AD CS misconfigurations, including ESC1, ESC3, and shadow credential attacks. Another widely used tool is PsPKI, part of PowerSploit, which provides PowerShell modules for abusing PKI infrastructure. Additionally, attackers often rely on Impacket's PKINIT functionality for Kerberos ticket requests and Mimikatz for manipulating certificates and keys in memory. For shadow credentials, the pyWhisker script (from the BloodHound community) can add fake certificates to the msDS-KeyCredentialLink attribute. These tools are effective because they automate the complex steps of template analysis, certificate request, and ticket retrieval. Defenders need to be aware of their signatures and behavior patterns to detect misuse.

5. How can defenders detect AD CS misuse through behavioral analysis?
Behavioral detection focuses on anomalous actions rather than static signatures. For AD CS, defenders should monitor Windows Event IDs 4886 and 4887 (certificate request received and certificate issued) for unusual certificate requests, especially those from low-privileged users requesting templates that allow impersonation. Additionally, Event ID 4624 (logon type 11, cached interactive) can indicate use of a certificate to authenticate. For shadow credentials, monitor Event ID 5136 (directory service object modified) for writes to the msDS-KeyCredentialLink attribute. Unit 42 emphasizes that behavioral detection correlates these events with other activity, such as unknown tools (e.g., Certipy binaries) being executed or unusual network connections to CA endpoints. By creating baselines and alerting on deviations, SOC teams can catch attacks early.
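The correlation described here, and the msDS-KeyCredentialLink monitoring recommended in the shadow credentials answer above, can be expressed as a few rules over the named events. The following is an added example (not Unit 42's detection content and not code from the article) written in Python over constructed event records: 4886/4887 certificate requests checked against a per-template enrollment baseline, 5136 writes to msDS-KeyCredentialLink flagged when made by a principal other than the account itself or repeated within a short window, and 4768 TGT requests whose pre-authentication type is PKINIT (16 or 17, PA-PK-AS-REQ) correlated with a recent key credential write. The field names are simplified; in particular the `target` field assumes the 5136 ObjectDN has already been resolved to an account name, and every account, host and timestamp is made up.

```python
"""Correlate AD CS and Kerberos events into behavioural alerts.

Added example, not from the original article. Events are constructed
dicts carrying only the fields the rules need. 4886/4887: certificate
request received / issued; 5136: directory service object modified;
4768: TGT requested (pre-auth type 16 or 17 = PKINIT).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_TEMPLATES = {"VulnWebUser"}   # constructed name of a template with ESC1 conditions
PKINIT_PREAUTH_TYPES = {16, 17}
WINDOW = timedelta(minutes=10)


def norm(account):
    """Normalise names so SRV02$ (from 4768) and SRV02 (resolved DN) compare equal."""
    return account.lower().rstrip("$")


def detect(events, baseline_enrollers):
    """Return alert dicts with 'rule', 'account' and 'time'.

    baseline_enrollers maps template name -> set of accounts that have
    historically enrolled for it; that set is the behavioural baseline.
    """
    alerts, seen = [], set()          # seen dedupes (rule, account) pairs
    kcl_writes = defaultdict(list)    # target account -> times of KeyCredentialLink writes

    def raise_alert(rule, account, time):
        if (rule, account) not in seen:
            seen.add((rule, account))
            alerts.append({"rule": rule, "account": account, "time": time})

    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] in (4886, 4887):
            # Sensitive template requested by an account with no enrollment history
            template, requester = e["template"], norm(e["requester"])
            if template in SENSITIVE_TEMPLATES and \
                    requester not in baseline_enrollers.get(template, set()):
                raise_alert("sensitive_template_first_request", requester, e["time"])
        elif e["id"] == 5136 and e["attribute"] == "msDS-KeyCredentialLink":
            target, subject = norm(e["target"]), norm(e["subject"])
            kcl_writes[target].append(t)
            # An account maintaining its own key credential is the expected pattern;
            # another principal writing the attribute is the shadow credential footprint
            if subject != target:
                raise_alert("kcl_write_by_other_principal", target, e["time"])
            if sum(1 for x in kcl_writes[target] if t - x <= WINDOW) >= 2:
                raise_alert("repeated_kcl_writes", target, e["time"])
        elif e["id"] == 4768 and e["preauth_type"] in PKINIT_PREAUTH_TYPES:
            account = norm(e["account"])
            # PKINIT TGT for an account whose key credential was just modified
            if any(t - x <= WINDOW for x in kcl_writes.get(account, [])):
                raise_alert("pkinit_after_kcl_write", account, e["time"])
    return alerts


# Constructed sample events (accounts, hosts and times are made up)
SAMPLE_EVENTS = [
    {"id": 4886, "time": "2024-05-01T09:00:00", "requester": "alice", "template": "WebServer"},
    {"id": 4886, "time": "2024-05-01T09:05:00", "requester": "bob", "template": "VulnWebUser"},
    {"id": 4887, "time": "2024-05-01T09:05:30", "requester": "bob", "template": "VulnWebUser"},
    {"id": 5136, "time": "2024-05-01T09:10:00", "subject": "SRV01$", "target": "SRV01",
     "attribute": "msDS-KeyCredentialLink"},
    {"id": 5136, "time": "2024-05-01T09:12:00", "subject": "mallory", "target": "SRV02",
     "attribute": "msDS-KeyCredentialLink"},
    {"id": 5136, "time": "2024-05-01T09:13:00", "subject": "mallory", "target": "SRV02",
     "attribute": "msDS-KeyCredentialLink"},
    {"id": 4768, "time": "2024-05-01T09:15:00", "account": "SRV02$", "preauth_type": 17},
    {"id": 4768, "time": "2024-05-01T09:20:00", "account": "alice", "preauth_type": 2},
]
# Historical enrollers per template: bob has never requested VulnWebUser
BASELINE = {"VulnWebUser": {"pkiadmin"}}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE):
        print(f"{a['time']} {a['rule']:34} {a['account']}")
```

On the sample, alice's routine request and SRV01's self-maintained key credential produce nothing, while bob's first request for the sensitive template, mallory's writes to SRV02's key credential, and the PKINIT TGT for SRV02 minutes later each raise an alert. The same rules translate directly into SIEM correlation searches keyed on the event fields named in the comments.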
6. What are best practices to harden AD CS against these attacks?
Securing AD CS requires multiple layers. First, review and harden certificate templates: disable templates that allow subject alt name specification (set to "Not permitted") and restrict enrollment rights to authorized users. Second, apply the principle of least privilege to the CA service account—never run it as a domain admin. Third, disable weak cryptographic algorithms like SHA-1 and enforce key length minimums. Fourth, enable auditing for certificate operations and LDAP attribute changes. Fifth, use CA certificate revocation and OCSP to revoke compromised certificates quickly. Finally, regularly test configurations using tools like Certipy in a lab environment to identify vulnerabilities before attackers do. These steps significantly reduce the attack surface for template and shadow credential abuse.
7. Why is behavioral detection specifically recommended for AD CS threats?
Behavioral detection is effective for AD CS because attackers often use legitimate tools and processes (e.g., certutil.exe, PowerShell) to request certificates, making signature-based detection unreliable. By focusing on what happens (e.g., a user without prior certificate enrollment history suddenly requesting a sensitive template) rather than which program is used, defenders can catch novel attacks. Moreover, since many escalation techniques (like shadow credentials) leave unique behavioral footprints—such as repeated LDAP writes to the same attribute or unusual Kerberos TGT requests with PKINIT—behavioral models can flag these anomalies. Unit 42's approach combines historical analysis with real-time correlation, enabling detection of both known and zero-day techniques. This proactive stance is critical in modern environments where AD CS is a common target for advanced persistent threats.