2026-05-14 09:55:18

Active Directory Certificate Services Attacks: Template Exploitation and Shadow Credential Misuse

Analysis of AD CS attack techniques including certificate template misconfigurations and shadow credential misuse, with detection guidance for security teams.

Overview of AD CS Escalation

Active Directory Certificate Services (AD CS) is a critical component in many enterprise environments, providing the infrastructure for managing digital certificates. However, its complexity and the trust placed in certificates make it a prime target for attackers. Unit 42 researchers have analyzed common exploitation paths, focusing on two key areas: certificate template misconfigurations and shadow credential misuse. Understanding these techniques is essential for defenders to implement effective behavioral detection.

Active Directory Certificate Services Attacks: Template Exploitation and Shadow Credential Misuse
Source: unit42.paloaltonetworks.com

Certificate Template Abuses

Certificate templates define policies for certificate issuance, including enrollment rights, key usage, and authorization requirements. Misconfigurations in these templates can allow low-privileged users to obtain certificates with elevated permissions. Common flaws include:

  • Enrollment rights too permissive: Templates that allow any authenticated user to enroll, even for high-value certificate types.
  • Weak issuance requirements: Lack of manager approval or insufficient proof of identity.
  • Incorrect key usage: Templates permitting client authentication or smartcard logon when not needed, enabling lateral movement.

Attackers use tools like Certipy or PKINITtools to enumerate templates, identify vulnerable configurations, and request certificates that grant domain admin-like privileges. Once obtained, these certificates can be used for Kerberos authentication (PKINIT) or NT hash retrieval via DPAPI.
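The three flaw categories above can be checked mechanically against the template attributes they correspond to. The following is an added example (not Unit 42's code, and not Certipy's): it takes a list of dicts shaped like a few attributes of pKICertificateTemplate objects plus the principals holding the Enroll right, and rates each template. The flag bit values and EKU OIDs are the documented Microsoft values; the sample templates are constructed for illustration, not exported from a real domain.

```python
"""Audit AD CS certificate templates for the risky combinations described above.

Added example, not Unit 42 code. Each template is a dict mimicking a few
attributes of a pKICertificateTemplate object plus the principals holding the
Enroll right; SAMPLE_TEMPLATES are constructed, not exported from a domain.
"""

# Bit values from Microsoft's documentation of the two template flag attributes.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval

# Extended Key Usage OIDs that make an issued certificate usable for authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals whose Enroll right amounts to "any domain member".
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def assess_template(t):
    """Return individual findings plus an overall risk rating for one template."""
    findings = {
        "broad_enrollment": any(p in LOW_PRIV_PRINCIPALS for p in t["enroll"]),
        "enrollee_supplies_subject": bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t["ra_signatures"] == 0,
        # An empty EKU list means "all purposes", which includes authentication.
        "auth_eku": not t["eku"] or bool(set(t["eku"]) & AUTH_EKUS),
    }
    unchecked = findings["no_manager_approval"] and findings["no_authorized_signatures"]
    if (findings["broad_enrollment"] and unchecked
            and findings["enrollee_supplies_subject"] and findings["auth_eku"]):
        risk = "high"    # any member can obtain a logon-capable cert naming a chosen identity
    elif findings["broad_enrollment"] and unchecked and findings["enrollee_supplies_subject"]:
        risk = "medium"  # subject is requester-chosen, but the cert cannot be used to log on
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


def audit_templates(templates):
    return {t["name"]: assess_template(t) for t in templates}


SAMPLE_TEMPLATES = [  # constructed samples
    # Default-style user template: broad enrollment, but the subject is built from AD.
    {"name": "User", "enroll": ["Domain Users"], "name_flag": 0xA6000000,
     "enrollment_flag": 0x29, "ra_signatures": 0,
     "eku": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]},
    # Requester picks the subject, but only server authentication is allowed.
    {"name": "WebServer-Legacy", "enroll": ["Authenticated Users"], "name_flag": 0x1,
     "enrollment_flag": 0x0, "ra_signatures": 0, "eku": ["1.3.6.1.5.5.7.3.1"]},
    # The dangerous combination: broad enrollment, requester-chosen subject, logon EKU, no approval.
    {"name": "VPN-ClientAuth", "enroll": ["Domain Users"], "name_flag": 0x1,
     "enrollment_flag": 0x0, "ra_signatures": 0, "eku": ["1.3.6.1.5.5.7.3.2"]},
    # Properly restricted: admins only, manager approval and a signature required.
    {"name": "Admin-Smartcard", "enroll": ["Domain Admins"], "name_flag": 0x1,
     "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signatures": 1,
     "eku": ["1.3.6.1.4.1.311.20.2.2"]},
]

if __name__ == "__main__":
    for name, result in audit_templates(SAMPLE_TEMPLATES).items():
        flagged = ", ".join(k for k, v in result["findings"].items() if v)
        print(f"{name:18} {result['risk']:6} {flagged}")
```

The rating deliberately keys on the combination rather than any single attribute: a broadly enrollable template with a client-authentication EKU (the default User template) is recorded as a finding but rated low as long as the subject is taken from the directory, while a template that lets the requester choose the subject is rated medium or high depending on whether the resulting certificate can be used to authenticate.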

Shadow Credential Misuse

Shadow credentials refer to the practice of creating or stealing certificate-based credentials outside the standard certificate lifecycle. Attackers exploit weak ACLs on AD objects to modify certificate attributes or import rogue certificates. Techniques include:

  1. Forging certificates: Using stolen CA private keys or misconfigured subordinate CAs to create valid certificates for any user.
  2. Abusing the msPKI-Certificate-Name-Flag: Manipulating user objects to associate unauthorized certificates, effectively creating a shadow identity.
  3. Golden Certificate attacks: Compromising the CA’s private key to forge certificates with arbitrary identities and permissions.

These methods bypass traditional password-based security, making detection challenging. The Shadow Credentials attack, often executed via Whisker or Rubeus, adds a certificate to a target user account, allowing Kerberos authentication as that user without needing their password.

Behavioral Detection for Defenders

Defenders can identify AD CS misuse by monitoring anomalous certificate activity. Key behavioral indicators include:

  • Unusual certificate requests: A low-privileged user requesting a certificate from a high-privilege template or with a high-value EKU (e.g., Client Authentication).
  • Abnormal PKINIT logins: Certificate-based Kerberos authentication from unexpected sources or at unusual times.
  • Modifications to certificate attributes: Changes to userCertificate or msPKI-Certificate-Name-Flag on sensitive user or computer objects.
  • CA database anomalies: Multiple certificate requests from the same user for different subjects or rapid issuance patterns.

Security Information and Event Management (SIEM) solutions can ingest event IDs such as 4886 (certificate services issued a certificate) and 4768 (Kerberos TGT request) to create alerts. Unit 42 recommends tuning detection rules based on baseline behavior and using machine learning to spot rare enrollment events.
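The indicators listed above, and the shadow credential section's point that a certificate added to an account shows up as a directory attribute change, can be expressed as simple stateful rules over security events. The following is an added example (not Unit 42's code): it runs four rules over constructed, simplified records shaped like the fields of event IDs 4886, 4768 and 5136 (the Directory Service Changes event, which requires object-change auditing to be enabled). The baselines, account names, template names, subnet prefixes and thresholds are assumptions a team would replace with its own; real events are XML and would need parsing first.

```python
"""Behavioral rules over AD CS-related Windows security events.

Added example, not Unit 42 code. SAMPLE_EVENTS are constructed, simplified
records; the baselines below are assumptions standing in for a team's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Baseline knowledge a team would maintain (constructed for the example).
ADMIN_ACCOUNTS = {"CORP\\pki-admin"}
SENSITIVE_TEMPLATES = {"DomainController", "Administrator", "VPN-ClientAuth"}
PKINIT_BASELINE_ACCOUNTS = {"CORP\\smartcard-user"}  # accounts expected to log on with certificates
EXPECTED_PKINIT_SOURCES = ("10.10.",)                # subnet prefixes where smart-card logon is normal
TIER0_OBJECTS = {
    "CN=Administrator,CN=Users,DC=corp,DC=local",
    "CN=DC01,OU=Domain Controllers,DC=corp,DC=local",
}
# Attributes that carry certificate or key material for an account.
CERT_ATTRIBUTES = {"userCertificate", "msDS-KeyCredentialLink"}
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3  # distinct subjects requested by one account inside the window


def detect(events):
    """Return a list of (rule, principal, detail) alerts for the given events."""
    alerts = []
    requests = defaultdict(list)  # requester -> [(time, subject)]
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid = e["event_id"]
        if eid == 4886:
            # Rule 1: non-admin requester against a template reserved for privileged use.
            if e["requester"] not in ADMIN_ACCOUNTS and e["template"] in SENSITIVE_TEMPLATES:
                alerts.append(("unusual_certificate_request", e["requester"], e["template"]))
            # Rule 2: burst of requests for different subjects from one account.
            requests[e["requester"]].append((e["time"], e["subject"]))
            recent = {s for t, s in requests[e["requester"]] if e["time"] - t <= BURST_WINDOW}
            if len(recent) == BURST_THRESHOLD:  # fire once when the threshold is reached
                alerts.append(("rapid_issuance_burst", e["requester"], len(recent)))
        elif eid == 4768 and e.get("pre_auth_type") == 16:  # 16 = PA-PK-AS-REQ, i.e. PKINIT
            # Rule 3: certificate logon by an account or from a source not in the baseline.
            unexpected_source = not e["client_ip"].startswith(EXPECTED_PKINIT_SOURCES)
            if e["account"] not in PKINIT_BASELINE_ACCOUNTS or unexpected_source:
                alerts.append(("abnormal_pkinit_logon", e["account"], e["client_ip"]))
        elif eid == 5136:
            # Rule 4: certificate-bearing attribute changed on a Tier-0 object, whoever did it.
            if e["attribute"] in CERT_ATTRIBUTES and e["object"] in TIER0_OBJECTS:
                alerts.append(("sensitive_cert_attribute_change", e["actor"], e["object"]))
    return alerts


T0 = datetime(2026, 5, 14, 9, 0)
SAMPLE_EVENTS = [  # constructed samples
    {"event_id": 4886, "time": T0, "requester": "CORP\\smartcard-user",
     "template": "User", "subject": "CN=smartcard-user"},
    {"event_id": 4886, "time": T0 + timedelta(minutes=1), "requester": "CORP\\jdoe",
     "template": "VPN-ClientAuth", "subject": "CN=Administrator"},
    {"event_id": 4886, "time": T0 + timedelta(minutes=2), "requester": "CORP\\jdoe",
     "template": "VPN-ClientAuth", "subject": "CN=pki-admin"},
    {"event_id": 4886, "time": T0 + timedelta(minutes=3), "requester": "CORP\\jdoe",
     "template": "VPN-ClientAuth", "subject": "CN=DC01"},
    {"event_id": 4768, "time": T0 + timedelta(minutes=5), "account": "CORP\\smartcard-user",
     "client_ip": "10.10.4.20", "pre_auth_type": 16},
    {"event_id": 4768, "time": T0 + timedelta(minutes=6), "account": "CORP\\Administrator",
     "client_ip": "10.10.4.21", "pre_auth_type": 16},
    {"event_id": 4768, "time": T0 + timedelta(minutes=7), "account": "CORP\\jdoe",
     "client_ip": "10.10.9.9", "pre_auth_type": 2},  # password pre-auth, not PKINIT
    {"event_id": 5136, "time": T0 + timedelta(minutes=8), "actor": "CORP\\jdoe",
     "object": "CN=Administrator,CN=Users,DC=corp,DC=local", "attribute": "userCertificate"},
    {"event_id": 5136, "time": T0 + timedelta(minutes=9), "actor": "CORP\\pki-admin",
     "object": "CN=jdoe,CN=Users,DC=corp,DC=local", "attribute": "userCertificate"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the sample input the rules raise six alerts: three for the non-admin requests against the VPN-ClientAuth template, one burst alert when the same account reaches three distinct subjects within five minutes, one PKINIT logon by an account outside the certificate-logon baseline, and one change to userCertificate on the Administrator object. The expected source prefixes and baseline accounts are the pieces the article's advice to tune against baseline behavior applies to.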

Mitigation Strategies

To reduce the risk of AD CS escalation, organizations should implement the following measures:

  • Harden certificate templates: Restrict enrollment rights, require manager approval for sensitive templates, and limit key usage to necessary purposes.
  • Monitor CA infrastructure: Use privileged access workstations (PAWs) to manage CAs and enforce strict logging.
  • Audit ACLs: Regularly review permissions on AD objects and certificate templates to ensure least privilege.
  • Deploy behavioral detection: As described above, with a focus on certificate lifecycle anomalies.

By understanding the tactics outlined in Unit 42's analysis, security teams can proactively defend against these advanced AD CS exploitation techniques.