Active Directory Certificate Services Escalation: A Deep Dive into Attack Vectors and Defense Strategies


Active Directory Certificate Services (AD CS) is a critical component in many enterprise environments, but its misconfiguration can open the door to severe escalation attacks. This Q&A explores advanced misuse techniques, including template misconfigurations and shadow credential attacks, as analyzed by Unit 42. We'll cover how attackers exploit these weaknesses, the tools they use, and behavioral detection methods that defenders can implement to stay ahead.

1. What is Active Directory Certificate Services (AD CS) and why is it a prime target for attackers?

AD CS is Microsoft's implementation of Public Key Infrastructure (PKI) within Active Directory. It enables issuance and management of digital certificates used for authentication, encryption, and digital signatures. Attackers target AD CS because it often holds domain-level privileges. Misconfigurations can allow an attacker to request certificates that authenticate as any user or machine, including domain admins. This makes AD CS a high-value asset: compromising it can lead to persistent, stealthy access without needing traditional credential theft. Unit 42's research highlights how attackers exploit these trust relationships to escalate privileges laterally and vertically within a network.

Source: unit42.paloaltonetworks.com

2. What are template misconfigurations in AD CS and how do they enable escalation?

Certificate templates define the properties and permissions for issued certificates. Misconfigurations occur when templates allow low-privileged users to request certificates with excessive rights. For example, a template might enable Client Authentication while also granting the ability to specify a subject alternative name (SAN). This lets an attacker request a certificate for a high-value account (e.g., Domain Admin). Unit 42's analysis shows that templates with weak enrollment permissions or missing approval workflows are frequently exploited. Common misconfigurations include the ESC1 to ESC8 scenarios discovered by security researchers. These allow attackers to bypass authentication controls and impersonate any user, gaining elevated access.

3. How do shadow credential attacks work in the context of AD CS?

Shadow credentials is a technique in which an attacker adds a Key Credential attribute to a user or computer object in Active Directory without the legitimate owner's knowledge. This allows the attacker to authenticate as that object using certificate-based authentication. The attack leverages the Shadow Credentials feature introduced in Windows Server 2016. By adding a rogue Key Credential, the attacker can perform a PKINIT exchange to obtain a Kerberos TGT, effectively hijacking the identity. Unit 42's research indicates this method is particularly dangerous because it requires no initial compromise of the target's password. Tools like Whisker automate the process. Defenders must monitor for unexpected additions of KeyCredential attributes.

4. What tools and frameworks do attackers commonly use for AD CS exploitation?

Several specialized tools streamline AD CS attacks. Certify (part of GhostPack) enumerates certificate templates and finds exploitable misconfigurations. Certipy (Python) automates exploitation of ESC1-ESC8 scenarios. For shadow credentials, Whisker adds rogue Key Credentials quickly. Impacket and Rubeus are used for Kerberos interaction post-exploitation. Unit 42's analysis emphasizes that these tools are often scripted and chained – an attacker may use Certify to find a vulnerable template, then Certipy to request a certificate, and finally Rubeus to authenticate. Defenders should correlate tool signatures, such as distinctive network patterns or registry modifications, to detect these chains.

5. How can defenders detect AD CS escalation attempts using behavioral methods?

Behavioral detection focuses on anomalous actions and sequences rather than static signatures. Unit 42 recommends monitoring for:

By baselining normal behavior, security teams can set alerts for deviations. For example, an account that never requested certificates suddenly generating multiple requests should trigger an investigation.
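The two behaviours singled out in this section and in question 3 (an account that never requested certificates suddenly generating several, and a rogue Key Credential followed by certificate-based authentication) can be expressed as correlation rules over audit events. The following is an added example written for this page, not Unit 42's code or output from any tool named above; the event IDs are real Windows security events, but the sample events, their `k=v` detail format and the baseline are constructed.

```python
from collections import Counter

# Constructed sample events: (epoch seconds, event ID, account, details).
# 4887 = CA issued a certificate, 5136 = directory object modified,
# 4768 = TGT requested (certificate fields appear only for PKINIT logons).
EVENTS = [
    (100, 4887, "alice", "template=User"),
    (110, 4887, "bob", "template=User"),
    (120, 4887, "alice", "template=User"),
    (200, 5136, "svc-backup", "attr=msDS-KeyCredentialLink;op=add"),
    (215, 4768, "svc-backup", "cert_thumbprint=CONSTRUCTED0001"),
    (300, 4887, "webdev", "template=Workstation"),
    (301, 4887, "webdev", "template=Workstation"),
    (302, 4887, "webdev", "template=Workstation"),
    (400, 4768, "alice", ""),  # password-based TGT: no certificate fields
]
# Constructed baseline: certificates issued per account in an earlier
# comparable window; accounts missing here have never enrolled before.
BASELINE = {"alice": 2, "bob": 1}

def parse_details(details):
    """Turn 'k=v;k=v' into a dict (empty string -> empty dict)."""
    return dict(p.split("=", 1) for p in details.split(";") if "=" in p)

def detect_cert_bursts(events, baseline, factor=3, min_new=2):
    """Flag a never-enrolled account reaching min_new issued certificates,
    or any account exceeding factor times its baseline. -> {account: count}"""
    counts = Counter(acct for _, eid, acct, _ in events if eid == 4887)
    flagged = {}
    for acct, n in counts.items():
        base = baseline.get(acct)
        if (base is None and n >= min_new) or (base is not None and n > factor * base):
            flagged[acct] = n
    return flagged

def detect_shadow_credential_chain(events, window=900):
    """Flag accounts where a msDS-KeyCredentialLink write (5136) is followed
    within `window` seconds by a certificate-based TGT request (4768 carrying
    certificate fields) for the same account. -> [(account, seconds_between)]"""
    last_write, hits = {}, []
    for ts, eid, acct, details in sorted(events):
        d = parse_details(details)
        if eid == 5136 and d.get("attr") == "msDS-KeyCredentialLink":
            last_write[acct] = ts
        elif eid == 4768 and "cert_thumbprint" in d and acct in last_write:
            if ts - last_write[acct] <= window:
                hits.append((acct, ts - last_write[acct]))
    return hits
```

Event 5136 only records the attribute write if a SACL auditing writes to msDS-KeyCredentialLink is in place on the monitored objects, so the second rule is silent without that audit configuration.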

6. What are the best practices for securing AD CS against these advanced attacks?

To harden AD CS, follow these principles:

  1. Audit and harden templates – Disable unnecessary templates, set approval requirements, avoid SAN enablement unless carefully controlled.
  2. Restrict enrollment permissions – Only allow authorized users to enroll in high-privilege templates. Follow the principle of least privilege.
  3. Enable CA audit logging – Capture all certificate issuance and revocation events.
  4. Monitor for shadow credentials – Check regularly for unexpected Key Credential attributes on sensitive accounts.
  5. Use behavioral analytics – Deploy SIEM rules to detect chained tool usage and unusual Kerberos activity.

Unit 42's findings stress that proactive assessments, including ad hoc reviews, and continuous monitoring are essential to preventing these escalation paths.
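Hardening rules 1 and 2 above, together with the SAN-plus-Client-Authentication misconfiguration described in question 2, can be checked mechanically against a template's attributes. The following audit is an added example for this page, not Unit 42's code or the logic of any enumeration tool; the flag bits and EKU OIDs are the real values from the certificate template schema, while the template records and enrollment principals are constructed.

```python
# Constructed template records modelled on the AD attributes that define a
# certificate template. The flag bits and EKU OIDs are the real values; the
# template names and enrollment principals are constructed for the example.
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users"}

TEMPLATES = [
    {"name": "User", "name_flag": 0x0, "enroll_flag": 0x0,
     "ekus": [CLIENT_AUTH_EKU], "enroll": {"Domain Users"}},
    {"name": "WebServerCustom", "name_flag": ENROLLEE_SUPPLIES_SUBJECT,
     "enroll_flag": 0x0, "ekus": [SERVER_AUTH_EKU, CLIENT_AUTH_EKU],
     "enroll": {"Domain Users"}},
    {"name": "AdminOnly", "name_flag": ENROLLEE_SUPPLIES_SUBJECT,
     "enroll_flag": PEND_ALL_REQUESTS, "ekus": [CLIENT_AUTH_EKU],
     "enroll": {"PKI Admins"}},
]

def audit_template(t):
    """Return the hardening-rule violations for one template record."""
    supplies_subject = bool(t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t["enroll_flag"] & PEND_ALL_REQUESTS)
    low_priv = sorted(t["enroll"] & LOW_PRIV_PRINCIPALS)
    findings = []
    # Rule 1: a requester-supplied subject/SAN must sit behind manager approval.
    if supplies_subject and not needs_approval:
        findings.append("requester-supplied SAN without manager approval")
    # Rule 2: an authentication-capable template whose subject the requester
    # controls is high-privilege; low-privileged groups must not enroll in it.
    if supplies_subject and CLIENT_AUTH_EKU in t["ekus"] and low_priv:
        findings.append("enrollable by low-privileged " + ", ".join(low_priv))
    return findings

def audit(templates):
    """Map template name -> findings, omitting templates with no findings."""
    report = {}
    for t in templates:
        findings = audit_template(t)
        if findings:
            report[t["name"]] = findings
    return report
```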
