Advanced Active Directory Certificate Services: Exploitation Tactics and Defender's Guide
Overview
Active Directory Certificate Services (AD CS) is a critical component in many enterprise environments, enabling public key infrastructure (PKI) for authentication, encryption, and digital signatures. However, misconfigurations in certificate templates and the misuse of shadow credentials can open the door to privilege escalation and persistent access for attackers. This tutorial dives deep into two advanced AD CS exploitation techniques: template misconfiguration abuse and shadow credential misuse. We will also cover how defenders can detect these attacks through behavioral monitoring. By the end, you'll understand how to both execute these techniques responsibly and fortify your environment against them.

Prerequisites
Before attempting the techniques described, ensure you have the following:
- Active Directory environment with AD CS role installed (preferably a lab setup)
- Low-privileged domain credentials (e.g., a standard user account)
- Tools: Certify (or Certipy), Mimikatz, Rubeus, SharpDPAPI, and a C2 framework like Cobalt Strike (optional)
- Knowledge: Understanding of PKI, certificate templates, certificate enrollment, and Kerberos authentication
- Permissions: Ensure you have authorization to test on the target environment
Step-by-Step Instructions
1. Exploiting Certificate Template Misconfigurations
Certificate templates define the policy under which a CA issues certificates. A misconfiguration such as letting low-privileged users enroll in a template that carries the Client Authentication EKU and lets the enrollee supply the Subject Alternative Name (SAN) allows an attacker to obtain a certificate that impersonates a privileged user.
1.1 Identify Vulnerable Templates
Use Certify to enumerate all certificate templates and find those with dangerous misconfigurations. Run from a low-privileged context:
Certify find /vulnerable
Look for templates that allow low-privileged users to enroll and have Client Authentication EKU with Enrollment Agent rights or SAN specification enabled.
1.2 Request a Privileged Certificate
If a vulnerable template is found (e.g., User template with SAN edit rights), request a certificate impersonating a domain admin:
Certify request /ca:CA-SERVER\CA-NAME /template:VULNERABLE-TEMPLATE /altname:DOMAIN\Administrator
The certificate is issued with the domain admin's identity in its SAN, and you can export the private key (especially if the template marks it as exportable).
1.3 Use the Certificate for Authentication
Convert the certificate to a usable format (e.g., PFX) and authenticate via Kerberos PKINIT using Rubeus:
Rubeus asktgt /user:Administrator /certificate:admin.pfx /password:password /domain:domain.local
You will receive a Kerberos TGT for the domain admin, granting elevated access.
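The conditions that make a template abusable in section 1.1 can be audited directly from the template attributes. The following added example (not from the original tutorial or from Certify) checks constructed template records shaped like the LDAP attributes of template objects; the `enroll_principals` field is an assumed pre-resolved summary of who holds Enroll rights, and the template contents are constructed while the flag bits and OIDs are the real values.

```python
# Added example (not from the original tutorial): flag templates that combine the
# conditions from section 1.1. Each record is a constructed dict mirroring the
# LDAP attributes of a template object; 'enroll_principals' is an assumed,
# pre-resolved summary of who holds Enroll rights in the template's ACL.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit (manager approval)
AUTH_EKUS = {                            # EKUs usable for domain authentication
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

SAMPLE_TEMPLATES = [  # constructed; the OIDs are real, the template contents are not
    {"name": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "enroll_principals": ["Domain Users"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll_principals": ["Domain Admins"]},
]

def findings(t):
    """List which risky conditions a template meets (empty list = none)."""
    out = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        out.append("enrollee supplies SAN")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:   # an empty EKU list means no usage restriction
        out.append("authentication EKU")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        out.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        out.append("no authorized signature required")
    if set(t["enroll_principals"]) & LOW_PRIV:
        out.append("low-privileged enrollment")
    return out

def impersonation_capable(templates):
    """Templates meeting all five conditions: a low-priv user can enroll for any identity."""
    return {t["name"]: findings(t) for t in templates if len(findings(t)) == 5}

if __name__ == "__main__":
    for name, why in impersonation_capable(SAMPLE_TEMPLATES).items():
        print(name, "->", ", ".join(why))
```

Only templates meeting all five conditions are reported; the default User template fails only the SAN condition and WebServer lacks an authentication EKU, so neither is flagged.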
2. Shadow Credential Abuse
Shadow credentials exploit the Key Distribution Center (KDC) to obtain a user's NTLM hash by manipulating the msDS-KeyCredentialLink attribute. This technique works if the target user or computer has a certificate template allowing enrollment without proper approval.
2.1 Enumerate Targets with Shadow Credentials
Use SharpDPAPI or Certipy to find users/computers that have the msDS-KeyCredentialLink attribute present and writable:
Certipy shadow auto -u user@domain.local -p password -dc-ip DC_IP
2.2 Trigger the Shadow Credential Attack
If you have GenericWrite or GenericAll permissions on a target machine account (e.g., a domain controller), you can add yourself as a key credential owner:

Certipy shadow auto -u user@domain.local -p password -target COMPUTER$ -dc-ip DC_IP -action add
This will generate a new certificate for the target machine, and the private key is stored locally. Then retrieve the NTLM hash:
Certipy shadow auto -u user@domain.local -p password -target COMPUTER$ -dc-ip DC_IP -action get
You receive the NTLM hash of the machine account, which can be used for pass-the-hash attacks.
3. Behavioral Detection for Defenders
To detect these attacks, monitor the following behaviors:
- Unusual certificate enrollment requests: Look for requests to templates with mismatched user attributes (e.g., low-priv user requesting admin cert).
- Modifications to msDS-KeyCredentialLink: Any change to this attribute by a non-admin user is suspicious.
- Kerberos PKINIT usage: Rarely used in normal operations; its appearance may indicate certificate-based impersonation.
- Event IDs: 4887 (Certificate Services approved a certificate request) and 5136 (Directory Service object modification) can be correlated.
Deploy monitoring tools like Microsoft Sentinel or Splunk with custom alerts for these patterns.
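The three behaviors above map onto event fields that a SIEM rule can test directly. The following added example (not from the original tutorial) runs those checks over constructed event records: simplified dicts carrying the native fields of 4887 (request Attributes including a requester-supplied SAN), 5136 (AttributeLDAPDisplayName) and 4768 (Pre-Authentication Type 16 = PA-PK-AS-REQ, i.e. PKINIT); accounts, DNs, the domain and the `KEYCRED_WRITERS` allow-list are assumptions.

```python
# Added example (not from the original tutorial): run the three detections listed
# above over constructed event records. The dicts are simplified versions of the
# native fields of events 4887, 5136 and 4768; accounts, DNs and the domain are
# constructed, and KEYCRED_WRITERS is an assumed allow-list you would populate.
KEYCRED_WRITERS = {"svc-keycred"}  # accounts expected to write msDS-KeyCredentialLink

SAMPLE_EVENTS = [
    # low-privileged requester enrolled with a requester-supplied SAN for the admin
    {"EventID": 4887, "Requester": "LAB\\jdoe",
     "Attributes": "CertificateTemplate:VulnTemplate\nSAN:upn=administrator@lab.local"},
    {"EventID": 4887, "Requester": "LAB\\jdoe", "Attributes": "CertificateTemplate:User"},
    # key credential added to a domain controller object by an ordinary user
    {"EventID": 5136, "SubjectUserName": "jdoe", "OperationType": "Value Added",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    # TGT issued after certificate pre-authentication (PA-PK-AS-REQ = type 16)
    {"EventID": 4768, "TargetUserName": "administrator", "PreAuthType": "16"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2"},  # password pre-auth
]

def san_mismatch(ev):
    """4887 whose SAN request attribute names an identity other than the requester."""
    attrs = dict(l.split(":", 1) for l in ev["Attributes"].splitlines() if ":" in l)
    san = attrs.get("SAN", "").lower()
    if not san.startswith("upn="):
        return None
    san_user = san[4:].split("@", 1)[0]
    if san_user == ev["Requester"].split("\\")[-1].lower():
        return None
    return f"4887 {ev['Requester']} enrolled for {san_user} via {attrs.get('CertificateTemplate')}"

def keycred_write(ev):
    """5136 touching msDS-KeyCredentialLink by an account outside the allow-list."""
    if ev["AttributeLDAPDisplayName"] != "msDS-KeyCredentialLink":
        return None
    if ev["SubjectUserName"].lower() in KEYCRED_WRITERS:
        return None
    return f"5136 {ev['SubjectUserName']} {ev['OperationType']} on {ev['ObjectDN']}"

def pkinit_tgt(ev):
    """4768 with pre-authentication type 16 (PKINIT), rare outside smart-card logon."""
    return f"4768 PKINIT TGT for {ev['TargetUserName']}" if ev["PreAuthType"] == "16" else None

CHECKS = {4887: san_mismatch, 5136: keycred_write, 4768: pkinit_tgt}

def triage(events):
    """Apply the matching check to each event and return the alert strings."""
    return [a for ev in events if (a := CHECKS.get(ev["EventID"], lambda _: None)(ev))]

if __name__ == "__main__": print("\n".join(triage(SAMPLE_EVENTS)))
```

Correlating the three alerts on the same requester or target within a short window (the 4887 SAN for an account followed by a 4768 PKINIT TGT for that account) is what turns these individual signals into a high-confidence detection.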
Common Mistakes
- Not cleaning up artifacts: After exploitation, certificate files and registry changes can leave traces. Always delete generated PFX files and remove added key credentials.
- Overlooking template permissions: Ensure you check both enrollment rights and the “Enrollment Agent” attribute, as these can chain misconfigurations.
- Assuming all versions are vulnerable: Patched AD CS installations have mitigations (e.g., msDS-KeyCredentialLink no longer writable by default). Always test in a lab first.
- Failing to monitor for detection: Attackers often skip enabling auditing. Defenders should enable Advanced Audit Policy for Certificate Services and Directory Service changes.
Summary
This tutorial covered two advanced AD CS exploitation vectors—template misconfiguration abuse and shadow credential attacks—along with practical steps using Certify, Rubeus, and Certipy. We also provided behavioral detection strategies for defenders to identify these threats. By understanding both the offensive and defensive perspectives, you can strengthen your PKI environment against sophisticated attacks. Remember: always obtain proper authorization before testing, and use these techniques to improve overall security posture.