
Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

Active Directory Certificate Services (AD CS) is increasingly targeted by threat actors to achieve privilege escalation and persistence through misconfigured certificate templates and shadow credential abuse. By leveraging tools like Certipy and Whisker, attackers can bypass traditional credential defenses, necessitating behavioral detection strategies focused on LDAP enumeration, anomalous certificate issuance, and directory modifications.

Sens: Immediate | Conf: High | Analyzed: 2026-05-12

Authors: Unit 42

Actors: Fog ransomware, Fighting Ursa, APT28, Fancy Bear, Forest Blizzard

Source: Palo Alto Networks

Detection / Hunter

What Happened

Cybercriminals and state-sponsored hackers are exploiting weak default settings in Active Directory Certificate Services (AD CS), a system that acts like a digital passport office for corporate networks. Organizations using Microsoft Windows Server and Active Directory environments are at risk. Attackers can use these weak settings to create fake digital identities, giving them high-level access to the network and allowing them to bypass normal passwords to maintain hidden, long-term access. IT and security teams should immediately review their certificate settings for misconfigurations, monitor network logs for unusual certificate requests, and use behavioral security tools to catch this activity early.

Key Takeaways

  • AD CS is actively exploited for privilege escalation and persistence via misconfigured certificate templates and shadow credentials.
  • ESC1 is the most common attack path, exploiting templates that allow requesters to supply the Subject Alternative Name (SAN).
  • Shadow credentials misuse the msDS-KeyCredentialLink attribute to establish persistent, passwordless access via Key Trust.
  • Open-source tools like Certify, Certipy, Whisker, and PKINITtools have lowered the barrier to entry for these attacks.
  • Detection requires correlating LDAP queries, certificate issuance events, directory modifications, and Kerberos ticket requests.

Affected Systems

  • Active Directory Certificate Services (AD CS)
  • Windows Server
  • Active Directory

Vulnerabilities (CVEs)

  • CVE-2022-26923

Attack Chain

The attack begins with initial access via compromised low-privileged accounts. The attacker then performs discovery using LDAP queries to enumerate Certificate Authorities and vulnerable certificate templates. During exploitation, the attacker requests a certificate using a misconfigured template (e.g., ESC1) to impersonate a highly privileged user. This certificate is used via PKINIT to request Kerberos tickets, escalating privileges; persistence is then established by injecting shadow credentials into the msDS-KeyCredentialLink attribute.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Cortex XDR, Cortex XSIAM

The article provides behavioral detection logic based on specific Windows Event IDs (4886, 4887, 4898, 5136, 4768, 4769, 30, 1644) and LDAP query monitoring, which are natively supported by Cortex XDR and XSIAM.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can capture process executions of abuse tools (Certipy, Whisker), LDAP queries originating from endpoints, and the creation of PFX files.
  • Network Visibility: Medium. LDAP queries and Kerberos PKINIT traffic can be observed on the network, but payload contents are often encrypted, requiring endpoint or identity-level logs for full context.
  • Detection Difficulty: Moderate. Detecting AD CS abuse requires correlating multiple event types (LDAP, AD CS, Kerberos) and distinguishing malicious abuse from legitimate administrative actions and auto-enrollment processes.

Required Log Sources

  • Security Event 4886
  • Security Event 4887
  • Security Event 4898
  • Security Event 5136
  • Security Event 4768
  • Security Event 4769
  • Microsoft-Windows-LDAP-Client Event 30
  • Microsoft-Windows-ActiveDirectory_DomainService Event 1644

Hunting Hypotheses

  • Hypothesis: Attackers are enumerating AD CS templates using LDAP queries. | Telemetry: Event ID 1644 or 30 looking for objectClass=pKICertificateTemplate or msDS-KeyCredentialLink. | ATT&CK Stage: Discovery | FP Risk: Medium
  • Hypothesis: Attackers are exploiting ESC1 by requesting certificates with custom Subject Alternative Names (SANs). | Telemetry: Event ID 4886 and 4887 where the requester differs from the subject. | ATT&CK Stage: Privilege Escalation | FP Risk: Low
  • Hypothesis: Attackers are establishing shadow credentials by modifying key trust attributes. | Telemetry: Event ID 5136 showing modifications to the msDS-KeyCredentialLink attribute. | ATT&CK Stage: Persistence | FP Risk: Low
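The three hypotheses above as one correlation routine, added here as an example and not taken from the Unit 42 article or the Cortex products. The event records are constructed with simplified field names loosely modelled on the Windows Security and Directory Service logs; the account-name parsing and the UPN/DNS SAN regex are this example's own assumptions.

```python
import re

# Constructed sample events, loosely shaped after the Windows
# Security and Directory Service logs (field names simplified).
SAMPLE_EVENTS = [
    {"EventID": 1644, "User": "CORP\\jdoe",
     "Filter": "(objectClass=pKICertificateTemplate)"},
    {"EventID": 4887, "RequestId": 101, "Requester": "CORP\\jdoe",
     "Subject": "CN=jdoe", "SAN": "upn=administrator@corp.local"},
    {"EventID": 4887, "RequestId": 102, "Requester": "CORP\\WS01$",
     "Subject": "CN=WS01.corp.local", "SAN": "dns=WS01.corp.local"},
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 5136, "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},
]
ENUM_MARKERS = ("pkicertificatetemplate", "msds-keycredentiallink")

def account_of(requester):
    """'CORP\\WS01$' -> 'ws01', so identities compare case-insensitively."""
    return requester.split("\\")[-1].rstrip("$").lower()

def identities_in(ev):
    """Account names the certificate asserts: subject CN plus UPN/DNS SAN."""
    names = set()
    for field, pattern in (("Subject", r"CN=([^,]+)"),
                           ("SAN", r"(?:upn|dns)=([^,@]+)")):
        m = re.search(pattern, ev.get(field, ""), re.I)
        if m:
            names.add(m.group(1).split(".")[0].lower())
    return names

def hunt(events):
    """Return (stage, detail) alerts for the three hypotheses above."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in (1644, 30) and any(k in ev.get("Filter", "").lower() for k in ENUM_MARKERS):
            alerts.append(("Discovery", f"{ev['User']} searched {ev['Filter']}"))
        elif eid == 4887:
            # ESC1 indicator: the certificate names an identity other than the requester.
            extra = identities_in(ev) - {account_of(ev["Requester"])}
            if extra:
                alerts.append(("Privilege Escalation", f"request {ev['RequestId']} by {ev['Requester']} names {sorted(extra)}"))
        elif eid == 5136 and ev["AttributeLDAPDisplayName"].lower() == "msds-keycredentiallink":
            alerts.append(("Persistence", f"{ev['SubjectUserName']} wrote msDS-KeyCredentialLink on {ev['ObjectDN']}"))
    return alerts
```

The machine auto-enrollment (request 102) produces no alert because every name in the certificate matches the requesting account, which is the distinction the Low FP-risk rating relies on.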

Control Gaps

  • Lack of native AD CS monitoring
  • Overly permissive default certificate templates
  • Inadequate auditing of directory modifications

Key Behavioral Indicators

  • LDAP queries for msDS-KeyCredentialLink
  • Modifications to msDS-KeyCredentialLink (Event 5136)
  • Certificate requests with SAN mismatch
  • High volume of LDAP queries from non-admin accounts

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Audit and disable overly permissive certificate templates, specifically those with the ENROLLEE_SUPPLIES_SUBJECT flag enabled.
  • Enable advanced audit policies for AD CS and Directory Services (Event IDs 4886, 4887, 4898, 5136).

Infrastructure Hardening

  • Implement Tiered Administration to restrict who can manage AD CS and certificate templates.
  • Require manager approval or authorized signatures for sensitive certificate templates.
  • Monitor and restrict modifications to the msDS-KeyCredentialLink attribute.
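A template audit covering the two template-level recommendations above (the ENROLLEE_SUPPLIES_SUBJECT flag, and manager approval or authorized signatures), added here as an example rather than code from the Unit 42 article. The attribute names are the real AD schema attributes and the bit values follow MS-CRTD; the three templates and the lowPrivCanEnroll field, which stands in for a real ACL check, are constructed.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",        # Client Authentication
             "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
             "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
             "2.5.29.37.0"}              # Any Purpose

# Constructed templates; lowPrivCanEnroll stands in for a real ACL check.
SAMPLE_TEMPLATES = [
    {"cn": "WebUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "lowPrivCanEnroll": True},                    # all ESC1 preconditions met
    {"cn": "Machine", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "lowPrivCanEnroll": True},                    # subject built by the CA from AD
    {"cn": "VPNUser", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "lowPrivCanEnroll": True},                    # manager approval gates issuance
]

def esc1_findings(t):
    """ESC1 preconditions this template meets; all five together mean exposed."""
    f = []
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        f.append("enrollee supplies subject/SAN")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        f.append("no manager approval")
    if t["msPKI-RA-Signature"] == 0:
        f.append("no authorized signature required")
    ekus = set(t["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list means any purpose
        f.append("authentication EKU")
    if t["lowPrivCanEnroll"]:
        f.append("low-privileged enrollment")
    return f

def is_esc1_exposed(t):
    return len(esc1_findings(t)) == 5

def harden(t):
    """Corrected copy: stop enrollee-supplied names and require manager approval."""
    fixed = dict(t)
    fixed["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
    return fixed

def exposed_names(templates):
    return sorted(t["cn"] for t in templates if is_esc1_exposed(t))
```

Only WebUser is reported: Machine never lets the requester choose the name, and VPNUser's pending-approval bit means a custom SAN still cannot be issued without a manager's review.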

User Protection

  • Deploy behavioral analytics (UEBA) to detect anomalous authentication patterns and PKINIT usage.
  • Restrict the execution of known AD CS abuse tools (Certipy, Whisker) via EDR or AppLocker.

Security Awareness

  • Train SOC analysts on AD CS attack paths, ESC techniques, and PKINIT Kerberos authentication anomalies.

MITRE ATT&CK Mapping

  • T1649 - Steal or Forge Authentication Certificates
  • T1556 - Modify Authentication Process
  • T1550 - Use Alternate Authentication Material
  • T1087 - Account Discovery
  • T1083 - File and Directory Discovery
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1070 - Indicator Removal
  • T1005 - Data from Local System
  • T1562.002 - Impair Defenses: Disable Windows Event Logging
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Command Lines:
    • Purpose: Enumerate AD CS objects and vulnerable templates via LDAP | Tools: Certipy | Stage: Discovery | find -u REDACTED -p REDACTED -dc-ip REDACTED -scheme ldap
    • Purpose: Add shadow credentials to a target account for persistence | Tools: pyWhisker | Stage: Persistence | .\pywhisker.py -u <user> -d <domain> -t <target> --action add
  • Other:
    • ENROLLEE_SUPPLIES_SUBJECT - Certificate template flag abused in ESC1 attacks to allow requesters to specify the Subject Alternative Name (SAN).
    • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT - Certificate template flag indicating the enrollee can supply the subject, leading to impersonation.