Understanding Active Directory Certificate Services Compromise Vectors
Active Directory Certificate Services (AD CS) is Microsoft’s Public Key Infrastructure (PKI) framework, managing encryption, code signing, and authentication through certificate authorities (CAs). The AD CS CA issues certificates based on templates configured for various user and computer authentication purposes. Vulnerabilities in these certificate templates can be exploited to escalate privileges and move laterally within an Active Directory environment.
A notable weakness, known as the ESC1 vulnerability, allows any user to request a certificate on behalf of any other user in the domain, including privileged accounts. This certificate can then be used to authenticate as that user, inheriting their privileges. This exploitation can be performed using native Windows tools, making detection more difficult. Importantly, these certificates remain valid even after the user resets their password, only becoming invalid upon expiration or revocation.
Identifying ESC1 Vulnerable Certificate Templates
An ESC1 vulnerable certificate template exhibits the following configuration:
- Enrolment rights permit user objects to request the certificate.
- Extended Key Usage (EKU) includes user authentication capabilities.
- Subject Alternative Name (SAN) can be supplied by the requester.
- Certificate Manager approval is not required for certificate issuance.
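The four conditions above can be checked mechanically against a template's LDAP attributes. The following is an added example (not code from the original article or from any of the tools it names); the template records are constructed to mirror the relevant pKICertificateTemplate attributes, and the set of "low-privilege" principals is an assumption of the audit.

```python
# Added example (not from the original article): evaluate certificate-template
# attributes against the four ESC1 conditions listed above. Records are
# constructed to mirror the LDAP attributes of pKICertificateTemplate objects.

# Bit flags defined in MS-CRTD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that allow a certificate to be used for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Assumption: enrollment granted to these groups counts as "any user object".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone"}

def esc1_findings(template: dict) -> list[str]:
    """Return the ESC1 conditions a template meets; all four means ESC1."""
    findings = []
    if set(template["enroll_principals"]) & LOW_PRIV_PRINCIPALS:
        findings.append("low-privilege enrollment rights")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list permits any purpose
        findings.append("authentication EKU")
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester supplies SAN")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    return findings

def is_esc1(template: dict) -> bool:
    return len(esc1_findings(template)) == 4

# Constructed sample templates (names hypothetical): the first meets all four
# conditions; the second is the same template with manager approval required.
TEMPLATES = [
    {"name": "VulnUserCert", "enroll_principals": ["Domain Users"],
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0},
    {"name": "ApprovedUserCert", "enroll_principals": ["Domain Users"],
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_findings(t))
```

In a live audit the same function would be fed the attribute values read from the Certificate Templates container in the Configuration partition.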
Other vulnerabilities exist, labeled ESC2 through ESC13, with variations that similarly allow privilege escalation and lateral movement. Further reading is available via SpecterOps, Mandiant, and Microsoft Defender for Identity research.
Mitigation Strategies for AD CS Compromise
To reduce the risk of AD CS compromise, identifying vulnerable configurations is crucial. Tools like Certificate Manager (certmgr.msc), Certutil, PSPKIAudit, and Certify can audit templates and configurations to detect vulnerabilities, including ESC1-ESC8.
Key security controls include:
- Disable the “Enrollee Supplies Subject” flag to prevent users from supplying their own SANs.
- Restrict write permissions on certificate templates for standard user objects.
- Remove the EDITF_ATTRIBUTESUBJECTALTNAME2 flag from CA configurations.
- Require CA Certificate Manager approval for any certificate template that allows SAN input.
- Remove EKUs enabling user authentication from vulnerable templates.
- Limit AD CS CA server access strictly to necessary privileged users.
- Use jump servers or secure admin workstations for CA server management.
- Restrict CA servers to AD CS services only, minimizing attack surface.
- Encrypt and securely store backups with restricted access.
- Implement centralized logging and timely analysis of CA server logs to detect suspicious activity.
Complex environments might have additional risks, such as templates allowing enrollment by specific security groups or domain computers, which attackers can exploit through lateral privilege escalations.
Detecting Active Directory Certificate Services Compromise
Effective detection requires comprehensive logging and analysis from Domain Controllers and Certificate Authorities. Look for:
- Certificates issued with mismatched requester and subject names.
- Unauthorized modifications of certificate templates.
- Unexpected certificate requests or issuances tied to privilege escalation.
AD CS event auditing is disabled by default but can be enabled by:
- Activating Audit object access for Certificate Services in Group Policy under Advanced Audit Policy Configuration.
- Enabling all auditing options under the CA’s properties → Auditing tab.
Important Event IDs for Detecting AD CS Compromise
| Event ID | Source | Description |
|---|---|---|
| 39 | Domain Controllers | No strong certificate mappings found; certificate lacks a valid Security Identifier (SID). |
| 40 | Domain Controllers | Certificate issued before user existed; no strong mapping found. |
| 41 | Domain Controllers | SID in certificate does not match user SID, indicating possible certificate misuse. |
| 1102 | Root and subordinate CAs | Security audit log cleared, potentially to hide malicious activity. |
| 4674 | Domain Controllers | Privileged operations attempted on protected certificate template objects. |
| 4768 | Domain Controllers | Ticket Granting Ticket (TGT) requested with certificate authentication (PreAuthType=16). |
| 4886 | Root and subordinate CAs | Certificate request received, possibly indicating privilege escalation attempts. |
| 4887 | Root and subordinate CAs | Certificate issued, showing potential successful privilege escalation. |
| 4899 | Root and subordinate CAs | Certificate template updated, possibly modified for malicious intent. |
| 4900 | Root and subordinate CAs | Security settings on certificate templates updated, potentially introducing vulnerabilities. |