AD CS Attack Pathways: Misconfigured Templates and Shadow Credentials

Introduction

Active Directory Certificate Services (AD CS) is a critical component in many Windows enterprise environments, enabling public key infrastructure (PKI) operations such as certificate issuance and authentication. However, its complexity also introduces attack surfaces that adversaries exploit for privilege escalation and lateral movement. This article examines two advanced misuse techniques: template misconfigurations and shadow credential misuse, and explores behavioral detection methods that defenders can employ to mitigate these threats.

AD CS Attack Pathways: Misconfigured Templates and Shadow Credentials — Source: unit42.paloaltonetworks.com

Template Misconfigurations

Certificate templates define the settings and permissions for certificate requests. When misconfigured—for example, by allowing low-privileged users to request certificates with enhanced key usage (EKU) like smart card logon or domain controller authentication—attackers can escalate privileges to obtain domain admin credentials. Key misconfigurations include:

Unrestricted enrollment rights: Any user can enroll in a template that grants authentication capabilities.
Weak EKU constraints: Templates allowing client authentication can be used to authenticate as any entity.
Enrollment agent restrictions bypass: Misconfigured manager approval or no issuance requirement exposes the CA.

These flaws are often identified with tools like Certipy or PKINITtools, which scan for vulnerable templates and issue malicious certificates.

Shadow Credential Misuse

Shadow credentials involve the abuse of Kerberos Key Distribution Center (KDC) interactions. An attacker with write access to a target object's msDS-KeyCredentialLink attribute can create a key credential that allows authentication as that object—effectively forging a pass-the-hash-capable credential without needing the actual password. This technique is particularly dangerous because:

It works against domain controllers, servers, or users.
It bypasses traditional password changes.
It can be performed remotely if an AD CS endpoint permits certificate-based authentication.

The attack is often executed by first compromising a service account with permissions to modify the attribute, then using tools like Whisker to implant the credential.

Tools and Attack Vectors

Both escalation methods are supported by a suite of open-source tools:

Certipy: Automates certificate template misconfiguration exploitation, including ESC1 to ESC13 attacks.
PKINITtools: Facilitates PKI-based Kerberos authentication and shadow credential manipulation.
Impacket: Contains scripts for certificate request and S4U2Self abuse.

Modern attacks combine these with behavioral detection bypasses, such as slow enumeration or legitimate API use.

Behavioral Detection for Defenders

To counter AD CS abuse, defenders must monitor for anomalous patterns:

Certificate enrollment from non-standard workstations: Alert on enrollment requests from servers or user machines that rarely enroll certificates.
Unusual msDS-KeyCredentialLink modifications: Track changes to this attribute, especially on high-value accounts.
Non-interactive logon via certificates: Detect certificates used for authentication that were issued to accounts or systems that typically do not perform certificate-based logins.

Behavioral baselines can be established using Windows Event Logs (e.g., Event IDs 4886, 4887, 4768) and SIEM correlation rules. Integration with Microsoft Defender for Identity or similar solutions further enhances detection.

Conclusion

AD CS escalation remains a potent vector for attackers due to misconfigurations and protocol abuse. By understanding template vulnerabilities and shadow credential threats, and by deploying behavioral detection, security teams can significantly reduce the risk. Continuous monitoring and timely patching of certificate templates are essential defensive measures.

Tags: