Paths to Power in Active Directory Part 1: How AD CS Misconfigurations Become the Keys to the Kingdom

Author: Zach Tackett

An Introduction to Active Directory Certificate Services (AD CS)

I am still fairly new to consulting and penetration testing full-time. I came into consulting knowing the basics from years prior, whether from working my way through assignments in graduate school, listening to podcasts, running numerous labs, or researching the theory behind certain attack paths and types of exploits. I often take the time to read about the goings-on in the field of offensive security and penetration testing.

However, much of the knowledge I'm gaining now comes from working with experienced teammates to carry out real attack paths in actual environments, which is very different from learning theory from labs, podcasts, or blog posts. One particular attack path is the exploitation of misconfigurations in Active Directory Certificate Services (AD CS), and those attack paths are what this post, and the series of follow-up posts, will detail.

Since joining Secure Ideas, I have experienced first-hand how easy it can be to exploit AD CS misconfigurations, going from a regular domain user to Domain Admin in no time. This was not something I expected to run into so quickly. I was only on my second assessment with the team of Senior Consultants I had been shadowing when I witnessed my first AD CS exploit. I was amazed at how easily we were able to get from a standard-level user to complete control of the domain in what seemed to be a matter of minutes. Since then, I have been captivated by learning more about AD CS misconfigurations and how to exploit them.

Background: The Certified Pre-Owned Research

Before diving too deep into the weeds on what AD CS is and how its misconfigurations can be exploited, I want to provide some insight into how we came to know about the various escalation paths. In June 2021, Will Schroeder and Lee Christensen of SpecterOps published a whitepaper titled Certified Pre-Owned. It laid out how misconfigurations in Active Directory Certificate Services can be abused for privilege escalation and full domain compromise, and it is one of the first places these attack paths were clearly documented and structured, putting names and explanations behind what are now referred to as the ESC* abuses. The whitepaper made the connection between theory and practice for me, and that was reinforced when I began seeing the same types of AD CS misconfigurations on real engagements.

What Exactly Is AD CS?

Active Directory Certificate Services (AD CS) is Microsoft’s Public Key Infrastructure (PKI) for Windows environments.  It’s a Windows Server role that allows organizations to issue and manage digital certificates that are trusted across the domain.

In enterprise environments, AD CS typically exists to support everyday security needs such as authentication and encryption across the environment. It is commonly used for smart card logon, Wi-Fi and 802.1X authentication, VPN access, and TLS certificates for internal web applications. AD CS also plays a role in encrypted email, code signing for internal applications, and broader network security functions such as IPsec and other secured communications.

Why AD CS Becomes a Problem

What makes AD CS especially interesting from an attacker's point of view is how tightly it is integrated with Active Directory authentication. AD supports Kerberos Public Key Cryptography for Initial Authentication (PKINIT), which means a certificate can be used instead of a password to request a Kerberos ticket-granting ticket. Certificate templates control who can request certificates, what identity (subject and subject alternative name) those certificates carry, what they can be used for (their extended key usages), and how the CA and the domain controller map them to Active Directory accounts.

When those templates are misconfigured, an attacker can authenticate as other users, escalate privileges, and in some cases fully compromise the domain, often without needing to crack or steal a password. These issues frequently go unnoticed because AD CS is treated as background infrastructure rather than something that needs ongoing attention.
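To make the template attributes in the two paragraphs above concrete, here is an added example (not code from the original post or from the Certified Pre-Owned research) that decodes the attributes deciding who can enroll, whether the requester gets to choose the certificate's subject, and whether the resulting certificate is accepted for logon, then flags the combination that lets a plain domain user obtain a logon certificate for someone else. The template records, the CA's published-template list and the group names are constructed for the example; the flag bits, EKU OIDs and attribute names are the standard AD CS ones.

```python
# Added example: decode AD CS certificate-template attributes and flag the
# "anyone can enroll + requester picks the subject + usable for logon"
# combination. Template records below are CONSTRUCTED; in a real domain they
# are read from the template objects under
# CN=Certificate Templates,CN=Public Key Services,CN=Services,<Configuration NC>,
# and the templates a CA publishes from the certificateTemplates attribute of
# that CA's pKIEnrollmentService object.

# Flag bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester chooses subject / SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# EKU OIDs under which a certificate is accepted for domain authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups every ordinary domain account belongs to (assumed display names; a
# real check resolves the SIDs in the template's security descriptor instead).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


def allows_client_auth(ekus):
    """An empty pKIExtendedKeyUsage means 'any purpose', which includes logon."""
    return not ekus or bool(set(ekus) & CLIENT_AUTH_EKUS)


def analyze_template(tpl, published):
    """Describe what a template lets a requester do and whether the combination
    is abusable from a low-privileged account."""
    f = {
        "published": tpl["name"] in published,
        "low_priv_enroll": bool(set(tpl["enroll_rights"]) & LOW_PRIV_PRINCIPALS),
        "client_auth": allows_client_auth(tpl["pKIExtendedKeyUsage"]),
        "enrollee_supplies_subject": bool(
            tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "manager_approval": bool(tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "signatures_required": tpl["msPKI-RA-Signature"] > 0,
    }
    # Only when every condition lines up can a regular user ask the CA for a
    # logon certificate carrying an arbitrary UPN and have it issued unattended.
    f["abusable_from_low_priv"] = (
        f["published"] and f["low_priv_enroll"] and f["client_auth"]
        and f["enrollee_supplies_subject"]
        and not f["manager_approval"] and not f["signatures_required"]
    )
    return f


def _tpl(name, rights, ekus, name_flag, enroll_flag, ra_sigs=0):
    return {"name": name, "enroll_rights": rights, "pKIExtendedKeyUsage": ekus,
            "msPKI-Certificate-Name-Flag": name_flag,
            "msPKI-Enrollment-Flag": enroll_flag, "msPKI-RA-Signature": ra_sigs}


# Constructed sample templates (attribute values chosen for the example).
TEMPLATES = [
    # Ordinary user template: logon EKU, but the CA builds the subject from AD.
    _tpl("User", ["Domain Users"], ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4"],
         0xA6000000, 0x29),
    # Requester supplies the subject, logon EKU, any domain user can enroll,
    # no approval and no co-signatures: the dangerous combination.
    _tpl("VulnTemplate", ["Domain Users"], ["1.3.6.1.5.5.7.3.2"], 0x1, 0x0),
    # Identical, but requests are held for manager approval.
    _tpl("ApprovedTemplate", ["Domain Users"], ["1.3.6.1.5.5.7.3.2"], 0x1, 0x2),
    # Identical, but the template is not published on any CA.
    _tpl("UnpublishedVuln", ["Domain Users"], ["1.3.6.1.5.5.7.3.2"], 0x1, 0x0),
    # Requester supplies the subject, but only Server Authentication and only
    # admins can enroll.
    _tpl("WebServer", ["Domain Admins"], ["1.3.6.1.5.5.7.3.1"], 0x1, 0x0),
]
PUBLISHED = {"User", "VulnTemplate", "ApprovedTemplate", "WebServer"}  # constructed CA list


def abusable_templates(templates=TEMPLATES, published=PUBLISHED):
    """Names of templates a low-privileged user could abuse, sorted."""
    return sorted(t["name"] for t in templates
                  if analyze_template(t, published)["abusable_from_low_priv"])


if __name__ == "__main__":
    for t in TEMPLATES:
        f = analyze_template(t, PUBLISHED)
        state = "ABUSABLE" if f["abusable_from_low_priv"] else "ok"
        props = ", ".join(k for k, v in f.items() if v and k != "abusable_from_low_priv")
        print(f"{t['name']:18}{state:10}{props}")
```

The checks mirror the conditions a practitioner looks for when triaging templates: the subject is only worth controlling if the certificate is also accepted for logon, and neither matters if an approver or a second signature sits between the request and issuance, or if no CA publishes the template.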

The Plan for This Series

AD CS has turned out to be one of the most consistently abusable parts of Active Directory I've encountered thus far. For system admins it is easy to overlook, and when it is misconfigured, the impact can be much larger than most would expect. Over the next few posts, I'm going to be using the Game of Active Directory (GOAD) lab that the folks at Orange CyberDefense have graciously created to practice a multitude of Active Directory exploits and attack paths.

This series of blog posts will walk through how AD CS gets abused using many of the possible ESC* paths that GOAD allows for within the lab environment, specifically:

  • ESC1
  • ESC2
  • ESC3
  • ESC6
  • ESC8
  • ESC9
  • ESC11
  • ESC15  

You may notice that some of the ESC* paths are missing from that list. GOAD leaves out ESC4, ESC5, ESC7, ESC10, ESC12, ESC13, and ESC14 because they typically require admin access, CA or template reconfiguration, timing-dependent conditions, or complex PKI setups. Instead, GOAD focuses on the AD CS abuses you can actually leverage from a low-privileged user account, which is much closer to how these attack paths show up during real engagements. Each post will focus on one misconfiguration, how to identify and enumerate it, and the tools typically used to exploit it in real environments.

In the next post of this series, we’ll dig into ESC1 by walking through how to identify and enumerate the misconfiguration, the tools used to exploit it, and why it’s so often overlooked despite being one of the easiest paths to abuse.