10 Critical Insights into AD CS Escalation: From Misconfigurations to Detection

Active Directory Certificate Services (AD CS) is a cornerstone of enterprise authentication, but its misuse can lead to devastating privilege escalation. Attackers exploit template misconfigurations and shadow credential techniques to gain unauthorized access, while defenders must stay ahead with behavioral detection. This listicle unpacks the most advanced misuse techniques and tools, offering a comprehensive guide for security professionals. Whether you're auditing your environment or responding to an incident, understanding these 10 key aspects is essential for safeguarding your AD CS infrastructure.

1. The Foundation of AD CS Escalation

AD CS acts as a public key infrastructure (PKI) for issuing certificates, enabling secure communication and authentication. However, misconfigurations in certificate templates and enrollment policies create pathways for attackers to request certificates that grant elevated privileges. The core issue lies in overly permissive settings, such as allowing domain users to enroll in templates that enable authentication as any entity. Escalation typically begins with reconnaissance: attackers enumerate templates, certificate authorities (CAs), and permissions to identify weak spots. Understanding this foundational process is crucial for both exploitation and defense.

10 Critical Insights into AD CS Escalation: From Misconfigurations to Detection — Source: unit42.paloaltonetworks.com

2. Template Misconfiguration: The ESC1 Threat

ESC1 (Escalation 1) is the most well-known AD CS attack, where a certificate template permits the enrollee to supply a subject alternative name (SAN). If the template also allows client authentication, an attacker can request a certificate with an arbitrary SAN (e.g., domain admin) and use it to impersonate that user. This technique exploits the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag being set. Defenders should audit templates for this combination and restrict enrollment permissions to trusted entities. Behavioral detection can flag anomalous certificate requests with unusual SAN values.

3. ESC2: Overly Permissive EKU Extensions

ESC2 leverages certificates with extended key usage (EKU) extensions that are too broad. For example, a template with 'Any Purpose' EKU allows the certificate to be used for client authentication, server authentication, and code signing. Attackers can request such certificates and use them to impersonate any user or service. Mitigation involves reviewing EKU settings and ensuring only necessary extensions are enabled. Behavioral monitoring can detect certificates requested with abnormal EKU combinations, especially from non-admin accounts.

4. ESC3: Certificate Enrollment Agent Abuse

ESC3 exploits the Certificate Enrollment Agent (CEA) feature, which allows a user to request certificates on behalf of another entity. If misconfigured, an attacker with CEA rights can enroll for a certificate as a domain admin. This attack often requires two templates: one for the enrollment agent certificate and another for the final certificate. Defenders should limit CEA privileges, require approval workflows, and monitor for unusual enrollment agent activity. Behavioral detection can identify when a non-admin account uses CEA to request high-privilege certificates.

5. ESC4: Vulnerable Template Permissions

ESC4 occurs when an attacker modifies certificate template security settings due to excessive write permissions. They can change the template to enable ESC1-like behavior by adding the 'Enroll' permission for themselves or setting the SAN flag. This attack requires the attacker to already have some level of access (e.g., a low-privileged account with write rights). Hardening involves auditing template permissions and removing unnecessary write access. Behavioral detection can alert on changes to template properties, such as adding new enrollment rights.

6. ESC5: CA Misconfiguration and Backdoors

ESC5 targets the Certificate Authority itself, exploiting misconfigurations like weak CA certificate permissions or allowing enrollment requests from any authenticated user. Attackers can request a CA-issued certificate that grants domain admin privileges, effectively creating a backdoor. Defenders should apply the principle of least privilege to CA roles, restrict enrollment rights, and regularly validate CA configuration. Behavioral detection can flag atypical enrollment patterns, such as a single account requesting multiple certificates from different templates.

7. Shadow Credentials: A Modern Twist

Shadow credentials involve an attacker adding a certificate to a target object's msDS-KeyCredentialLink attribute, effectively creating a credential that can be used for authentication. This technique bypasses traditional password changes and can be executed if the attacker has sufficient privileges (e.g., write access to the attribute). Shadow credentials are often used in combination with Active Directory Federation Services (AD FS) to gain persistent access. Detection involves monitoring for modifications to msDS-KeyCredentialLink and using tools like Microsoft Defender for Identity to spot anomalies.

8. Behavioral Detection Strategies for Defenders

Defenders can deploy behavioral detection to identify AD CS escalation attempts in real time. Key indicators include: unexpected certificate enrollment requests from non-admin users, requests with unusual SANs (e.g., multiple distinct names), modifications to template or CA settings, and large numbers of certificates issued in a short period. Security information and event management (SIEM) systems, alongside specialized tools like Unit 42's behavioral analysis, can correlate these events. Regularly tuning detection rules based on your environment's baseline is essential to reduce false positives.

9. Tools and Resources for Auditing AD CS

Several tools simplify auditing and exploitation of AD CS. For defenders, Certify and PSPKIAudit help enumerate misconfigurations. Attackers often use Certipy or OpenSSL to craft certificates. Understanding these tools is vital for both red and blue teams. Defenders should run periodic scripts to identify templates with dangerous settings (e.g., ESC1 conditions) and review CA permissions. Public resources like the AD CS Attack Paths repository provide detection rules and hardening guides. Incorporating these tools into your security operations center (SOC) workflow enhances detection capabilities.

10. Future-Proofing Your AD CS Infrastructure

As AD CS threats evolve, proactive measures are critical. Implement certificate lifecycle management automation to enforce strict policies, regularly update templates, and revoke suspicious certificates. Consider migrating to cloud-based PKI solutions where appropriate. Training your IT staff on AD CS security best practices, including the principle of least privilege and regular auditing, reduces the attack surface. Finally, stay informed about emerging techniques by following research from organizations like Unit 42. A layered defense combining configuration hardening, behavioral detection, and continuous improvement is your best bet against AD CS escalation.

Understanding these 10 facets of AD CS escalation empowers defenders to mitigate risks and respond effectively. From template misconfigurations to shadow credentials and behavioral detection, each element plays a role in a comprehensive security strategy. By auditing your environment, deploying detection tools, and staying updated on new research, you can protect your organization from these advanced misuse techniques. The fight against AD CS escalation demands vigilance—start implementing these insights today.