Mastering AD CS Privilege Escalation: From Template Attacks to Shadow Credentials
Overview
Active Directory Certificate Services (AD CS) is often deployed to manage public key infrastructure (PKI) in enterprise environments. Despite its utility, misconfigured certificate templates and the abuse of shadow credentials provide attackers with stealthy pathways to escalate privileges. This guide dissects two core techniques—template misconfiguration exploitation and shadow credential misuse—as analyzed by Unit 42 researchers. You will learn how these attacks work, how to reproduce them in a lab, and how defenders can detect them using behavioral baselines. Whether you’re a penetration tester or a security engineer, this tutorial delivers actionable insights.

Prerequisites
- Lab Environment: A Windows domain with AD CS installed (Windows Server 2016+ recommended). Use a domain-joined client (Windows 10/11) for testing.
- Tools: Certipy (Python), Rubeus (C#), PowerShell 5.1+, BloodHound (for reconnaissance), and SharpKatz (optional).
- User Accounts: One low-privilege domain user (e.g., user1) and one domain admin account for validation.
- Knowledge: Basic understanding of Active Directory, PKI, Kerberos, and Windows authentication.
Step-by-Step Instructions
Step 1: Enumerate Certificate Templates with Low Privileges
Begin by discovering misconfigured templates accessible to your low-privilege account. Use Certipy to query the certification authority (CA) for templates that allow enrollment with minimal permissions.
certipy find -u user1@corp.local -p 'Password123!' -dc-ip 192.168.1.10
Look for templates where Enrollment Rights include Domain Users or Authenticated Users and where the issued certificate can be used for client authentication (EKU: Client Authentication). Pay special attention to templates that grant extended key usage (EKU) like “Smart Card Logon” or “Subordinate Certification Authority.” A classic example is the CertificateRequestAgent template, which when misconfigured allows delegation of enrollment to any user.
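The template conditions above, turned into a defender-side audit check. This is an added example, not code from the original page or from Unit 42; the template records are constructed to mimic the per-template fields Certipy reports (enrollment rights, EKUs, whether the enrollee supplies the subject), and the principal and EKU name sets are assumptions you would adapt to your forest.

```python
# Added example (not from the original page): flag certificate templates that
# combine broad enrollment rights with the EKUs and settings called out above.
# The records are constructed to mimic the fields Certipy reports per template.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}
AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose"}
AGENT_EKU = "Certificate Request Agent"
SUBCA_EKU = "Subordinate Certification Authority"

# Constructed sample templates (not taken from a real CA).
TEMPLATES = [
    {"name": "User", "enrollment_rights": ["Domain Users"],
     "ekus": ["Client Authentication", "Secure Email"], "enrollee_supplies_subject": False},
    {"name": "VulnTemplate", "enrollment_rights": ["Domain Users"],
     "ekus": ["Certificate Request Agent"], "enrollee_supplies_subject": False},
    {"name": "WebServer", "enrollment_rights": ["Authenticated Users"],
     "ekus": ["Client Authentication"], "enrollee_supplies_subject": True},
    {"name": "SubCA", "enrollment_rights": ["Domain Admins"],
     "ekus": [SUBCA_EKU], "enrollee_supplies_subject": True},
]

def audit_template(t):
    """Return the list of risky conditions found on one template record."""
    findings = []
    broad = BROAD_PRINCIPALS & set(t["enrollment_rights"])
    if not broad:
        return findings  # only privileged principals can enroll: out of scope here
    ekus = set(t["ekus"])
    # A template with no EKU at all yields certificates valid for any purpose,
    # so treat it as authentication-capable.
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)
    if auth_capable and t["enrollee_supplies_subject"]:
        findings.append("enrollee controls the subject of an authentication-capable certificate")
    if AGENT_EKU in ekus:
        findings.append("Certificate Request Agent EKU enrollable by " + ", ".join(sorted(broad)))
    if SUBCA_EKU in ekus:
        findings.append("Subordinate CA EKU enrollable by " + ", ".join(sorted(broad)))
    return findings

def audit_all(templates):
    """Map template name -> findings, keeping only templates with at least one."""
    return {t["name"]: f for t in templates if (f := audit_template(t))}

if __name__ == "__main__":
    for name, findings in audit_all(TEMPLATES).items():
        print(name, "->", "; ".join(findings))
```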
Step 2: Exploit a Vulnerable Template to Escalate Privileges
Suppose you find a template named VulnTemplate where the Issuance Requirements are set to “CA certificate manager approval” and the Enrollment Agent role is assigned to Domain Users. This combination lets a low-privilege user request a certificate on behalf of a higher-privileged account (e.g., Administrator).
1. Request a certificate as the victim user using Certipy with the -on-behalf-of flag:
certipy req -u user1@corp.local -p 'Password123!' -ca CORP-CA -target 'Administrator@corp.local' -template VulnTemplate -on-behalf-of
2. Export the .pfx file and use it to authenticate via Kerberos:
certipy auth -pfx administrator.pfx -dc-ip 192.168.1.10
If successful, you’ll obtain a Kerberos ticket for the domain admin. This attack works because the CA trusts the enrollment agent to submit requests for any subject—without verifying the subject’s consent.
Step 3: Abuse Shadow Credentials via Key Trust
Shadow credentials leverage the Key Trust model in AD CS, where a certificate can be used as a credential for Kerberos authentication. Attackers add a certificate to a target machine’s msDS-KeyCredentialLink attribute, effectively creating a new credential that can be used to request a TGT.
First, enumerate machines where low-privilege users can modify the attribute—often computers with weak ACLs (e.g., S-1-1-0 allowing “Write”). Use BloodHound or the ShadowCred tool:
bloodhound-python -d corp.local -u user1 -p 'Password123!' -gc corp-dc.corp.local -c All
Identify a target computer (e.g., FILE01) with weak ACLs.
Next, add a shadow credential:

certipy shadow add -u user1@corp.local -p 'Password123!' -target FILE01$ -ca CORP-CA
This command generates a new certificate, binds it to the computer account, and outputs a .pfx file. Use that certificate to request a TGT for the computer account, then dump its local administrator hash via DCSync:
certipy auth -pfx file01.pfx -dc-ip 192.168.1.10
Step 4: Detection Methods for Defenders
Unit 42’s analysis emphasizes behavioral detection over static signatures. Watch for these indicators:
- Unusual Certificate Requests: A user requesting a certificate where the subject differs from the requester (cross-user enrollment). Enable auditing on the CA: auditpol /set /subcategory:"Certification Services" /success:enable. Monitor Event ID 4886 (CA issued certificate) and 4887 (request approved).
- Shadow Credential Addition: Monitor for modifications to msDS-KeyCredentialLink on high-value accounts. Use Windows Event ID 4670 (ACL change) or PowerShell logging to detect Set-ADAccountControl operations.
- Abnormal Kerberos TGT Requests: A computer account suddenly requesting a TGT with a certificate not originally provisioned—investigate Event ID 4768 with the specific certificate hash.
Deploy a custom detection rule in your SIEM (e.g., Splunk or Azure Sentinel) that correlates certificate issuance events with user logon anomalies.
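The three indicators above as concrete checks, added here as a defender-side example rather than code from the original page or from Unit 42. Field names follow the EventData of CA event 4887, directory-service event 5136 (which records the attribute write itself, complementing the 4670 ACL events named above) and Kerberos event 4768; the expected-writer set and the thumbprint baseline are placeholders you would load from your own provisioning inventory.

```python
# Added example (not from the original page): the three indicators above as
# checks over constructed Windows event records (4887, 5136, 4768 fields).
import re
# Assumed allow-lists (placeholders for your inventory): accounts that legitimately
# write msDS-KeyCredentialLink, and certificate thumbprints provisioned per account.
EXPECTED_KCL_WRITERS = {"svc_intune"}
PROVISIONED_THUMBPRINTS = {"laptop22": {"aaaa1111"}}

# Constructed sample events; values are not real identifiers.
EVENTS = [
    {"EventID": 4887, "Requester": "CORP\\user1", "Subject": "CN=user1,OU=Users,DC=corp,DC=local"},
    {"EventID": 4887, "Requester": "CORP\\user1", "Subject": "CN=Administrator,CN=Users,DC=corp,DC=local"},
    {"EventID": 5136, "SubjectUserName": "user1", "ObjectDN": "CN=FILE01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc_intune", "ObjectDN": "CN=LAPTOP22,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 4768, "TargetUserName": "FILE01$", "PreAuthType": "16", "CertThumbprint": "DEADBEEF"},
    {"EventID": 4768, "TargetUserName": "LAPTOP22$", "PreAuthType": "16", "CertThumbprint": "AAAA1111"},
]

def principal(name):
    """Reduce 'CORP\\user1', 'user1@corp.local', 'CN=user1,...' or 'FILE01$' to a bare lowercase name."""
    m = re.search(r"CN=([^,]+)", name, re.I)
    if m:
        name = m.group(1)
    name = re.sub(r"^.*\\", "", name)   # drop DOMAIN\ prefix
    name = re.sub(r"@.*$", "", name)    # drop @domain suffix
    return name.lower().rstrip("$")

def cross_user_enrollments(events):
    """4887 records whose issued subject is not the requesting principal."""
    return [e for e in events if e["EventID"] == 4887
            and principal(e["Requester"]) != principal(e["Subject"])]

def key_credential_writes(events, expected=EXPECTED_KCL_WRITERS):
    """5136 writes to msDS-KeyCredentialLink by anyone outside the expected writers."""
    return [e for e in events if e["EventID"] == 5136
            and e["AttributeLDAPDisplayName"].lower() == "msds-keycredentiallink"
            and principal(e["SubjectUserName"]) not in expected]

def unexpected_pkinit(events, baseline=PROVISIONED_THUMBPRINTS):
    """4768 certificate logons whose thumbprint was never provisioned for that account."""
    return [e for e in events if e["EventID"] == 4768 and e.get("CertThumbprint")
            and e["CertThumbprint"].lower() not in baseline.get(principal(e["TargetUserName"]), set())]

if __name__ == "__main__":
    print("cross-user enrollments:", [e["Subject"] for e in cross_user_enrollments(EVENTS)])
    print("shadow credential writes:", [e["ObjectDN"] for e in key_credential_writes(EVENTS)])
    print("unexpected PKINIT logons:", [e["TargetUserName"] for e in unexpected_pkinit(EVENTS)])
```

Each list is a candidate alert; correlating a hit from the second or third check with a logon anomaly for the same account is the SIEM rule described above.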
Common Mistakes
- Overlooking Template Permissions: Many attackers focus only on EKU, forgetting that the Enrollment Rights must be present. Always verify the nTSecurityDescriptor.
- Forgetting to Clean Up Shadow Credentials: Leftover msDS-KeyCredentialLink entries can persist and cause detection failures. Always delete them after testing: certipy shadow delete -u user1 -p 'Password123!' -target FILE01$.
- Assuming Domain Admin Is Required: Many misconfigurations allow a simple Domain User to enumerate and exploit—don’t start with a privileged account.
- Ignoring CA Server Access Controls: If the CA server’s web enrollment interface is exposed, additional attack vectors like ESC8 (NTLM relay) become possible. Lock down the CA web services.
Summary
AD CS escalation remains a potent vector for lateral movement and privilege escalation. By abusing misconfigured certificate templates—especially those allowing enrollment agent impersonation—attackers can forge certificates for any principal. Shadow credentials offer an elegant alternative, turning any writable machine object into a credential store. Defenders must shift from signature‑based detection to behavioral baselines, auditing certificate issuance and attribute modifications. This guide provides the fundamental techniques and defense strategies to keep one step ahead.