Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
Unit 42 reveals how attackers exploit Active Directory Certificate Services through misconfigured templates and shadow credentials, enabling privilege escalation and persistence without zero-day vulnerabilities.

Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable attack surfaces. According to a new technical deep-dive from Unit 42, misconfigured templates and overly permissive enrollment rights have made AD CS a high-impact, under-monitored vector for privilege escalation and unauthorized identity impersonation in modern environments.
Unlike traditional vulnerability exploitation, AD CS attacks rarely rely on zero-day vulnerabilities or malware. Instead, adversaries misuse native certificate issuance to impersonate privileged accounts, escalate privileges, and establish persistence. Unit 42 observations and industry reporting show that these weaknesses are actively exploited by both financially motivated ransomware groups and state-sponsored actors. The research provides a comprehensive breakdown of the attacker's toolkit and their evolving operational behaviors, covering certificate template misconfigurations and shadow credential misuse.
The AD CS exploitation lifecycle typically encompasses five phases: initial access via phishing or credential theft, discovery of CA servers and templates, exploitation of misconfigured templates to request certificates or register cryptographic keys, privilege escalation to domain administrator, and persistence through forged certificates or rogue CAs. Unit 42 highlights that certificate issuance is an expected administrative function that often appears as normal network activity, making AD CS a powerful adversarial tool because exploitation frequently evades detection.
Key contributing factors to the ongoing risk include widespread misconfigurations, complexity breeding mistakes, and limited monitoring. Organizations often deploy AD CS with default or overly permissive settings, and security teams can be hesitant to modify legacy templates for fear of disrupting production systems. Few tools natively detect certificate misuse, leaving a significant blind spot. Recent incident response investigations show attackers leveraging AD CS to escalate from low-privileged accounts to full domain dominance, making exploitation of certificate services a standard step in sophisticated intrusions.
Unit 42 provides detection strategies using behavioral analytics and event log correlation to identify stealthy AD CS abuse. For example, Cortex XDR alerts can highlight mismatches between the requesting machine and the issued certificate's identity — a behavioral signal consistent with certificate-based privilege escalation. These inconsistencies can reveal AD CS abuse even when no malware signatures are present. The article also references a social engineering campaign from August 2024 where attackers attempted to exploit CVE-2022-26923, a vulnerability allowing lower-privileged users to elevate privileges by acquiring a certificate from AD CS.
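The requester-versus-identity mismatch that Unit 42 describes as a detection signal can be expressed as a small correlation rule over certificate issuance records. The following is an added example written for this page, not code from Unit 42 or from Cortex XDR: the log line format, account names, template names and host names are all constructed for illustration, and a production implementation would read the CA's own audit records (for example Windows Security event 4887, "certificate issued") or the CA database rather than this toy format.

```python
"""Flag AD CS certificate issuances whose certificate identity does not match
the account (or machine) that submitted the request.

The log format parsed here is constructed for this example; it is not the
format of any real CA audit event."""
import re
from dataclasses import dataclass, field


@dataclass
class Issuance:
    request_id: str
    requester: str   # account that submitted the request, DOMAIN\name form
    template: str
    san: str         # identity placed in the certificate's SAN: "upn:..." or "dns:..."
    host: str        # machine the request arrived from


# Constructed sample records (not real CA output), one line per issued certificate.
SAMPLE_LOG = """\
req=1040 requester=CORP\\jdoe template=User san=upn:jdoe@corp.example host=WS17
req=1041 requester=CORP\\WS17$ template=Machine san=dns:ws17.corp.example host=WS17
req=1042 requester=CORP\\jdoe template=CustomUser san=upn:administrator@corp.example host=WS17
req=1043 requester=CORP\\WS17$ template=Machine san=dns:dc01.corp.example host=WS17
"""

LINE_RE = re.compile(r"req=(\S+) requester=(\S+) template=(\S+) san=(\S+) host=(\S+)")


def parse_log(text):
    """Parse the constructed key=value lines above into Issuance records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Issuance(*m.groups()))
    return events


def account_key(account):
    """Reduce 'CORP\\jdoe', 'jdoe@corp.example' or 'CORP\\WS17$' to a lowercase bare name."""
    a = account.strip().lower()
    if "\\" in a:
        a = a.split("\\", 1)[1]
    elif "@" in a:
        a = a.split("@", 1)[0]
    return a


def san_key(san):
    """Map the SAN to the same bare-name form: UPN -> user name, DNS -> machine account (host$)."""
    kind, _, value = san.partition(":")
    value = value.lower()
    if kind == "upn":
        return value.split("@", 1)[0]
    if kind == "dns":
        return value.split(".", 1)[0] + "$"
    return value


def find_mismatches(events):
    """Return one finding per issuance where the certificate names a different
    principal than the requester, or a machine certificate names a different
    host than the one the request came from."""
    findings = []
    for ev in events:
        reasons = []
        if account_key(ev.requester) != san_key(ev.san):
            reasons.append("requester-identity-mismatch")
        kind, _, value = ev.san.partition(":")
        if kind == "dns" and value.lower().split(".", 1)[0] != ev.host.lower():
            reasons.append("host-identity-mismatch")
        if reasons:
            findings.append({
                "request_id": ev.request_id,
                "requester": ev.requester,
                "template": ev.template,
                "san": ev.san,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_log(SAMPLE_LOG)):
        print(f"request {f['request_id']}: {f['requester']} obtained cert for "
              f"{f['san']} via {f['template']} ({', '.join(f['reasons'])})")
```

On the constructed sample, requests 1040 and 1041 are benign (a user certificate for the requesting user, a machine certificate for the requesting host) and produce no finding, while 1042 (a user account receiving a certificate naming a different, privileged user) and 1043 (a workstation receiving a certificate naming a domain controller) are flagged. Both rules are deliberately independent of any malware signature, which is the point the article makes: the evidence lives in the issuance metadata, so the correlation should run over every issuance, not only those from suspicious hosts.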
Cortex XDR and XSIAM customers are protected from this activity with Cortex User Entity Behavior Analytics (UEBA) and Cortex Cloud Identity Security. Unit 42 aims to provide defenders with unique ways to uncover stealthy AD CS abuse and address a persistent gap in enterprise security. The research underscores that despite years of highlighting AD CS risks, certificate services remain a significant attack surface that demands immediate attention from security teams.