ReCertifying Active Directory Certificate Services

Conference: BlackHat USA 2021

The presentation discusses the dangers of mishandling Active Directory Certificate Services (ADCS) and provides insights on how attackers can exploit it. It also offers recommendations on how to protect against these attacks.
  • ADCS can be dangerous if not handled properly and attackers are using it to their advantage
  • The presentation details various attacks that can be executed using ADCS, including certificate theft, persistence, domain escalation, and domain persistence
  • The tool Certify can be used to enumerate vulnerable templates and request templates for abuse
  • Defenses include developing an incident response plan, auditing relevant event logs, and checking out the white paper for guidance
  • Acknowledgements are given to previous work and collaborators
The presentation highlights the ease with which attackers can persist in someone's account context by actively enrolling in a vulnerable certificate template. This can be done without touching LSASS or requiring elevation for user contexts. The certificate obtained can be used to authenticate as that person or computer at a later point, potentially for years. The presentation also notes that many organizations do not have proactive defenses against this type of attack.
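One detective control that follows from the point above is to compare who requested each issued certificate with the identity the certificate asserts: an enrollment that yields a logon-capable certificate for a different account than the requester is exactly the persistence pattern described. The script below is an added example written for this page, not code from the presentation, the white paper, or the Certify tool. The records it reads are constructed for the example and only loosely resemble a CA issuance audit export (the pipe-delimited layout and the field names RequestId, Requester, Subject, Template and SanUpn are assumptions, as is the set of templates treated as client-authentication templates).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records resembling a CA's "certificate issued" audit export.
# The field layout is an assumption for this example, not the real event schema.
SAMPLE_EVENTS = [
    "RequestId=1042|Requester=CORP\\alice|Subject=CN=alice,OU=Users,DC=corp,DC=local|Template=User|SanUpn=alice@corp.local",
    "RequestId=1043|Requester=CORP\\bob|Subject=CN=Administrator,CN=Users,DC=corp,DC=local|Template=VulnerableUserTemplate|SanUpn=administrator@corp.local",
    "RequestId=1044|Requester=CORP\\WS01$|Subject=CN=ws01.corp.local|Template=Machine|SanUpn=",
    "RequestId=1045|Requester=CORP\\carol|Subject=CN=intranet.corp.local|Template=WebServer|SanUpn=",
]

# Assumption: templates whose certificates can be used for client (logon)
# authentication. In a real deployment derive this from each template's EKUs
# rather than hard-coding names.
CLIENT_AUTH_TEMPLATES = {"User", "Machine", "VulnerableUserTemplate"}


@dataclass
class IssuedCert:
    request_id: int
    requester: str          # DOMAIN\account recorded by the CA at request time
    subject: str            # subject DN of the issued certificate
    template: str           # template the certificate was issued from
    san_upn: Optional[str]  # UPN from the subject alternative name, if any


def parse_event(line: str) -> IssuedCert:
    """Parse one constructed pipe-delimited issuance record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return IssuedCert(
        request_id=int(fields["RequestId"]),
        requester=fields["Requester"],
        subject=fields["Subject"],
        template=fields["Template"],
        san_upn=fields.get("SanUpn") or None,
    )


def requester_account(requester: str) -> str:
    """DOMAIN\\name -> name, lower-cased, with a machine account's trailing '$' removed."""
    name = requester.split("\\", 1)[-1]
    return name.rstrip("$").lower()


def subject_account(cert: IssuedCert) -> str:
    """Identity the certificate asserts for logon: the SAN UPN's local part when
    present, otherwise the leading CN (host label before the first dot)."""
    if cert.san_upn:
        return cert.san_upn.split("@", 1)[0].lower()
    match = re.match(r"CN=([^,]+)", cert.subject)
    cn = match.group(1) if match else ""
    return cn.split(".", 1)[0].lower()


def find_mismatched_issuance(lines: List[str]) -> List[IssuedCert]:
    """Return logon-capable certificates whose asserted identity differs from
    the account that requested them."""
    flagged = []
    for line in lines:
        cert = parse_event(line)
        if cert.template not in CLIENT_AUTH_TEMPLATES:
            continue  # server-only templates cannot be used to log on as a user
        if requester_account(cert.requester) != subject_account(cert):
            flagged.append(cert)
    return flagged


if __name__ == "__main__":
    for cert in find_mismatched_issuance(SAMPLE_EVENTS):
        print(f"request {cert.request_id}: {cert.requester} obtained a logon "
              f"certificate asserting '{subject_account(cert)}' via template {cert.template}")
```

Run against the constructed records, only request 1043 is reported: bob requested a certificate whose SAN UPN names the Administrator account. Legitimate self-enrollment (alice, the WS01$ machine account) and the server-authentication WebServer issuance are left alone. The same comparison can be applied retrospectively to a CA's issued-certificate database to find long-lived certificates that were enrolled before monitoring was in place.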


Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has unfortunately flown under the radar of the defensive industry. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, briefly overview the attacks possible, and present preventive, detective, and incident response guidance for how to secure organizations against these abuses. By presenting the most comprehensive guidance on securing AD CS we hope to give organizations the information and tools they need to secure these complex, widely deployed, and often misunderstood systems.