
New Analysis Reveals Critical AD CS Attack Vectors: Template Flaws and Shadow Credential Abuse

Last updated: 2026-05-13 13:21:50

Unit 42 Exposes Two Key AD CS Escalation Techniques

Palo Alto Networks' Unit 42 has issued an urgent analysis detailing how attackers exploit Active Directory Certificate Services (AD CS) through template misconfigurations and shadow credential misuse. The report provides behavioral detection strategies for defenders.

Source: unit42.paloaltonetworks.com

Attackers can abuse poorly configured certificate templates to request certificates with elevated privileges, or use shadow credentials to authenticate as high-value accounts. These techniques allow lateral movement and privilege escalation within AD environments.

Template Misconfigurations: A Silent Threat

Unit 42 researchers found that misconfigured certificate templates—such as those allowing domain user enrollment with 'Client Authentication' EKU—enable attackers to impersonate privileged users. “These are not novel exploits, but they remain highly effective because organizations fail to audit template settings,” said a Unit 42 senior analyst.

Attackers can request a certificate that names a domain admin account, then use it to obtain Kerberos tickets and access any resource. Proper template hardening is essential to block this path.
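The template settings that combine into the impersonation path above can be checked mechanically. The following audit script is an added example, not Unit 42's tooling: it encodes the conditions (enrollee may supply the subject name, a client-authentication EKU, no manager approval, no authorized signature, and enrollment rights granted to broad groups) and reports only templates where all of them hold. The `SAMPLE_TEMPLATES` records are constructed to mirror the LDAP attributes of template objects; a real audit would load those attributes from the configuration partition over LDAP, which is not shown here.

```python
"""Audit AD CS certificate templates for the low-privilege impersonation path:
anyone can enrol, the certificate can log a user on, the enrollee picks the
subject name, and nothing reviews the request. Added example code.

SAMPLE_TEMPLATES are CONSTRUCTED records mirroring the LDAP attributes of
template objects under CN=Certificate Templates,CN=Public Key Services.
"""
from dataclasses import dataclass

# Flag bits from Microsoft's certificate template documentation.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKUs that let a certificate authenticate a user (an empty EKU list also does).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Enrollment granted to these groups effectively means "any domain principal".
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ra_signatures: int      # msPKI-RA-Signature (authorized signatures required)
    ekus: list              # pKIExtendedKeyUsage
    enroll_rights: list     # principals holding the Certificate-Enrollment right


def allows_client_auth(t: Template) -> bool:
    return not t.ekus or any(oid in CLIENT_AUTH_EKUS for oid in t.ekus)


def audit_template(t: Template):
    """Return (exploitable, findings). A template is reported as exploitable
    only when every condition of the impersonation path holds at once."""
    conditions = {
        "enrollee supplies subject (SAN may name any account)":
            bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client-authentication EKU": allows_client_auth(t),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signature required": t.ra_signatures == 0,
        "enrollment open to broad groups": bool(BROAD_PRINCIPALS & set(t.enroll_rights)),
    }
    findings = [name for name, hit in conditions.items() if hit]
    return all(conditions.values()), findings


def audit_all(templates):
    """Names of the templates that expose the full impersonation path."""
    return [t.name for t in templates if audit_template(t)[0]]


SAMPLE_TEMPLATES = [  # constructed sample data
    Template("VPN-User", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    Template("User", 0x0, 0x0, 0, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], ["Domain Users"]),
    Template("WebServer", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], ["PKI Admins"]),
    Template("Admin-Reviewed", 0x1, 0x2, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        exploitable, findings = audit_template(t)
        status = "EXPLOITABLE" if exploitable else "ok"
        print(f"{t.name:15} {status:12} {'; '.join(findings)}")
```

Only `VPN-User` trips every condition; `User` builds the subject from the directory, `WebServer` cannot authenticate a client, and `Admin-Reviewed` is gated by manager approval. Any single finding on the list is the setting to change: clear the enrollee-supplies-subject flag, require approval or a signature, or cut the enrollment right back to the group that actually needs the template.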

Shadow Credential Misuse: Abusing Key Trusts

Shadow credentials involve adding a malicious Key Credential to a target object (such as a user or computer account) via AD CS, allowing the attacker to request Kerberos tickets without knowing the target's password. Unit 42 warns that this technique bypasses traditional authentication controls.

“Shadow credentials turn AD CS into a privilege escalation weapon,” the analyst added. “We see attackers exploiting this in ransomware campaigns to move laterally.”


Background

Active Directory Certificate Services is a core component of many organizations' PKI infrastructure, issuing digital certificates for authentication and encryption. Its complex configuration often leads to security gaps.

Previous research (e.g., SpecterOps' 'Certified Pre-Owned') cataloged several escalation vectors (ESC1-ESC8). Unit 42's new analysis focuses specifically on template-based misconfigurations and shadow credential attacks, both of which remain prevalent in real-world breaches.

What This Means

For defenders, this analysis underscores the need to harden AD CS configurations immediately. Unit 42 provides behavioral detection rules to spot anomalous certificate requests—such as enrollments by non-admin accounts for administrative templates.

Organizations should audit all certificate templates, restrict enrollment rights, and monitor for shadow credential creation using Windows security events such as Event ID 5136 or 4662. Failure to act leaves a critical privilege escalation path open.
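The shadow credential write described in the earlier section and the monitoring advice here meet in the event log: the Key Credential lands in the `msDS-KeyCredentialLink` attribute of the target, and that write surfaces as Event ID 5136 (attribute named directly, when directory service change auditing is on) or Event ID 4662 (the attribute appears as its schema GUID in the Properties field). The detection logic below is an added example, not Unit 42's published rules. It runs over constructed events flattened as a SIEM would export them, and scores on who wrote to whom, because a computer registering a key on its own object and a known provisioning account are routine. The `ALLOWED_WRITERS` and `TIER0_CNS` sets are placeholders for your environment.

```python
"""Flag shadow-credential writes (msDS-KeyCredentialLink additions) in Windows
security events. Added example, not Unit 42's rules.

SAMPLE_EVENTS are CONSTRUCTED, flattened as a SIEM would export them.
"""

KEY_CREDENTIAL_LINK = "msDS-KeyCredentialLink"
# schemaIDGUID of msDS-KeyCredentialLink; this is what Event 4662 lists in Properties.
KEY_CREDENTIAL_LINK_GUID = "5b47d60f-6090-40b2-9f37-2a4de88f3063"
VALUE_ADDED = "%%14674"      # Event 5136 OperationType: Value Added
WRITE_PROPERTY = 0x20        # Event 4662 AccessMask bit for write property

# Placeholder allow-list: identities expected to provision keys (assumption).
ALLOWED_WRITERS = {"svc-mdm-enrol"}
# Placeholder tier-0 objects whose key trust should never change silently (assumption).
TIER0_CNS = {"DC01", "Administrator", "krbtgt"}


def cn_of(dn: str) -> str:
    """Leading RDN value of a DN, e.g. 'CN=WS01,CN=Computers,...' -> 'WS01'."""
    return dn.split(",")[0].split("=", 1)[1]


def is_self_write(dn: str, subject: str) -> bool:
    """A computer writing its own key appears as the account with a trailing '$'."""
    sam = subject.split("\\")[-1]
    return sam.rstrip("$").lower() == cn_of(dn).lower()


def touches_key_credential_link(ev) -> bool:
    if ev["EventID"] == 5136:
        return (ev["AttributeLDAPDisplayName"] == KEY_CREDENTIAL_LINK
                and ev["OperationType"] == VALUE_ADDED)
    if ev["EventID"] == 4662:
        # AccessMask is logged as a hex string; Properties lists GUIDs in braces.
        return (KEY_CREDENTIAL_LINK_GUID in ev["Properties"].lower()
                and bool(int(ev["AccessMask"], 16) & WRITE_PROPERTY))
    return False


def evaluate(ev):
    """Return (severity, reason), or None when the event is benign."""
    if not touches_key_credential_link(ev):
        return None
    # 4662 may carry the target as an object GUID instead of a DN; the
    # constructed sample uses a DN so no directory lookup is needed here.
    target = ev.get("ObjectDN") or ev.get("ObjectName")
    writer = ev["SubjectUserName"]
    if writer.split("\\")[-1] in ALLOWED_WRITERS:
        return None
    if is_self_write(target, writer):
        return ("low", f"{writer} registered a key on its own object {cn_of(target)}")
    if cn_of(target) in TIER0_CNS:
        return ("critical", f"{writer} added a key credential to tier-0 object {cn_of(target)}")
    return ("high", f"{writer} added a key credential to {cn_of(target)}")


def detect(events):
    alerts = []
    for ev in events:
        verdict = evaluate(ev)
        if verdict:
            alerts.append((ev["EventID"], *verdict))
    return alerts


SAMPLE_EVENTS = [  # constructed sample data
    {"EventID": 5136, "SubjectUserName": "CORP\\WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "CORP\\jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "CORP\\jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "CORP\\svc-mdm-enrol",
     "ObjectDN": "CN=LAP42,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 4662, "SubjectUserName": "CORP\\jdoe",
     "ObjectName": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "AccessMask": "0x20", "Properties": "%%7685 {5B47D60F-6090-40B2-9F37-2A4DE88F3063}"},
]

if __name__ == "__main__":
    for event_id, severity, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity:8}] {event_id}: {reason}")
```

Of the five constructed events, the self-registration by `WS01$` is scored low, the allow-listed provisioning account and the unrelated `description` change are dropped, the write by `jdoe` to a service account is high, and the 4662 write by `jdoe` to a domain controller is critical. The 4662 path matters because 5136 only exists when directory service change auditing is enabled on the domain controllers; the 4662 GUID match is the fallback when it is not.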

“This is not just about patching—it's about understanding AD CS as an attack surface,” the Unit 42 senior analyst cautioned. “Every minute of delay gives attackers another tool.”