Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
Unit 42 analyzes AD CS exploitation techniques including template misconfigurations and shadow credential misuse.
Summary
Unit 42 published an in-depth analysis of Active Directory Certificate Services (AD CS) exploitation, focusing on how adversaries misuse certificate template misconfigurations and shadow credentials to escalate privileges and impersonate privileged accounts without relying on zero-days or malware. The research documents advanced techniques actively exploited by ransomware groups and state-sponsored actors, and provides behavioral detection methods and telemetry patterns for defenders to identify stealthy AD CS abuse.
Full text
Threat Research CenterThreat ResearchMalware Malware Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools 14 min read Related ProductsCortexCortex CloudCortex XDRCortex XSIAMUnit 42 Incident Response By:Stav SettyTom FaktermanShachar Roitman Published:May 11, 2026 Categories:MalwareThreat Research Tags:Active DirectoryAD CS attacksCertificate templateCertipyESC1Fighting UrsaMicrosoftPKIShadow credentials Share Executive Summary Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role in the enterprise identity infrastructure, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable attack surfaces. Due to misconfigured templates and overly permissive enrollment rights, AD CS has emerged as a high-impact, under-monitored vector for privilege escalation and unauthorized identity impersonation in modern environments. Unlike traditional vulnerability exploitation, AD CS attacks rarely rely on zero-day vulnerabilities or malware. Instead, adversaries misuse native certificate issuance to impersonate privileged accounts, escalate privileges and establish persistence. Unit 42 observations and industry reporting show that these weaknesses are actively exploited by both financially motivated ransomware groups and state-sponsored actors. We provide a technical deep-dive into advanced AD CS exploitation, including certificate template misconfigurations and shadow credential misuse. Our findings present a comprehensive breakdown of the attacker’s toolkit and their evolving operational behaviors. By studying behavioral analytics, event log correlation and linking offensive techniques to actionable telemetry, it is possible to create dynamic and comprehensive detection strategies. Our detection methods reveal patterns and methods that extend beyond traditional signature-based approaches. We aim to provide defenders with unique ways to uncover stealthy AD CS abuse and address a persistent gap in enterprise security. Cortex XDR and XSIAM customers are protected from this activity with Cortex User Entity Behavior Analytics (UEBA) and Cortex Cloud Identity Security. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team. Related Unit 42 Topics Active Directory, Fighting Ursa, Microsoft Introduction: The Critical Role (and Risk) of AD CS AD CS is the backbone of enterprise public key infrastructure (PKI). At its core is the certificate authority (CA), the service responsible for issuing and managing digital certificates. These certificates are cryptographic identity cards that prove that a user, device or service is what it claims to be. Organizations rely on AD CS for: User authentication: Certificates enable single sign-on and client authentication across services Service authentication: Internal services and domain controllers validate identity using PKI Encryption: Certificates underpin secure communications within and outside the enterprise The same capabilities that make AD CS indispensable also create risk. To manage certificate issuance, AD CS uses certificate templates, which define who can request certificates, what they can be used for, and the permissions required. When misconfigured, these templates may grant long-lived authentication or privileged access, effectively providing complete control over a network. Certificate issuance is an expected administrative function that often appears as normal network activity. This makes AD CS a powerful adversarial tool, because exploitation frequently evades detection. In the AD CS issuance workflow, the CA issues certificates according to the policies defined in certificate templates, and users and services use the resulting certificates for authentication and encryption. Figure 1 illustrates this flow. Figure 1. PKI architecture showing CA → Templates → Certificates → Users and Services. For additional background on AD CS fundamentals, see Detecting AD CS Abuse. Ongoing Exploitation and Blind Spots Despite years of research highlighting AD CS risks, certificate services remain a significant attack surface. Key contributing factors include: Widespread misconfigurations: Organizations often deploy AD CS with default or overly permissive settings. Complexity breeding mistakes: Consistently securing each configuration surface is a daunting task when combined with the need to manage dozens of certificate templates, enrollment policies and delegated permissions. Because certificate services support critical authentication workflows, security teams can be hesitant to modify legacy templates or tighten permissions, for fear of disrupting production systems. Limited monitoring: Few tools natively detect certificate misuse. Recent incident response investigations show attackers leveraging AD CS to escalate from low-privileged accounts to full domain dominance. Exploiting certificate services is no longer rare; it has become a standard step in sophisticated intrusions. In August 2024, Rapid7 described a social engineering campaign in which attackers attempted to escalate privileges by exploiting CVE-2022-26923. This vulnerability allows a lower-privileged user to elevate their privileges by acquiring a certificate from the AD CS. The attackers tried to exploit it by dropping and executing a file named update6.exe. Figure 2 shows a Cortex XDR alert that is triggered when update6.exe attempts to exploit CVE-2022-26923. The alert highlights a mismatch between the requesting machine and the issued certificate’s identity — a behavioral signal that is consistent with certificate-based privilege escalation. These inconsistencies can reveal AD CS abuse even when no malware signatures are present. Figure 2. An alert on the detection and prevention of CVE-2022-26923, as seen in Cortex XDR. Phase Breakdown: How AD CS Attacks Work The AD CS exploitation lifecycle typically encompasses five phases: Initial access: Compromising low-privileged accounts via phishing, credential theft or other vectors Discovery: Enumerating CA servers, certificate templates, enrollment permissions and account keys Exploitation: Misusing misconfigured templates to request certificates or register cryptographic keys for privileged accounts Privilege escalation and lateral movement: Using certificates or keys with public key cryptography for initial authentication (PKINIT) to request Kerberos tickets and impersonate privileged users Persistence: Maintaining access through shadow credentials, key trust misuse and certificate renewal Figure 3 illustrates this sequence of operations, demonstrating how AD CS acts as a force multiplier that turns a single compromised account into long-term access across an enterprise. Figure 3: AD CS attack lifecycle diagram. Deep Dive: Key AD CS Attack Techniques The key adversarial tactics, techniques and procedures (TTPs) that target AD CS include certificate template misconfigurations and shadow credential abuse. Certificate Template Misuse and Misconfigurations Certificate templates define how AD CS issues certificates, including who can request them and what privileges the certificates grant. Exploiting misconfigurations in certificate templates is one of the most common ways that attackers escalate privileges. Common misconfigurations include: Low-privileged users allowed to enroll in high-privileged templates: This effectively lets attackers mint authentication certificates for accounts that they should not control Dangerous template flags enabled: For example, the “Supply in the request” option (ENROLLEE_SUPPLIES_SUBJECT) lets the requester define the certificate subject in the certificate signing request (CSR), enabling impersonation Broad group enrollment rights: Assigni
Indicators of Compromise
- malware — update6.exe
- cve — CVE-2022-26923