
Attackers Exploit AD CS for Stealthy Privilege Escalation


In August 2024, Rapid7 described a social engineering campaign in which the intruders dropped and executed a file named update6.exe in an attempt to exploit CVE-2022-26923, a domain privilege-escalation flaw in Active Directory Certificate Services (AD CS) that Microsoft patched in May 2022. It is a concrete example of how attackers weaponize AD CS to elevate privileges with little that traditional malware signatures would catch: the escalation itself rides on legitimate certificate enrollment and Kerberos authentication.

Why AD CS matters to enterprise identity

Active Directory Certificate Services (AD CS) issues the certificates that act as cryptographic identity cards across Windows enterprise environments. The service underpins user authentication, service authentication and encryption. Because certificate issuance is a routine administrative action, malicious activity that leverages AD CS frequently blends into normal operations, creating a high-impact, under-monitored attack surface when templates, enrollment policies or delegated permissions are misconfigured.

ESC1 and the anatomy of template-based escalation

Unit 42 and other reporting identify template misconfiguration as the most consistently observed escalation technique. The SpecterOps taxonomy (ESC1 through ESC8 in the original Certified Pre-Owned research) places ESC1 at the center of modern AD CS misuse. ESC1 needs a template that (1) grants enrollment rights to low-privileged principals, (2) sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the requester chooses the subject and SAN, (3) requires neither CA manager approval nor authorized signatures, and (4) carries an EKU that permits client authentication (or no EKU at all). Given such a template, an ordinary domain user can request a certificate whose SAN names a privileged account, and the CA will issue it.

Attackers enumerate templates with tools like Certify or Certipy, submit a certificate signing request whose subject or SAN names the target account, and receive an issued certificate that authenticates as that account, typically through a PKINIT Kerberos AS-REQ that returns a TGT, or through Schannel to services that accept certificate logon. Unit 42 shows that behavioral mismatches surface as effective detection signals even when no malware is present: the Requester field of the CA's issuance event names one account while the Subject (or SAN) of the issued certificate names another, or the request arrives from a machine unrelated to the certificate subject.
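To make the four ESC1 preconditions concrete, the following Python is an added example (not code from the article or from the Unit 42 report). It evaluates the preconditions against certificate-template attributes as they are stored under CN=Certificate Templates in the Configuration partition, using the documented flag bits, attribute names and EKU OIDs; the template records, the LOW_PRIV_PRINCIPALS set, the CORP-CA name and the enroll / published_on fields (stand-ins for the template ACL and the CA's certificateTemplates list) are constructed assumptions. It also shows the two template-level switches that close the hole.

```python
# Added example, not from the article or the Unit 42 report: evaluate the
# ESC1 preconditions against certificate-template attributes as they are
# stored under CN=Certificate Templates in the Configuration partition.
# Flag bits, attribute names and EKU OIDs are the documented AD CS values;
# the template records below are constructed sample data.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag: CA manager approval

# EKUs that let an issued certificate authenticate to the domain.
AUTH_EKU_OIDS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Assumption: principals whose Enroll right counts as "low-privileged".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

# Constructed templates. 'enroll' stands in for the Enroll/AutoEnroll ACEs on the
# template's security descriptor, 'published_on' for the CAs that list the template.
SAMPLE_TEMPLATES = [
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"],
     "enroll": ["Domain Users"], "published_on": ["CORP-CA"]},
    {"cn": "VPN-Legacy", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CLIENT_AUTH, SERVER_AUTH],
     "enroll": ["Domain Users"], "published_on": ["CORP-CA"]},
    {"cn": "WebServer-Internal", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH],
     "enroll": ["Domain Computers"], "published_on": ["CORP-CA"]},
    {"cn": "AnyPurpose-Unpublished", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [],
     "enroll": ["Authenticated Users"], "published_on": []},
    {"cn": "Admin-Only", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [CLIENT_AUTH],
     "enroll": ["PKI Admins"], "published_on": ["CORP-CA"]},
]


def esc1_check(t: dict) -> dict:
    """Evaluate every ESC1 precondition; the template is exploitable only if all hold."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    low_priv = sorted(set(t.get("enroll", [])) & LOW_PRIV_PRINCIPALS)
    conditions = [
        ("enrollee supplies subject",
         bool(t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)),
        ("manager approval disabled",
         not t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
        ("no authorized signature required", t.get("msPKI-RA-Signature", 0) == 0),
        # An empty EKU list means the certificate is usable for any purpose.
        ("authentication EKU or no EKU", not ekus or bool(ekus & AUTH_EKU_OIDS)),
        ("low-privileged enrollment right", bool(low_priv)),
        ("published on an enterprise CA", bool(t.get("published_on"))),
    ]
    unmet = [name for name, ok in conditions if not ok]
    return {"template": t["cn"], "vulnerable": not unmet, "unmet": unmet, "enrollers": low_priv}


def find_esc1(templates) -> list:
    """Names of the templates that satisfy every ESC1 precondition."""
    return [r["template"] for r in map(esc1_check, templates) if r["vulnerable"]]


def remediate(t: dict) -> dict:
    """Copy of the template with the two template-level ESC1 switches flipped:
    require CA manager approval and stop accepting a requester-supplied subject.
    Clearing ENROLLEE_SUPPLIES_SUBJECT makes the CA build the subject from AD,
    which changes what legitimate enrollees receive; review before applying."""
    fixed = dict(t)
    fixed["msPKI-Enrollment-Flag"] = t.get("msPKI-Enrollment-Flag", 0) | CT_FLAG_PEND_ALL_REQUESTS
    fixed["msPKI-Certificate-Name-Flag"] = (
        t.get("msPKI-Certificate-Name-Flag", 0) & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    return fixed


if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        r = esc1_check(t)
        print(f"{r['template']:24} vulnerable={r['vulnerable']!s:5} unmet={r['unmet']}")
    print("ESC1 templates:", find_esc1(SAMPLE_TEMPLATES))
```

Only VPN-Legacy trips every condition; the other templates each fail exactly one, which is the point of reporting the unmet list rather than a bare verdict: WebServer-Internal has no authentication EKU, AnyPurpose-Unpublished is not offered by any CA, and Admin-Only is enrollable only by a privileged group. In a real environment the attribute values come from an LDAP search of CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,..., and the enrollment rights from the template's security descriptor.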

Shadow credentials and msDS-KeyCredentialLink abuse

Beyond template misuse, Unit 42 highlights shadow credential attacks that leverage Key Trust and the msDS-KeyCredentialLink attribute. An attacker with write access to that attribute on a target account (for example through GenericWrite on the object) adds an attacker-generated public key; the domain controller then accepts PKINIT logons signed with the matching private key, so the attacker obtains Kerberos tickets for the account without knowing its password. Because the key lives in an Active Directory attribute rather than in a CA-issued certificate, it survives password resets and certificate revocation; only clearing the attribute removes it.

A typical adversary playbook shown in the report combines template exploitation (for initial privilege gain) with msDS-KeyCredentialLink registration (for stealthy persistence): escalate using ESC1, gain domain-level control, then register attacker-controlled keys on privileged accounts to maintain long-term, passwordless access.

Tools, actors and observable patterns

Unit 42 catalogues several open-source tools that lower the barrier to AD CS abuse. Certify and Certipy focus on enumeration and exploitation of templates and CAs; PKINITtools requests Kerberos tickets with a certificate; Whisker and pyWhisker write msDS-KeyCredentialLink to plant shadow credentials. Operational use of Certipy has been observed in ransomware intrusions (The DFIR Report documented it in a Fog ransomware case), and a 2025 CISA advisory described Fighting Ursa (Unit 42's name for APT28) using Certipy and ADExplorer to collect AD CS data in a cyberespionage campaign.

These tools produce observable telemetry: repeated LDAP queries for certificate templates and the msDS-KeyCredentialLink attribute, mass enumeration of AD objects, and certificate requests from unexpected accounts. Unit 42 highlights LDAP filters such as objectClass=pKICertificateTemplate and objectCategory=CN=PKI-Enrollment-Service as early warning signals; both target the Public Key Services container in the Configuration partition, which ordinary user accounts have little reason to query directly.

Telemetry and detection: Event IDs and correlation

Effective detection requires correlating multiple event streams rather than flagging single events. Unit 42 recommends monitoring specific Windows events: on the CA, Event ID 4898 (certificate template loaded), 4886 (certificate request received) and 4887 (request approved and certificate issued); on domain controllers, 5136 (directory service object modified, which records msDS-KeyCredentialLink writes when the attribute is covered by an audit ACE) and the Kerberos events 4768 and 4769 (TGT and service ticket requests). A 4768 whose Pre-Authentication Type is 16 (PA-PK-AS-REQ) and whose Certificate Issuer Name and Certificate Serial Number fields are populated is a certificate-based logon. Note that 4886 and 4887 only appear when Certification Services auditing is enabled on the CA, and 5136 requires the Directory Service Changes audit subcategory in addition to the SACL. Dangerous template configuration shows up in the template attributes: msPKI-RA-Signature = 0 (no authorized signature required), CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set in msPKI-Certificate-Name-Flag, and an msPKI-Enrollment-Flag without the CT_FLAG_PEND_ALL_REQUESTS bit (no manager approval), of which a value of 0x0 is the simplest case.

High volumes of LDAP queries, repeated requests for sensitive objects, or queries from accounts that do not normally perform administrative lookups should be treated as suspicious. Correlating LDAP reconnaissance with certificate issuance or msDS-KeyCredentialLink changes is a recommended path to detect ESC-style misuse and shadow credential registration early.
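The correlation described above, as an added example in Python that is not code from the article or from the Unit 42 report: it ties CA issuance events (4887) and msDS-KeyCredentialLink modifications (5136) to a later certificate-based TGT request (4768 with pre-authentication type 16) for the same account. The event records are constructed and already normalised into dicts (field names follow the Windows Security log; a real pipeline would supply them from the CA host and the domain controllers); the CORP domain, host addresses and the KCL_ALLOWED_WRITERS allowlist are assumptions.

```python
# Added example, not from the article or the Unit 42 report: correlate CA
# issuance (4887), directory modification (5136) and Kerberos TGT (4768)
# events to surface ESC1-style issuance and shadow-credential registration
# that is followed by a PKINIT logon. Events are constructed sample records
# normalised into dicts; field names follow the Windows Security log.

PA_PK_AS_REQ = 16      # 4768 Pre-Authentication Type used by PKINIT
PA_ENC_TIMESTAMP = 2   # ordinary password-based pre-authentication
KCL = "msDS-KeyCredentialLink"

# Assumption: service accounts that legitimately write msDS-KeyCredentialLink
# on behalf of other objects (device-registration / provisioning services).
KCL_ALLOWED_WRITERS = {"svc-whfb-prov"}

SAMPLE_EVENTS = [
    # ordinary user enrolling for herself, then a password-based TGT
    {"id": 4886, "ts": 100, "requester": "CORP\\alice", "subject": "CN=alice"},
    {"id": 4887, "ts": 101, "requester": "CORP\\alice", "subject": "CN=alice",
     "template": "User", "request_id": 1041},
    {"id": 4768, "ts": 130, "account": "alice", "preauth_type": PA_ENC_TIMESTAMP,
     "client": "10.0.0.20"},
    # ESC1-style: jdoe obtains a certificate whose subject is Administrator,
    # then a certificate-based TGT for Administrator appears from his host
    {"id": 4886, "ts": 200, "requester": "CORP\\jdoe", "subject": "CN=Administrator"},
    {"id": 4887, "ts": 201, "requester": "CORP\\jdoe", "subject": "CN=Administrator",
     "template": "VPN-Legacy", "request_id": 1042},
    {"id": 4768, "ts": 260, "account": "Administrator", "preauth_type": PA_PK_AS_REQ,
     "client": "10.0.0.55"},
    # shadow credential: jdoe adds a key to a domain controller's object,
    # then authenticates as DC01$ with PKINIT
    {"id": 5136, "ts": 300, "actor": "CORP\\jdoe", "attribute": KCL, "op": "Value Added",
     "object": "CN=DC01,OU=Domain Controllers,DC=corp,DC=local", "class": "computer"},
    {"id": 4768, "ts": 340, "account": "DC01$", "preauth_type": PA_PK_AS_REQ,
     "client": "10.0.0.55"},
    # benign KCL writes: a workstation registering its own key, and the
    # provisioning service account doing so for a user
    {"id": 5136, "ts": 400, "actor": "CORP\\WS02$", "attribute": KCL, "op": "Value Added",
     "object": "CN=WS02,OU=Workstations,DC=corp,DC=local", "class": "computer"},
    {"id": 5136, "ts": 410, "actor": "CORP\\svc-whfb-prov", "attribute": KCL, "op": "Value Added",
     "object": "CN=bob,CN=Users,DC=corp,DC=local", "class": "user"},
]


def sam(principal: str) -> str:
    """'CORP\\jdoe' -> 'jdoe'."""
    return principal.rsplit("\\", 1)[-1]


def target_account(dn: str, obj_class: str) -> str:
    """Map an object DN (or certificate subject) to the account name 4768 would show."""
    rdn = dn.split(",", 1)[0].split("=", 1)[-1]
    return rdn + "$" if obj_class == "computer" else rdn


def issuance_mismatches(events):
    """4887 events whose issued subject names someone other than the requester."""
    return [e for e in events if e["id"] == 4887
            and target_account(e["subject"], "user").lower() != sam(e["requester"]).lower()]


def shadow_credential_writes(events):
    """5136 value-added events on msDS-KeyCredentialLink by an unexpected actor."""
    allowed = {w.lower() for w in KCL_ALLOWED_WRITERS}
    hits = []
    for e in events:
        if e["id"] != 5136 or e["attribute"] != KCL or e["op"] != "Value Added":
            continue
        actor = sam(e["actor"]).lower()
        target = target_account(e["object"], e["class"]).lower()
        if actor == target or actor in allowed:
            continue  # a computer registering its own key, or an allowlisted service
        hits.append(e)
    return hits


def pkinit_tgts(events):
    """4768 events whose pre-authentication was certificate-based."""
    return [e for e in events if e["id"] == 4768 and e.get("preauth_type") == PA_PK_AS_REQ]


def correlate(events, window=3600):
    """Pair each suspicious issuance / KCL write with a later PKINIT TGT for the
    same account within `window` seconds; every pair becomes one alert string."""
    suspects = []
    for e in issuance_mismatches(events):
        suspects.append((e["ts"], target_account(e["subject"], "user"),
                         f"ESC1-style issuance: {e['requester']} obtained request "
                         f"{e['request_id']} ({e['template']}) for {e['subject']}"))
    for e in shadow_credential_writes(events):
        suspects.append((e["ts"], target_account(e["object"], e["class"]),
                         f"shadow credential: {e['actor']} added a key to {KCL} on {e['object']}"))
    alerts = []
    for ts, account, why in sorted(suspects):
        for t in pkinit_tgts(events):
            if t["account"].lower() == account.lower() and ts <= t["ts"] <= ts + window:
                alerts.append(f"{why}; followed by PKINIT TGT for {t['account']} from {t['client']}")
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample data this yields two alerts, both attributable to CORP\jdoe: the certificate issued for Administrator and the key planted on DC01, each followed by a PKINIT TGT from the same client address. The benign records show why the allowlist and the self-write check matter: machines routinely write their own msDS-KeyCredentialLink during device registration, and alerting on every 5136 for the attribute would bury the real signal. Note that a requester/subject mismatch is not itself proof of ESC1 (enrollment agents and some service templates legitimately request on behalf of others), which is why the alert fires only once the certificate is actually used to log on.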

What this means for technologists, security teams, and incident responders

  • Technologists and security teams: Prioritize template configuration hygiene — restrict enrollment rights, require authorized signatures and manager approvals, and avoid ENROLLEE_SUPPLIES_SUBJECT where possible. Enable the specific audit policies and collect the Event IDs Unit 42 lists to build behavioral baselines.
  • Incident responders and enterprise defenders: Monitor LDAP query patterns and correlate certificate events with directory modifications and Kerberos activity. Unit 42 recommends treating unexpected msDS-KeyCredentialLink changes as high priority, and notes that Unit 42 Incident Response can be contacted for urgent matters.
  • Procurement and security operations leaders: Consider identity-aware telemetry and behavioral detection tools — Unit 42 cites Cortex XDR, XSIAM, Cortex UEBA and Cortex Cloud Identity Security as products designed to provide visibility and behavioral analytics for these attack paths.

AD CS misuse turns expected identity services into a vector for stealthy, high-value compromise. The path from a single low-privileged account to long-lived domain access frequently follows a predictable pattern: enumerate templates, exploit misconfigurations, authenticate via PKINIT, and cement persistence with shadow credentials. The detection answer in Unit 42’s analysis is not a single signature but disciplined configuration, comprehensive telemetry and correlation across LDAP, certificate and Kerberos activity. If you believe you have been compromised, Unit 42 recommends contacting its Incident Response team; their report includes regional contact numbers and guidance.

Read the original Unit 42 report