Microsoft’s Active Directory Certificate Services (AD CS) provides essential PKI functionality for domain authentication and encryption, but it has also become a primary target for threat actors seeking privilege escalation and persistence.
We are sharing this comprehensive white paper from Mandiant Consulting to help you navigate the evolving landscape of AD CS abuse. Whether you are a defender hunting for misconfigurations or an architect preparing for Microsoft's upcoming enforcement changes, this guide provides the technical specificity required to secure your infrastructure.
What You Will Learn: This white paper moves beyond basic hardening to address complex, post-compromise scenarios and recent patch impacts, including:
- Modern Abuse Vectors: Detailed breakdowns of "Golden Certificate" attacks, NTLM relay attacks via web enrollment, and privilege escalation using Subject Alternative Name (SAN) abuse.
- The Impact of KB5014754: A technical explanation of how the May 2022 update shifted certificate mapping from "Weak" to "Strong," and how to navigate "Compatibility Mode" versus the upcoming "Full Enforcement Mode" (scheduled for February 2025).
- Hunting & Visibility: Specific guidance on using Windows Event IDs (such as 39, 41, and 4887) to detect mismatched SIDs and potential exploitation attempts of CVE-2022-26923.
- Remediation Scripts: Access to custom PowerShell scripts designed to query AD CS servers, identify misconfigured templates, and export issued certificates to audit for requester/SAN mismatches.
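As an added, defender-side illustration of the two audit tasks the bullets describe (this is example code written for this page, not the white paper's scripts or any Mandiant tooling), the PowerShell below first enumerates certificate templates from the Configuration partition and flags those where an enrollee may supply the subject for an authentication-capable certificate with no manager approval and no authorized signature, then reads Event ID 4887 (certificate issued) and reports requests whose SAN UPN does not match the requesting account. It assumes the RSAT ActiveDirectory module, read access to the Configuration naming context, and that it runs on (or with remote access to) the CA's Security log; the flag constants are the documented msPKI-* template bits, while the 4887 EventData field names (RequestId, Requester, Attributes) and the "upn=" attribute format are assumptions to confirm against your own CA's events.

```powershell
# Added example (not the white paper's script). Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Template flag bits (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # requester chooses subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # CA manager approval required

# EKU OIDs that allow the issued certificate to be used for domain logon
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

function Get-RiskyCertTemplate {
    # Templates live in the Configuration NC, shared by the whole forest
    $configNC     = (Get-ADRootDSE).configurationNamingContext
    $templatePath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
             'msPKI-RA-Signature', 'pKIExtendedKeyUsage'

    Get-ADObject -SearchBase $templatePath -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties $props |
    ForEach-Object {
        $nameFlag   = [int]$_.'msPKI-Certificate-Name-Flag'
        $enrollFlag = [int]$_.'msPKI-Enrollment-Flag'
        $raSigs     = [int]$_.'msPKI-RA-Signature'
        $ekus       = @($_.pKIExtendedKeyUsage)

        $supplySubject   = ($nameFlag   -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $managerApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # An empty EKU list means "valid for any purpose", which includes authentication
        $authEku = ($ekus.Count -eq 0) -or
                   (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

        if ($supplySubject -and $authEku -and -not $managerApproval -and $raSigs -eq 0) {
            [pscustomobject]@{
                Template                = $_.Name
                EnrolleeSuppliesSubject = $supplySubject
                AuthenticationEKU       = $authEku
                ManagerApproval         = $managerApproval
                RASignaturesRequired    = $raSigs
            }
        }
    }
}

function Get-IssuedCertSanMismatch {
    # Event 4887 = "Certificate Services approved a certificate request and issued a certificate".
    # Assumption: EventData carries RequestId, Requester (DOMAIN\account) and Attributes,
    # and a caller-supplied SAN appears in Attributes as "SAN:upn=<name>@<domain>".
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4887 } -ErrorAction Stop |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $requester = ($data['Requester'] -split '\\')[-1]
        if ($data['Attributes'] -match 'upn=([^,&\s]+)') {
            $sanUpn = $Matches[1]
            # Flag any issued certificate whose SAN names a different account than the requester
            if ($sanUpn.Split('@')[0] -ne $requester) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    RequestId   = $data['RequestId']
                    Requester   = $data['Requester']
                    SanUpn      = $sanUpn
                }
            }
        }
    }
}

# Usage:
#   Get-RiskyCertTemplate | Format-Table
#   Get-IssuedCertSanMismatch | Export-Csv .\san-mismatch.csv -NoTypeInformation
```

The template check deliberately ignores who holds enrollment rights; a template that trips these flags but is enrollable only by Tier 0 administrators is a far smaller risk than one enrollable by Domain Users, so the next step is to join this output against each template's enrollment ACL. The event parser only catches SANs passed as request attributes; certificates where the SAN came from the CSR itself need the issued-certificate export the white paper describes (for example with certutil -view) so the SAN extension can be compared against the requester.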
Download the Full White Paper
Secure your Tier 0 assets and prepare your environment for full enforcement mode. Download the full guide, "Active Directory Certificate Services: Modern Attack Paths, Mitigations, and Hardening," for a complete list of hardening recommendations and detection strategies.