AD CS Exploitation via Template Misconfigurations and Shadow Credentials
Unit 42 analysis of active AD CS abuse techniques reveals attackers leverage misconfigured certificate templates and shadow credentials to escalate from low-privileged accounts to domain dominance without malware.
Attack Brief
Target: Active Directory Certificate Services (AD CS); Windows enterprise infrastructure
Vector: Misconfigured certificate templates; shadow credential abuse; certificate template enrollment permission misuse
Attribution: Fighting Ursa; financially motivated ransomware groups; state-sponsored actors
Technical Details
CVE IDs: CVE-2022-26923 (Active Directory Domain Services elevation of privilege, also known as Certifried)
MITRE ATT&CK: T1187 (Forced Authentication); T1556 (Modify Authentication Process); T1098 (Account Manipulation)
IoCs: update6.exe
Affected: AD CS default and legacy configurations; certificate templates with overly permissive enrollment rights
Impact
Sectors: Enterprise infrastructure
Confirmed Damage: Privilege escalation from low-privileged accounts to domain dominance; unauthorized identity impersonation; persistence establishment
Mitigation
Detection: Behavioral analytics via Cortex User Entity Behavior Analytics (UEBA); event log correlation for certificate issuance anomalies; detection of mismatches between the requesting machine and the identity in the issued certificate; Cortex Cloud Identity Security monitoring
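The two detection ideas above (a mismatch between the requesting principal and the identity in the issued certificate, and a write to msDS-KeyCredentialLink that establishes a shadow credential) can be expressed as a small correlation rule. The following is an added example, not code from Unit 42 or from Cortex; the event records are constructed, and their field layout is an assumption: a simplified Security event 4887 (certificate issued) that carries the requested SAN in its Attributes field, and a Security event 5136 (directory object modified) with SubjectUserName, ObjectDN and AttributeLDAPDisplayName.

```python
"""Flag AD CS identity mismatches and shadow-credential writes in (constructed) Windows event records.

Added example; the event dictionaries below are constructed samples, not real logs,
and the field names are an assumed simplification of Security events 4887 and 5136.
"""
import re
from typing import List, Optional

CERT_ISSUED = 4887          # Certificate Services approved a request and issued a certificate
DS_OBJECT_MODIFIED = 5136   # A directory service object was modified
KEY_CREDENTIAL_LINK = "msDS-KeyCredentialLink"  # attribute abused for shadow credentials

# Constructed sample events. Two are benign (a machine enrolling for itself,
# a machine writing its own key credential); three model the abuse patterns.
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "CORP\\WS01$", "Subject": "CN=ws01.corp.local",
     "Attributes": "SAN:dns=ws01.corp.local", "Template": "Machine"},
    # Certifried-style: a workstation account obtains a certificate naming the DC
    {"EventID": 4887, "Requester": "CORP\\WS02$", "Subject": "CN=dc01.corp.local",
     "Attributes": "SAN:dns=dc01.corp.local", "Template": "Machine"},
    # Template misconfiguration: a user supplies a SAN for a privileged account
    {"EventID": 4887, "Requester": "CORP\\jdoe", "Subject": "CN=Administrator",
     "Attributes": "SAN:upn=administrator@corp.local", "Template": "VulnUserTemplate"},
    # Shadow credential: a user writes msDS-KeyCredentialLink on someone else's computer object
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=WS02,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
]


def _short_name(principal: str) -> str:
    """'CORP\\WS01$' -> 'ws01$'; 'jdoe' -> 'jdoe'."""
    return principal.split("\\")[-1].lower()


def _san_identity(attributes: str) -> Optional[str]:
    """Identity asserted in the SAN: host label for dns=, local part for upn=."""
    m = re.search(r"(dns|upn)=([^,;\s]+)", attributes, re.IGNORECASE)
    if not m:
        return None
    kind, value = m.group(1).lower(), m.group(2).lower()
    return value.split(".")[0] if kind == "dns" else value.split("@")[0]


def check_issued_certificate(ev: dict) -> Optional[str]:
    """Alert when the SAN identity differs from the account that requested the certificate."""
    requester = _short_name(ev["Requester"]).rstrip("$")  # WS01$ enrolls for host ws01
    asserted = _san_identity(ev.get("Attributes", ""))
    if asserted is None or asserted == requester:
        return None
    return (f"4887: {ev['Requester']} obtained a certificate asserting '{asserted}' "
            f"via template {ev.get('Template', '?')}")


def check_key_credential_write(ev: dict) -> Optional[str]:
    """Alert when msDS-KeyCredentialLink is written by a principal other than the object itself."""
    if ev.get("AttributeLDAPDisplayName") != KEY_CREDENTIAL_LINK:
        return None
    writer = _short_name(ev["SubjectUserName"]).rstrip("$")
    m = re.match(r"CN=([^,]+)", ev["ObjectDN"], re.IGNORECASE)
    target = m.group(1).lower() if m else ""
    if writer == target:
        return None  # a device writing its own key credential (e.g. Windows Hello) is expected
    return (f"5136: {ev['SubjectUserName']} wrote {KEY_CREDENTIAL_LINK} on "
            f"{ev['ObjectDN']} ({ev.get('OperationType')})")


def find_identity_mismatches(events: List[dict]) -> List[str]:
    """Run both checks over a batch of events and return the alerts in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == CERT_ISSUED:
            alert = check_issued_certificate(ev)
        elif ev.get("EventID") == DS_OBJECT_MODIFIED:
            alert = check_key_credential_write(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in find_identity_mismatches(SAMPLE_EVENTS):
        print(line)
```

Two caveats for a real deployment: a 4887 event does not always carry the SAN, so the issued certificate's subject and SAN usually have to be pulled from the CA database (certutil -view) or the certificate itself and joined on the Request ID; and 5136 only fires for msDS-KeyCredentialLink if a SACL auditing writes to that attribute has been applied to the computer and user objects. Legitimate writers other than the object itself (device registration services, for instance) should be allow-listed rather than silencing the rule.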
Context
Previous Campaigns: August 2024 Rapid7-reported social engineering campaign exploiting CVE-2022-26923 via update6.exe execution