Even after 25 years, Active Directory is still a prime target for attacks. Just last month, Microsoft issued a security advisory about a new vulnerability in Active Directory Certificate Services (AD CS) that could allow attackers to perform denial-of-service (DoS) attacks over a network.
DoS attacks are only one part of the picture, as AD CS can also be exploited for more covert threats, where certificate activity appears normal but bypasses typical detection rules.
SecureFlag has launched a new learning path for SOC analysts, “Attack Analysis Against Active Directory Certificate Services,” designed to help detect and mitigate these types of attacks.
Active Directory (AD) is Microsoft’s directory service that manages users, groups, computers, and access control across a domain. It’s what makes centralized identity management possible, and it’s used by nearly every large organization that runs on Windows.
When logging into a company computer, accessing a shared folder, or opening an internal app, AD is usually working quietly in the background.
A typical AD setup includes:
Domain Controllers (DCs): The servers that authenticate users and enforce security policies.
Organizational Units (OUs): Logical folders used to organize users and devices.
Group Policy Objects (GPOs): Rules pushed out to machines and accounts to control settings and behavior.
Kerberos: The default authentication protocol for AD domains (NTLM remains available as a fallback, which matters for the relay attacks discussed below).
If attackers gain control over AD, they can move freely across the network, escalate privileges, and steal sensitive information. So, it’s no surprise that AD is often a prime target in enterprise breaches.
Active Directory Certificate Services extends AD by adding Public Key Infrastructure (PKI) capabilities. Organizations can issue and manage certificates used for authentication, encryption, and digital signatures.
Certificates issued by AD CS are used for:
Smart card logins
Client/server authentication
Email encryption
VPN access
BitLocker encryption
Code signing
Since AD CS controls who gets certificates and under what circumstances, a mistake in the configuration can lead to serious security issues. Misconfigured certificate templates (for example, a template that lets the enrollee supply their own subject name while also allowing client authentication), overly permissive enrollment permissions, and enrollment endpoints that accept NTLM authentication can all be exploited by attackers.
A few weeks ago, an attack targeting a known flaw in AD showed how unpatched systems remain vulnerable to complete domain takeover.
With certificate-based authentication (PKINIT for Kerberos, or Schannel for TLS), instead of using just a password, a user or system presents a digital certificate and proves possession of the matching private key.
The problem is that domain controllers trust any authentication certificate issued by an enterprise CA in the domain. If an attacker can trick AD CS into issuing a certificate to them, even starting from a low-privilege account, they can authenticate to domain resources in a way that looks like an ordinary logon. And if the certificate names a privileged user, things go very wrong.
Once an attacker gets their hands on a certificate, they can:
Log in as another user (even admins).
Persist in the network for an extended time: a certificate stays valid until it expires (often a year or more) and is not invalidated by a password change.
Bypass MFA, since a certificate logon is often treated as sufficient proof of identity on its own.
Different attack examples, as seen in the “Certified Pre-Owned” research by Lee Christensen and Will Schroeder, show just how dangerous this can be.
Too often, certificate services are set up once and forgotten. But attackers haven’t forgotten them; they’re actively looking for misconfigurations to exploit. And because these attacks blend in with regular activity, they’re hard to detect without proper knowledge and skills.
Our new learning path helps participants understand how these attacks work, how to detect them, and how to reduce the risk through proper configuration and monitoring.
We start by covering the fundamentals of AD CS, and our hands-on labs provide training covering topics like:
Escalating privileges: See how attackers can abuse AD CS to request certificates that let them act as domain admins.
NTLM relay attacks: Learn how attackers coerce a machine (such as a domain controller) into authenticating with NTLM and relay that authentication to an AD CS enrollment endpoint that accepts it, obtaining a certificate for the relayed account without ever knowing a password.
Kerberos relay attacks: Learn how Kerberos authentication can likewise be relayed to AD CS enrollment endpoints, and how the resulting certificates are used to impersonate accounts and move laterally.
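The common thread in the escalation and relay scenarios above is that AD CS issues a certificate naming an account other than the one that requested it. The following is an added example, not part of the SecureFlag learning path or any Microsoft tooling, of the kind of detection a SOC analyst can run over CA audit records: it flags issued certificates (event 4887, "Certificate Services approved a certificate request and issued a certificate") whose SAN request attribute carries a UPN that does not match the Requester, and raises the severity when the UPN belongs to a privileged account. The event records, the CORP / corp.local domain, the template names and the request IDs are all constructed for the example. Two caveats: the CA only logs 4886/4887 if "Issue and manage certificate requests" auditing is enabled on the CA and the Certification Services object-access audit policy is on; and 4887 carries a SAN only when it was supplied as a request attribute (the EDITF_ATTRIBUTESUBJECTALTNAME2 case), so for templates where the enrollee embeds the SAN in the CSR itself the same comparison has to be run over the issued certificates in the CA database (certutil -view) rather than over the event log.

```python
from dataclasses import dataclass

# Accounts whose UPN in a SAN should always escalate the alert. Constructed
# list; in practice derive it from the domain's privileged groups.
PRIVILEGED_ACCOUNTS = {"administrator", "krbtgt"}

# Constructed sample records mimicking the Requester / Attributes / Subject
# fields of CA audit events 4886 (request received) and 4887 (certificate
# issued). Domain, templates and request IDs are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4886, "RequestId": "1041", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4887, "RequestId": "1041", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User",
     "Subject": "CN=jdoe,OU=Users,DC=corp,DC=local"},
    # Benign: the SAN names the requester themselves.
    {"EventID": 4887, "RequestId": "1042", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VPNUser\nSAN:upn=jdoe@corp.local",
     "Subject": "CN=jdoe"},
    # Suspicious: a low-privilege user obtains a certificate naming the
    # domain Administrator, the pattern behind template-abuse escalation.
    {"EventID": 4887, "RequestId": "1043", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VPNUser\nSAN:upn=administrator@corp.local",
     "Subject": "CN=jdoe"},
    # Suspicious but lower severity: the SAN names a non-privileged account.
    {"EventID": 4887, "RequestId": "1044", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:VPNUser\nSAN:upn=svc_backup@corp.local&dns=ws01.corp.local",
     "Subject": "CN=jdoe"},
]


@dataclass
class Alert:
    request_id: str
    requester: str
    template: str
    san_upn: str
    severity: str


def parse_attributes(attributes: str) -> dict:
    """Split the multi-line 'Name:Value' Attributes field into a dict (keys lower-cased)."""
    parsed = {}
    for line in attributes.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            parsed[name.strip().lower()] = value.strip()
    return parsed


def san_upns(san_value: str) -> list:
    """Extract the UPN entries from a SAN request attribute such as
    'upn=admin@corp.local&dns=host.corp.local' (other name types are ignored)."""
    upns = []
    for part in san_value.split("&"):
        kind, sep, value = part.partition("=")
        if sep and kind.strip().lower() == "upn":
            upns.append(value.strip().lower())
    return upns


def account_name(principal: str) -> str:
    """Normalise 'CORP\\jdoe', 'jdoe@corp.local' or 'jdoe' to 'jdoe'."""
    return principal.split("\\")[-1].split("@")[0].lower()


def detect_san_mismatch(events) -> list:
    """Return an Alert for every issued certificate whose SAN UPN names a
    different account than the requester; privileged targets are critical."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4887:  # only certificates that were actually issued
            continue
        attrs = parse_attributes(ev.get("Attributes", ""))
        if "san" not in attrs:
            continue
        requester = account_name(ev["Requester"])
        for upn in san_upns(attrs["san"]):
            target = account_name(upn)
            if target == requester:
                continue
            severity = "critical" if target in PRIVILEGED_ACCOUNTS else "high"
            alerts.append(Alert(ev["RequestId"], ev["Requester"],
                                attrs.get("certificatetemplate", "?"), upn, severity))
    return alerts


if __name__ == "__main__":
    for a in detect_san_mismatch(SAMPLE_EVENTS):
        print(f"[{a.severity}] request {a.request_id}: {a.requester} "
              f"obtained a {a.template} certificate for {a.san_upn}")
```

Run as-is it reports requests 1043 (critical) and 1044 (high) and stays silent on the benign records. A mismatch is only one indicator; in the relay scenarios the requester is often the relayed machine account itself, so that case is better caught by alerting on any enrollment from a machine account that arrives through the web enrollment endpoint, or by correlating the request with the IIS log of the CA web server.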
SecureFlag changes AD CS attack analysis from theory into action. This learning path helps SOC teams develop practical skills to detect, investigate, and respond to certificate-based threats that often go undetected.