unit42.paloaltonetworks.com · 5/11/2026, 10:30:37 PM

AD CS Abuse via CVE-2022-26923 Drives Privilege Escalation Wave

Evidence panel: source marked as original reporting; listed in CISA KEV; patch available.

Active Directory Certificate Services (AD CS) sits at the heart of Windows PKI but is frequently misconfigured, creating high-risk surfaces for privilege escalation and impersonation in modern networks. Unit 42 notes that attacks rely less on zero-days or malware and more on misused certificate issuance, certificate templates and shadow credentials to persist and impersonate privileged accounts, with open-source tools such as Certify and Certipy enabling enumeration and exploitation of templates.

The article details ESC1 as a common escalation path: a misconfigured template combined with overly broad enrollment rights lets low-privileged users obtain certificates for high-privileged accounts. This is often evidenced by Certipy output and by template flags such as ENROLLEE_SUPPLIES_SUBJECT, which lets the requester choose the subject name in the certificate.

It also explains how shadow credentials exploit Key Trust and PKINIT to obtain Kerberos tickets, enabling passwordless persistence, and highlights a growing toolkit ecosystem around PKINIT, certificate templates and certificate‑based authentication.
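Key Trust works by storing a public key on the target account in the msDS-KeyCredentialLink attribute; whoever can write that attribute can later authenticate as the account via PKINIT without knowing its password. A practical defensive step is to baseline which accounts carry such entries so new ones stand out. The script below is an added example, not code from the Unit 42 article; the export path is an assumption.

```powershell
# Added baseline script (not from the Unit 42 article): enumerate accounts that
# carry Key Trust entries so unexpected additions stand out. Needs the RSAT
# ActiveDirectory module; run from a domain-joined host.
Import-Module ActiveDirectory

# Presence filter: any object whose msDS-KeyCredentialLink attribute is populated.
$objects = Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' `
    -Properties 'msDS-KeyCredentialLink', 'whenChanged', 'objectClass'

$report = foreach ($o in $objects) {
    [pscustomobject]@{
        Name        = $o.Name
        Class       = $o.objectClass
        KeyEntries  = @($o.'msDS-KeyCredentialLink').Count
        WhenChanged = $o.whenChanged
    }
}

# Recently modified objects first; export for diffing against the previous run
# (the output path is an assumption, adjust to taste).
$report | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ".\keytrust-baseline-$(Get-Date -Format yyyyMMdd).csv"
```

Windows Hello for Business and hybrid-joined devices populate this attribute legitimately, so the value of the report is in the diff between runs, not the raw list: a user account that gains a key entry where Windows Hello is not deployed, or a server account that suddenly carries one, is worth a closer look. Pairing the baseline with Directory Service Changes auditing (event 5136 on writes to msDS-KeyCredentialLink) gives the event-level signal the article recommends monitoring for.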

The piece cites a 2024 Rapid7 social‑engineering campaign exploiting CVE-2022-26923 and notes a 2025 advisory attributing activity to Fighting Ursa, underscoring the ongoing risk and detection challenges beyond traditional malware signatures, while recommending event monitoring and behavioural analytics such as Cortex XDR/XSIAM UEBA to detect AD CS abuse.


Article by CyberSIXT