ADCS Dangerous Misconfigurations

critical

Description

Misconfigurations of Active Directory Certificate Services (AD CS) PKI objects in Active Directory can allow a standard account to elevate to administrator privileges, and can also enable persistence (using the "Golden Certificate" technique).

Solution

Certain ADCS PKI parameters can significantly affect the security of the entire Active Directory and therefore require careful configuration.

See Also

Microsoft ADCS - Abusing PKI in Active Directory Environment

Certified Pre-Owned

Indicator Details

Name: ADCS Dangerous Misconfigurations

Codename: C-PKI-DANG-ACCESS

Severity: Critical

MITRE ATT&CK Information:

Attacker Known Tools

Certify

Certipy

ForgeCert