Mapped Certificates on Accounts


Description

Microsoft provides a feature called security identity mapping, which attaches a certificate to an account or a group (the altSecurityIdentities attribute). The mapped certificate can then serve as alternate credentials for authenticating to resources in certain scenarios. However, a certificate mapped on a privileged account, or a weak mapping format, can be dangerous: it may indicate a persistence mechanism that an attacker previously set up.

Solution

Whenever an alternate security identity is set on a privileged Active Directory account, evaluate it to decide whether or not to accept the risk of elevation of privileges. When in doubt, you can safely remove it. Remove weak certificate mappings, because they are vulnerable and have been unsupported since February 2025 (KB5014754).

Note: This feature does not relate to the use of smart cards, which remain a strong authentication option when properly configured.
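The following audit script is an added example, not part of the original indicator or of Tenable's own tooling. It lists every AD object carrying an altSecurityIdentities value, classifies each mapping as strong or weak using the mapping formats defined in KB5014754, and flags the privileged accounts (assumed here to be those with adminCount set). It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example (not from the original page): audit altSecurityIdentities mappings
# and classify each one as strong or weak per KB5014754.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-CertMappingStrength {
    param([string]$Mapping)
    # Strong formats bind the mapping to the certificate's serial, SKI or public key.
    if ($Mapping -match '^X509:<I>.+<SR>.+$')    { return 'Strong (Issuer+SerialNumber)' }
    if ($Mapping -match '^X509:<SKI>.+$')        { return 'Strong (SubjectKeyIdentifier)' }
    if ($Mapping -match '^X509:<SHA1-PUKEY>.+$') { return 'Strong (SHA1-PublicKey)' }
    # Weak formats rely only on names, which any certificate with the same
    # subject/email can satisfy; these are the mappings to remove.
    if ($Mapping -match '^X509:<I>.+<S>.+$')     { return 'Weak (Issuer+Subject)' }
    if ($Mapping -match '^X509:<S>.+$')          { return 'Weak (Subject only)' }
    if ($Mapping -match '^X509:<RFC822>.+$')     { return 'Weak (RFC822 email)' }
    return 'Unknown format'
}

# Every object (user, computer or group) that has at least one mapping set.
$objects = Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' `
    -Properties altSecurityIdentities, adminCount, sAMAccountName, objectClass

$report = foreach ($obj in $objects) {
    foreach ($map in $obj.altSecurityIdentities) {
        [pscustomobject]@{
            Account    = $obj.sAMAccountName
            Class      = $obj.objectClass
            # Assumption: adminCount=1 marks members of protected (privileged) groups.
            Privileged = [bool]$obj.adminCount
            Strength   = Get-CertMappingStrength $map
            Mapping    = $map
        }
    }
}

# Privileged accounts and weak mappings first: these are the ones to evaluate or remove.
$report | Sort-Object Privileged, Strength -Descending | Format-Table -AutoSize
```

Review each line with Privileged = True regardless of strength, and remove the weak mappings with `Set-ADObject -Remove @{altSecurityIdentities = $map}` once the owner of the account has confirmed they are not needed.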

See Also

Map a certificate to a user account

Mapping certificates to user accounts

Mapping a client certificate to an AD domain account using clientCertificateMappingAuthentication

KB5014754: Certificate-based authentication changes on Windows domain controllers

ADCS ESC14 Abuse Technique

Indicator Details

Name: Mapped Certificates on Accounts

Codename: C-SENSITIVE-CERTIFICATES-ON-USER

Severity: Critical

Type: Active Directory Indicator of Exposure

MITRE ATT&CK Information:

Attacker Known Tools

Gentil Kiwi: Kekeo

GhostPack: Certify