Microsoft Active Directory provides a feature called security identity mapping (shown as Name Mappings in Active Directory Users and Computers), which ties an X.509 certificate to an account or group object by storing the mapping in its altSecurityIdentities attribute. In certain scenarios, such as certificate-based logon, that certificate can then serve as an alternate credential for the account.
A certificate mapped to a privileged account is dangerous when the certificate and its private key are not protected as strongly as the account itself: whoever holds the private key can authenticate as that account. Such a mapping can also be a persistence mechanism left behind by an attacker who previously compromised the account.
Whenever an alternate security identity is set on a privileged Active Directory account, review it and decide whether to accept the resulting risk of privilege escalation. When in doubt, remove the mapping; clearing it only disables the certificate-based path through that mapping and does not affect the account's password or other logon methods.
Note: This indicator is not an argument against smart cards, which remain a strong authentication option when properly configured.
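The following PowerShell script is an added example and is not part of the original indicator page or its vendor's tooling. It enumerates every directory object that carries an altSecurityIdentities mapping, flags the ones that are privileged (adminCount set, or member of a privileged group), and marks mappings in the forms Microsoft documents as weak in KB5014754. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and that the list of privileged groups below is adjusted to the environment; the remediation line at the end is left commented so nothing is changed before review.

```powershell
# Added example, not from the original page: find certificate mappings on
# privileged AD accounts. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups whose members are treated as privileged (assumption; adjust to your domain).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

# Resolve the distinguished names of all (recursive) members of those groups.
$privilegedDns = foreach ($group in $privilegedGroups) {
    try {
        (Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop).DistinguishedName
    } catch {
        Write-Warning "Could not expand group '$group': $($_.Exception.Message)"
    }
}

# Every object with at least one explicit certificate mapping.
$mapped = Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' `
    -Properties altSecurityIdentities, adminCount, objectClass

$report = foreach ($obj in $mapped) {
    foreach ($mapping in $obj.altSecurityIdentities) {
        # KB5014754 treats X509:<I>issuer<SR>serial, X509:<SKI>... and
        # X509:<SHA1-PUKEY>... as strong; subject-only, issuer+subject and
        # RFC822 mappings are weak and can be satisfied by a re-issued certificate.
        $strong = ($mapping -match '^X509:<(SKI|SHA1-PUKEY)>') -or
                  ($mapping -match '^X509:<I>.*<SR>')
        [pscustomobject]@{
            Name        = $obj.Name
            ObjectClass = $obj.ObjectClass
            Privileged  = ($obj.adminCount -eq 1) -or ($privilegedDns -contains $obj.DistinguishedName)
            Mapping     = $mapping
            WeakMapping = -not $strong
        }
    }
}

# Privileged accounts first; these are the ones the indicator is about.
$report | Sort-Object Privileged, WeakMapping -Descending | Format-Table -AutoSize

# Remediation after review: clear the mapping on a privileged account.
# Only certificate authentication through this mapping is affected.
# Set-ADObject -Identity '<DistinguishedName of the account>' -Clear altSecurityIdentities
```

Run it from a workstation joined to the domain; objects that show Privileged = True should be reviewed one by one, and any mapping that cannot be explained by a documented smart-card or certificate-logon setup is a candidate for removal with the commented Set-ADObject call.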
Name: Mapped Certificates on Accounts
Codename: C-SENSITIVE-CERTIFICATES-ON-USER
Severity: Critical
Resources:
Microsoft: Map a certificate to a user account
Microsoft: Mapping certificates to user accounts
Microsoft: Mapping a client certificate to an AD domain account using clientCertificateMappingAuthentication
Gentil Kiwi: Kekeo