DETECTION OVERVIEW
Risk Factors
Attack tools facilitate Active Directory (AD) reconnaissance by running scripts that enumerate Certificate Templates. The technique requires the attacker to already hold domain credentials, and it applies only in environments where AD Certificate Services (AD CS) is deployed, so it is seen less often than other enumeration techniques. An attacker who discovers a misconfigured Certificate Template can exploit it to gain elevated privileges.
AD CS is a Windows Server role that acts as a Certificate Authority (CA) for issuing, managing, and revoking certificates. Certificate Templates are the rules and settings AD CS follows to determine who may enroll for a certificate, what the certificate may be used for (for example, client authentication), and what the requester is allowed to specify in it.
Misconfigurations in Certificate Templates allow a low-privileged user to escalate privileges, typically by obtaining a certificate that authenticates as a more privileged account. Enumeration lets an attacker identify which templates are available to them and which are vulnerable to exploitation.
An attacker runs scripts from tools such as Certipy and Metasploit that send an LDAP searchRequest against the Configuration naming context to query all template objects (objectClass pKICertificateTemplate). The request typically includes filters and asks for specific attributes, such as msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage, and nTSecurityDescriptor, whose values reveal whether a template is misconfigured: for example, whether the requester may supply their own subject name and which principals hold enrollment rights. After enumerating these template details, the attacker requests a certificate from a vulnerable template and uses it to authenticate as a privileged account, gaining greater access to the AD domain.
Review Certificate Template attributes, in particular enrollment rights and the flags that control who may define the subject name and whether manager approval is required, and correct any template that grants more than intended.
Because securing LDAP servers is difficult without impairing legitimate functionality, monitor for unusual LDAP activity and investigate it quickly to minimize potential damage.
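As an added example (not code from the original page, nor from Certipy or Metasploit), the following Python shows both halves of the detection described above: it flags LDAP searches that match the template-enumeration pattern, and it decodes the template attributes a reviewer would check into the conditions that make a template exploitable. It goes slightly beyond the page by treating every authentication-capable EKU (Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all) as relevant rather than only Client Authentication. The log records are constructed to resemble fields extracted from LDAP search logging or a network capture; the field names, client addresses, and domain DNs are assumptions of this example.

```python
"""Detect AD CS certificate-template enumeration and decode template flags.

Added example, not code from the original page. The LdapSearch records
below are constructed to resemble fields pulled from LDAP search logging
or a packet capture; their field names and sample values are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Container in the Configuration NC that holds every template in the forest.
TEMPLATE_CONTAINER = (
    "cn=certificate templates,cn=public key services,cn=services,cn=configuration"
)

# Attributes an attacker needs in order to judge whether a template is exploitable.
SENSITIVE_ATTRS = {
    "mspki-certificate-name-flag",           # may the enrollee supply the subject/SAN?
    "mspki-enrollment-flag",                 # manager approval and similar controls
    "pkiextendedkeyusage",                   # EKUs the issued certificate carries
    "mspki-certificate-application-policy",  # application policies (also EKU-like)
    "mspki-ra-signature",                    # number of authorized signatures required
    "ntsecuritydescriptor",                  # who holds Enroll / Write rights
}

# Bit values from msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that allow the resulting certificate to be used for authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}


@dataclass
class LdapSearch:
    client: str                      # source of the searchRequest
    base_dn: str                     # search base
    filter: str                      # LDAP filter string
    attributes: list[str] = field(default_factory=list)  # requested attributes


def targets_templates(search: LdapSearch) -> bool:
    """True if the search is aimed at pKICertificateTemplate objects."""
    base = search.base_dn.lower()
    flt = search.filter.lower().replace(" ", "")
    return TEMPLATE_CONTAINER in base or "objectclass=pkicertificatetemplate" in flt


def sensitive_attrs_requested(search: LdapSearch) -> list[str]:
    """Sensitive template attributes the search asked for, normalized and sorted."""
    return sorted(SENSITIVE_ATTRS & {a.lower() for a in search.attributes})


def detect_template_enumeration(searches: list[LdapSearch]) -> list[dict]:
    """One finding per search that targets templates AND reads sensitive attributes."""
    findings = []
    for s in searches:
        if not targets_templates(s):
            continue
        attrs = sensitive_attrs_requested(s)
        if attrs:
            findings.append({"client": s.client, "attributes": attrs})
    return findings


def esc1_indicators(name_flag: int, enrollment_flag: int,
                    ekus: list[str], ra_signatures: int = 0) -> dict:
    """Decode template attribute values into the conditions that enable ESC1.

    Enrollment rights live in nTSecurityDescriptor and are not decoded here;
    a template is only exploitable if a low-privileged principal can enroll.
    """
    return {
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "manager_approval_required": bool(enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "auth_capable_eku": not ekus or bool(AUTH_EKUS & set(ekus)),
        "authorized_signatures_required": ra_signatures > 0,
    }


def is_esc1_candidate(ind: dict) -> bool:
    """ESC1 shape: requester picks the subject, cert can authenticate, no approval gate."""
    return (ind["enrollee_supplies_subject"] and ind["auth_capable_eku"]
            and not ind["manager_approval_required"]
            and not ind["authorized_signatures_required"])


# Constructed sample records (assumed field values, not real log data).
SAMPLE_SEARCHES = [
    # Certipy-style enumeration: whole Configuration NC, template objectClass,
    # and exactly the attributes needed to spot a misconfiguration.
    LdapSearch("10.0.5.23", "CN=Configuration,DC=corp,DC=example",
               "(objectClass=pKICertificateTemplate)",
               ["cn", "msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
                "pKIExtendedKeyUsage", "nTSecurityDescriptor"]),
    # Ordinary user lookup: not template related.
    LdapSearch("10.0.5.23", "DC=corp,DC=example",
               "(&(objectClass=user)(sAMAccountName=jsmith))", ["memberOf"]),
    # Template container listed, but only display names read: no finding.
    LdapSearch("10.0.7.41",
               "CN=Certificate Templates,CN=Public Key Services,CN=Services,"
               "CN=Configuration,DC=corp,DC=example",
               "(objectClass=*)", ["cn", "displayName"]),
]


def run_sample() -> list[dict]:
    """Run the detector over the constructed records."""
    return detect_template_enumeration(SAMPLE_SEARCHES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['client']} enumerated templates, reading {', '.join(f['attributes'])}")
    print(is_esc1_candidate(esc1_indicators(0x1, 0x0, ["1.3.6.1.5.5.7.3.2"])))
```

Two caveats for tuning: domain-joined Windows clients read the same template container during autoenrollment, so the source, frequency, and whether nTSecurityDescriptor is requested matter more than the base DN alone; and `is_esc1_candidate` is deliberately incomplete, because a template is only exploitable if its security descriptor also grants Enroll to a low-privileged principal, which must be checked separately.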
