Abuse of Active Directory Certificate Services has been on the rise since 2021, with a growing number of techniques to abuse misconfigured templates or vulnerable services. These are fairly common in enterprise environments and can provide attackers with a path to easily authenticate as a domain administrator from any standard domain account.
I can highly recommend the posts by Raul Carmona and colleagues on ADCS attack paths:
- https://www.beyondtrust.com/blog/entry/esc1-attacks
- https://www.beyondtrust.com/blog/entry/esc4-attacks
We also have a webinar on the topic which includes an explanation and a demo of how these attacks work:
A few questions for discussion:
- Is this an area that you are actively looking into?
- Do you need assistance or education in these areas to help you understand them better?
- Have you uncovered these vulnerabilities or other related ones in your own environment and want to share your experience?