See to know more about it.
AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous.
In , and shared their research on AD CS and identified multiple theft, escalation and persistence vectors.
Credential theft (dubbed THEFT1 to THEFT5)
Account persistence (dubbed PERSIST1 to PERSIST3)
Domain escalation (dubbed ESC1 to ESC8)
based on
based on
related to
based on an NTLM relay vulnerability related to the
Domain persistence (dubbed DPERSIST1 to DPERSIST3)
by
by
by