# Certificate Services (AD-CS)

{% hint style="info" %}
See [AD > Movement > Certificate Services (AD-CS)](broken://pages/GAojOJGKYLxxzUAAYPra) to learn more about it.
{% endhint %}

## Theory

> AD CS is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more. While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous. ([specterops.io](https://posts.specterops.io/certified-pre-owned-d95910965cd2))

In [their research papers](https://posts.specterops.io/certified-pre-owned-d95910965cd2), [Will Schroeder](https://twitter.com/harmj0y) and [Lee Christensen](https://twitter.com/tifkin_) shared their work on AD CS and identified multiple theft, escalation and persistence vectors:

* **Credential theft** (dubbed THEFT1 to THEFT5)
* **Account persistence** (dubbed PERSIST1 to PERSIST3)
* **Domain escalation** (dubbed ESC1 to ESC8)
  * based on [misconfigured certificate templates](/ad/movement/ad-cs/certificate-templates.md)
  * based on [dangerous CA configuration](/ad/movement/ad-cs/certificate-authority.md)
  * related to [access control vulnerabilities](/ad/movement/ad-cs/access-controls.md)
  * based on an NTLM relay vulnerability related to the [web endpoints of AD CS](/ad/movement/ad-cs/unsigned-endpoints.md)
* **Domain persistence** (dubbed DPERSIST1 to DPERSIST3)
  * by [forging certificates with a stolen CA certificate](/ad/persistence/ad-cs/certificate-authority.md#stolen-ca)
  * by [trusting rogue CA certificates](/ad/persistence/ad-cs/certificate-authority.md#rogue-ca)
  * by [maliciously creating vulnerable access controls](/ad/persistence/ad-cs/access-controls.md)


