
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Mandiant Publishes Guide: Defend Against the Latest Active Directory Certificate Services Threats

“Active Directory Certificate Services (AD CS) is a server role that enables organizations to leverage public key infrastructure (PKI) as part of their on-premises services to issue and use digital certificates for authenticating identities and endpoints in Active Directory environments. As highlighted by SpecterOps in 2021, AD CS has become a prime target and leverage point in the overall attack chain to achieve post-compromise objectives.

AD CS is often challenging for cyber defenders to manage because not only is it difficult for security teams to detect when their AD CS has been compromised or leveraged for persistence, but the actual remediation and hardening steps can be rather complex.

To add to that complexity, while Microsoft has released updates to mitigate specific AD CS abuse scenarios, the updates are not cookie-cutter, and require organizations to thoroughly test and validate their configurations prior to February 2025. After this date, AD CS will transition to a mode that could potentially impact domain-based services, specifically when certificates are utilized to authenticate users or endpoints” (Mandiant, 2024).

Analyst Comments:
Mandiant’s guide offers actionable steps, including detailed mitigation and hardening instructions, best practices for infrastructure visibility, hunting scenarios, PowerShell queries, and information on Microsoft's patches for certificate-based authentication.

Suggested Corrections:
Mandiant's resources, such as the M-Trends 2022 webinar playback and Active Directory Security Assessment datasheet, are also highlighted as valuable tools for improving Active Directory security posture. Overall, the text underscores the evolving threat landscape around AD CS and the importance of proactive measures to secure and mitigate potential abuses in Active Directory environments.

Link(s):
https://www.mandiant.com/resources/blog/defend-ad-cs-threats