Severity: HIGH
Priority: 0.873
Executive Summary
Active Directory Certificate Services (AD CS) remains an actively exploited escalation path enabling full domain compromise from low-privileged footholds, with ransomware operators and state-sponsored actors both documented as active exploiters. Unit 42's analysis confirms a five-phase attack lifecycle that bypasses signature-based defenses, anchored by CVE-2022-26923 (CVSS 7.5) and misconfigured certificate templates that most organizations leave in place out of fear of disrupting legacy authentication workflows. The persistence of this threat reflects a structural gap: known-exploitable configurations are present in production because template modification introduces operational change risk that many organizations defer, creating a window where the security risk remains unmitigated.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (high severity; prioritize for investigation)
Actor Attribution: HIGH. Ransomware operators (unspecified), State-sponsored actors (unspecified)
TTP Sophistication: HIGH. 10 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH. Multiple evasion techniques observed
Target Scope: INFO. Microsoft Active Directory Certificate Services (AD CS), Windows Hello for Business, Kerberos/PKINIT authentication
Are You Exposed?
⚠ Your industry is targeted by Ransomware operators (unspecified), State-sponsored actors (unspecified) → Heightened risk
⚠ You use products/services from Microsoft Active Directory Certificate Services (AD CS) → Assess exposure
⚠ 10 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
Successful AD CS exploitation grants attackers domain-level control of Active Directory — the authentication backbone of most enterprise Windows environments — without triggering password-based alerting, meaning the breach can persist undetected through credential rotation and standard incident response procedures. For organizations in regulated industries (healthcare, financial services, critical infrastructure), domain compromise creates direct exposure under data protection and operational continuity obligations, since domain controllers govern access to protected data stores, backup systems, and operational technology gateways. The ransomware operator presence in Unit 42's reporting signals that this is not an advanced persistent threat exclusive to high-value targets: it is an industrialized pre-deployment technique, making any organization running misconfigured AD CS a viable ransomware target regardless of industry.
You Are Affected If
Your organization runs Active Directory Certificate Services (AD CS) in any Windows domain environment
Your environment has certificate templates configured with enrollee-supplied Subject Alternative Names and broad enrollment permissions (ESC1 condition)
Your organization uses Windows Hello for Business or PKINIT-based certificate authentication and has not applied the May 2022 patch for CVE-2022-26923
Your Active Directory environment includes legacy certificate templates that administrators have been reluctant to modify due to authentication workflow dependencies
Your security tooling relies primarily on signature-based or password-focused detection, with limited behavioral analytics covering Kerberos certificate-based authentication and AD CS enrollment events
Board Talking Points
Attackers are actively exploiting a known flaw in Microsoft's certificate authentication system to gain full administrative control of corporate networks — ransomware groups are documented users of this technique as of May 2026.
Security teams should be directed to audit our certificate configuration and confirm patch status for CVE-2022-26923 within 30 days, with findings reported back to leadership.
Without this audit and remediation, a single compromised low-level account could give an attacker complete control of our network infrastructure, surviving standard password-reset incident response.
Technical Analysis
AD CS exploitation has graduated from a niche post-exploitation technique to a reliable primary escalation path used by ransomware operators and nation-state actors alike.
Unit 42's analysis documents the attack chain across five phases, each with distinct tooling and behavioral signatures that security teams can instrument for detection.
The attack typically begins with a low-privileged foothold (compromised credentials, a phishing lure, or supply chain access) and then pivots to certificate abuse.
The ESC1 misconfiguration is the most commonly weaponized template flaw: when a certificate template allows requesters to supply an arbitrary Subject Alternative Name (SAN), an attacker can request a certificate asserting the identity of any user in the domain, including domain administrators. This certificate is then used through Kerberos PKINIT authentication (T1558, T1550.003) to obtain a Ticket Granting Ticket (TGT) as the impersonated account.
Shadow credentials (a variant of T1649, Steal or Forge Authentication Certificates) extend this surface. By writing to the msDS-KeyCredentialLink attribute of a target object, which is possible whenever the attacker holds write permission on that object, the attacker plants a certificate credential that survives password resets. This technique is particularly dangerous because it establishes persistence that conventional credential hygiene does not remediate.
CVE-2022-26923 (NVD, Microsoft MSRC) is the anchor vulnerability: a privilege escalation flaw in the AD CS enrollment process affecting Windows environments running Windows Hello for Business. An authenticated attacker can craft a certificate request that impersonates a domain controller, enabling full domain compromise. Microsoft patched this in May 2022, but patch deployment and template remediation are not synonymous: vulnerable template configurations persist in patched environments.
The institutional blind spot Unit 42 identifies is operationally significant: administrators frequently decline to modify legacy certificate templates because doing so risks breaking authentication workflows for services, devices, and users dependent on those templates. This produces a documented, exploitable condition that survives patch cycles.
The MITRE ATT&CK footprint is broad: T1134 (Access Token Manipulation), T1136 (Create Account), T1558 (Steal or Forge Kerberos Tickets), T1078 (Valid Accounts), T1550.001 (Application Access Token), T1484 (Domain Policy Modification), T1649 (Steal or Forge Authentication Certificates), T1552.001 (Credentials in Files), T1550.003 (Pass the Ticket), and T1195.002 (Compromise Software Supply Chain) are all mapped to this campaign pattern. The breadth of this mapping reflects how AD CS exploitation serves as both an initial access amplifier and a persistence mechanism, not merely a privilege escalation step.
Detection coverage is noted for Palo Alto Cortex XDR and XSIAM specifically, with behavioral analytics targeting certificate enrollment anomalies and Kerberos ticket abuse patterns. Organizations without these platforms should review their SIEM and EDR coverage against the behavioral patterns documented in the five-phase lifecycle.
Action Checklist (IR enriched)
Triage Priority: URGENT
Escalate immediately to incident response if Event ID 4887 shows any certificate issued with a SAN value matching a privileged account (Domain Admin, Enterprise Admin, Schema Admin) from a non-privileged requester, or if any msDS-KeyCredentialLink value is detected on a privileged account that was not placed there by an authorized provisioning system — either condition indicates active exploitation of CVE-2022-26923 or shadow credential abuse and constitutes a domain-level compromise requiring breach notification assessment under applicable regulatory frameworks (HIPAA, PCI-DSS, SEC Cybersecurity Disclosure Rules).
Step 1: Assess exposure. Determine whether your environment runs Active Directory Certificate Services with any certificate templates configured for client authentication. Audit specifically for ESC1 conditions: templates that allow the requester to specify the Subject Alternative Name, combined with overly permissive enrollment permissions (Authenticated Users or Domain Computers).
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: establishing IR capability and understanding asset exposure before an incident occurs
NIST SI-2 (Flaw Remediation)
NIST RA-3 (Risk Assessment)
NIST CM-6 (Configuration Settings)
NIST CA-7 (Continuous Monitoring)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Run Certify.exe (GhostPack) as a low-privileged domain user: `Certify.exe find /vulnerable` — this enumerates templates with msPKI-Certificate-Name-Flag set to ENROLLEE_SUPPLIES_SUBJECT and overly broad enrollment ACLs. Alternatively, use PSPKIAudit (free, PowerShell): `Invoke-PKIAudit` outputs ESC1–ESC8 findings without requiring admin rights. Cross-reference output against `certutil -catemplates` to confirm which templates are actively published on your CA.
Preserve Evidence
Before auditing, snapshot the current state of certificate templates for baseline comparison: export `HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA Name>\CAServerName` and run `certutil -v -dstemplate > templates_baseline.txt`. Capture the msDS-KeyCredentialLink attribute state for high-value accounts (domain admins, service accounts) via `Get-ADUser -Filter * -Properties msDS-KeyCredentialLink | Where-Object {$_.msDS-KeyCredentialLink -ne $null}`. This pre-audit snapshot establishes the forensic baseline needed to detect shadow credential insertion post-compromise.
Step 2: Review controls. Verify patch status for CVE-2022-26923 across all domain controllers and CA servers (Microsoft patched it in May 2022). Separately audit certificate template configurations using tools such as Certify or PSPKIAudit to identify ESC1 through ESC8 misconfigurations. Confirm that write permissions on the msDS-KeyCredentialLink attribute are restricted to intended principals to limit shadow credential abuse.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: ensuring systems are hardened and controls are verified prior to exploitation
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-6 (Configuration Settings)
NIST IA-5 (Authenticator Management)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Verify CVE-2022-26923 patch (KB5014754) deployment across all DCs with: `Get-HotFix -Id KB5014754 -ComputerName (Get-ADDomainController -Filter *).Name | Select PSComputerName,InstalledOn`. For msDS-KeyCredentialLink ACL review without enterprise tooling, run: `(Get-ACL 'AD:CN=<TargetUser>,DC=domain,DC=com').Access | Where-Object {$_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectType -eq '5b47d60f-6090-40b2-9f37-2a4de88f3063'}` — that GUID is the msDS-KeyCredentialLink attribute schema ID. Flag any principal outside SYSTEM, Domain Admins, and Key Admins.
Preserve Evidence
Collect patch compliance evidence before proceeding: run `wmic qfe list full /format:csv > dc_patch_inventory.csv` on each DC and CA server. For CVE-2022-26923 specifically, confirm the StrongCertificateBindingEnforcement registry key value at `HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement` — a value of 0 on any DC means the patch enforcement mode is disabled and the system remains exploitable despite patching. Capture Active Directory replication metadata for msDS-KeyCredentialLink on privileged accounts using `Get-ADReplicationAttributeMetadata -Object <DN> -Server <DC> -ShowAllLinkedValues` to identify any unauthorized writes that predate your audit.
Step 3: Update the threat model. Add AD CS certificate template abuse (ESC1), shadow credential persistence (T1649), and Kerberos PKINIT ticket forging (T1558/T1550.003) to your threat register. Flag both ransomware operator and state-sponsored actor categories as active exploiters of this path per recent threat intelligence reporting.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection & Analysis: integrating threat intelligence to improve detection accuracy and prioritize monitoring
NIST IR-4 (Incident Handling)
NIST IR-5 (Incident Monitoring)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST RA-3 (Risk Assessment)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Map Unit 42's five-phase AD CS attack lifecycle directly to MITRE ATT&CK: initial foothold → T1078 (Valid Accounts), ESC1 template abuse → T1649 (Steal or Forge Authentication Certificates), PKINIT ticket request → T1558 (Steal or Forge Kerberos Tickets), lateral movement → T1550.003 (Pass the Ticket), ransomware pre-deployment → T1486 (Data Encrypted for Impact). Add Sigma rules from SigmaHQ for certificate services abuse (search `sigma/rules/windows/builtin/security/` for `win_security_certificate_request` and `win_ad_account_enumeration`) to deploy against Windows Security event logs without a SIEM — parse with `sigma convert -t powershell` and schedule via Task Scheduler.
Preserve Evidence
Before updating the threat model, pull historical Windows Security Event Log Event ID 4886 (Certificate Services received a certificate request) and Event ID 4887 (Certificate Services approved a certificate request and issued a certificate) from the CA server going back 90 days — ESC1 exploitation will show certificate requests where the SAN field contains a privileged account UPN (e.g., administrator@domain.com) submitted by a non-privileged requester account. Also extract Event ID 4769 (Kerberos Service Ticket Request) filtered for ticket encryption type 0x11 or 0x12 (AES) with certificate-based pre-authentication (PA-DATA type 17 or 16), which indicates PKINIT usage that may represent forged ticket activity.
Step 4: Communicate findings. Brief leadership on whether your organization's AD CS deployment has been assessed for template misconfigurations. Frame the risk specifically: a low-privileged compromised account can become a domain administrator without triggering password-based detection, and this path is actively used in ransomware pre-deployment phases.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection & Analysis: communicating incident scope and impact estimates to authorized staff and leadership
NIST IR-6 (Incident Reporting)
NIST IR-8 (Incident Response Plan)
NIST IR-4 (Incident Handling)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Produce a one-page AD CS risk brief quantified with output from Certify or PSPKIAudit: state the number of ESC1-vulnerable templates found, the number of principals with enrollment rights (from `Get-ADGroupMember 'Authenticated Users'` scope), and the blast radius — any of those principals can request a certificate impersonating Domain Admin without a password change. Reference the Unit 42 May 2026 finding that ransomware operators use this path specifically in the pre-deployment phase to establish persistence before encryption begins, making it a direct business-continuity risk.
Preserve Evidence
Gather supporting evidence for the leadership brief before the meeting: export the output of `Certify.exe find /vulnerable` with template names, enrollment permissions, and SAN flags clearly identified. Pull a 90-day count of certificate issuances from Event ID 4887 on the CA server, broken down by requesting account, to show leadership whether certificate issuance volume is anomalous. If any certificate was issued to a SAN value matching a privileged account (DA, EA, Schema Admin) from a standard user requester, document that finding explicitly — it may indicate active exploitation requiring immediate escalation beyond a briefing.
Step 5: Monitor developments. Track published indicators and follow-up analysis. Monitor CISA advisories and Microsoft MSRC for CVE-2022-26923 status; if it is added to the Known Exploited Vulnerabilities catalog, remediation becomes mandated in federal and regulated environments.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: updating policies, improving detection capability, and integrating threat intelligence to prevent recurrence
NIST IR-5 (Incident Monitoring)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST IR-8 (Incident Response Plan)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Subscribe to the CISA KEV RSS feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and parse it with a daily cron job or scheduled PowerShell task that alerts if CVE-2022-26923 appears: `Invoke-RestMethod -Uri 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json' | Select-Object -ExpandProperty vulnerabilities | Where-Object {$_.cveID -eq 'CVE-2022-26923'}`. For continuous AD CS monitoring without a SIEM, deploy a scheduled task on the CA server that exports new Event ID 4887 issuances daily and emails the list to the security team for manual review of SAN field values.
Preserve Evidence
Maintain ongoing collection of CA server Event IDs 4886, 4887, and 4888 (certificate request denied) as your persistent forensic baseline for AD CS activity. Additionally, configure persistent monitoring of the msDS-KeyCredentialLink attribute by scheduling a daily snapshot such as `Get-ADUser -Filter * -Properties msDS-KeyCredentialLink | Where-Object {$_.msDS-KeyCredentialLink -ne $null} | Select-Object SamAccountName,@{n='KeyCredentialLink';e={$_.msDS-KeyCredentialLink -join ';'}} | Export-Csv msds_keycredentiallink_snapshot_$(Get-Date -Format yyyyMMdd).csv`. The calculated property is required: msDS-KeyCredentialLink is multi-valued, and Export-Csv writes only the collection's type name for such a property, so a snapshot taken without it contains no values to compare. Delta comparison between daily snapshots will surface unauthorized shadow credential additions targeting privileged accounts, which is the persistence mechanism Unit 42 documented as surviving password resets and remaining undetected by password-based monitoring.
Recovery Guidance
After containing an AD CS compromise, revoke all certificates issued from ESC1-vulnerable templates during the exploitation window using `certutil -revoke <SerialNumber>` and publish a new CRL immediately via `certutil -crl` on the CA server — do not rely on certificate expiration to neutralize forged credentials. Remediate template misconfigurations by disabling ENROLLEE_SUPPLIES_SUBJECT flag (msPKI-Certificate-Name-Flag) on vulnerable templates and restricting enrollment permissions to named service accounts rather than Authenticated Users or Domain Computers. Monitor Event ID 4769 (Kerberos TGS requests) filtered for PKINIT pre-authentication for a minimum of 30 days post-remediation to detect any attacker-held certificates still generating valid Kerberos tickets before the revocation chain propagates fully.
Key Forensic Artifacts
CA Server Windows Security Event Log — Event IDs 4886 (certificate request received), 4887 (certificate issued), and 4888 (request denied): filter for SAN field values containing privileged account UPNs (administrator@, DA accounts) submitted by non-privileged requesters, which is the direct forensic signature of ESC1 exploitation via CVE-2022-26923
Active Directory attribute replication metadata for msDS-KeyCredentialLink on all privileged accounts: run `Get-ADReplicationAttributeMetadata` to identify unauthorized writes with timestamps, originating DC, and writing principal — shadow credential insertion by an attacker will appear as a write from a non-standard principal (not SYSTEM, Key Admins, or Azure AD Connect)
Domain Controller Kerberos Event Log — Event ID 4768 (TGT request) and 4769 (TGS request) filtered for certificate-based pre-authentication (PA-TYPE 17/16 in the pre-authentication data field): PKINIT-based ticket requests using forged or ESC1-obtained certificates will appear here and are distinct from password-based Kerberos flows
Registry key `HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement` on all DCs: a value of 0 confirms the CVE-2022-26923 patch enforcement mode is disabled regardless of KB5014754 installation status, and this key state is forensically significant to establishing exploitability at the time of any suspected incident
Certutil CA database export (`certutil -view -out RequestID,RequesterName,SubjectAltName,NotBefore,NotAfter csv > ca_issued_certs.csv`): this flat-file export of all issued certificates allows offline timeline analysis to identify any certificate whose SAN differs from the requester's own identity, the definitive artifact of ESC1 exploitation without requiring SIEM access
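The offline triage a responder would run over that certutil export, written for this page as an added example (not code from Unit 42, Microsoft, or any tool named above); it also implements the SAN-versus-requester check described under Detection Guidance. The CSV column layout follows the export command above, the SAN string formats, the privileged-account set and the sample rows are constructed assumptions:

```python
"""Offline ESC1 triage over a certutil CA database export.

Added example for this page, not code from Unit 42 or Microsoft. It assumes
the CSV layout of the `certutil -view -out RequestID,RequesterName,
SubjectAltName,NotBefore,NotAfter csv` export quoted above, with the SAN
rendered in "Other Name:Principal Name=<UPN>" / "DNS Name=<host>" style, and
a caller-supplied set of privileged account names. The rows in SAMPLE_EXPORT
are constructed, not real CA data.
"""
import csv
import io
import re

# Constructed sample export. RequesterName is DOMAIN\sAMAccountName; machine
# accounts end in "$". Rows 102 and 104 assert privileged identities the
# requester does not own; row 106 asserts another ordinary user's identity.
SAMPLE_EXPORT = """\
RequestID,RequesterName,SubjectAltName,NotBefore,NotAfter
101,CORP\\jsmith,Other Name:Principal Name=jsmith@corp.example,2026-05-01 09:12,2027-05-01 09:12
102,CORP\\jsmith,Other Name:Principal Name=administrator@corp.example,2026-05-01 09:14,2027-05-01 09:14
103,CORP\\WS01$,DNS Name=ws01.corp.example,2026-05-02 11:00,2027-05-02 11:00
104,CORP\\svc-scan,Other Name:Principal Name=backup-admin@corp.example,2026-05-03 08:30,2027-05-03 08:30
105,CORP\\DC01$,DNS Name=dc01.corp.example,2026-05-03 09:00,2027-05-03 09:00
106,CORP\\jsmith,Other Name:Principal Name=bob@corp.example,2026-05-03 09:05,2027-05-03 09:05
"""

# Constructed privileged set; in practice feed it your Domain Admins,
# Enterprise Admins and Schema Admins membership (lowercase sAMAccountNames).
PRIVILEGED = {"administrator", "backup-admin"}

UPN_RE = re.compile(r"Principal Name=([^,;]+)", re.IGNORECASE)
DNS_RE = re.compile(r"DNS Name=([^,;]+)", re.IGNORECASE)


def requester_identity(requester_name):
    """Reduce 'DOMAIN\\user' or 'DOMAIN\\HOST$' to a lowercase user/host name."""
    sam = requester_name.split("\\")[-1].strip().lower()
    return sam.rstrip("$")


def san_identities(san_field):
    """Identities the certificate asserts: UPN local parts and DNS host labels."""
    ids = [m.group(1).split("@")[0].strip().lower() for m in UPN_RE.finditer(san_field)]
    ids += [m.group(1).split(".")[0].strip().lower() for m in DNS_RE.finditer(san_field)]
    return ids


def triage(export_csv, privileged=PRIVILEGED):
    """Return one finding per SAN identity that differs from the requester.

    URGENT: a non-privileged requester obtained a certificate for a privileged
            account (the escalation criterion this page gives for Event ID 4887).
    REVIEW: SAN and requester differ but the URGENT condition does not hold.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        requester = requester_identity(row["RequesterName"])
        for asserted in san_identities(row["SubjectAltName"]):
            if asserted == requester:
                continue  # normal enrollment: the SAN names the requester itself
            urgent = asserted in privileged and requester not in privileged
            findings.append({
                "request_id": row["RequestID"],
                "requester": requester,
                "asserted": asserted,
                "issued": row["NotBefore"],
                "level": "URGENT" if urgent else "REVIEW",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['level']:6} request {f['request_id']}: {f['requester']} obtained "
              f"a certificate asserting {f['asserted']} at {f['issued']}")
```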
Detection Guidance
Detection for AD CS exploitation requires behavioral analytics beyond signature matching.
Key areas to instrument:
**Certificate Enrollment Anomalies:** Monitor AD CS enrollment logs (Event ID 4886 and 4887 on the CA server) for certificate requests where the Subject Alternative Name differs from the requesting account's identity.
Flag any certificate issued to a non-CA account asserting a domain controller or privileged account identity.
Note: The following detection strategies assume the Windows CA role is deployed. Organizations without on-premises CA infrastructure should focus on endpoint-based Kerberos authentication anomalies.
**msDS-KeyCredentialLink Writes:** Alert on writes to the msDS-KeyCredentialLink attribute on user or computer objects (Windows Security Event ID 5136, Directory Service Object Modified). Legitimate writes are rare and typically originate from Windows Hello for Business provisioning. Any write from an unexpected principal warrants investigation.
**Kerberos PKINIT Abuse:** Hunt for Kerberos TGT requests using certificate-based pre-authentication (Event ID 4768 with pre-authentication type 16) issued to accounts that do not normally use certificate-based logon. Cross-correlate with recent certificate enrollment events for the same account.
**Privilege Escalation Indicators:** Monitor for rapid privilege transitions, accounts accessing high-value targets (domain controllers, backup infrastructure, secrets stores) shortly after certificate enrollment events. T1134 (token manipulation) and T1484 (domain policy modification) behavioral patterns should be baselined and alerted.
**Tool Behavior:** Certify.exe, Certipy, and PKINITtools are common attacker-side tools for this exploitation path. Monitor for execution of unsigned binaries querying AD CS enrollment endpoints, LDAP queries targeting certificate template objects, and anomalous use of the PKINIT protocol from workstation-class machines.
**Log Sources:** Windows CA audit logs, Active Directory audit logs (DS Access auditing enabled), Kerberos authentication events on domain controllers, and EDR process/network telemetry from endpoints performing certificate enrollment operations.
Detection coverage is documented for Cortex XDR and XSIAM; organizations on other platforms should map these behavioral indicators to available SIEM/SOAR detection logic.
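The msDS-KeyCredentialLink write alert described above, as an added example written for this page (not Unit 42's, Microsoft's, or any vendor's detection content). It parses Event ID 5136 records exported as XML; the event records, the privileged DN list and the allowlist of legitimate provisioning accounts are constructed assumptions:

```python
"""Triage Windows Security Event 5136 for msDS-KeyCredentialLink writes.

Added example for this page, not code from Unit 42 or Microsoft. It assumes
5136 events exported as XML (for example via wevtutil or Get-WinEvent's
ToXml()), a caller-supplied set of privileged object DNs, and an allowlist of
writer accounts that legitimately provision key credentials (Windows Hello for
Business / directory sync). Every record in SAMPLE_EVENTS is constructed.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TARGET_ATTR = "msds-keycredentiallink"
# 5136 OperationType is a message-table reference: 14674 = Value Added, 14675 = Value Deleted
OPERATIONS = {"%%14674": "Value Added", "%%14675": "Value Deleted"}


def _event(writer, dn, attr, value, op, when):
    """Build one constructed 5136 record in the shape Get-WinEvent exports."""
    return (
        f'<Event><System><EventID>5136</EventID><TimeCreated SystemTime="{when}"/>'
        f"<Computer>DC01.corp.example</Computer></System><EventData>"
        f'<Data Name="SubjectUserName">{writer}</Data><Data Name="SubjectDomainName">CORP</Data>'
        f'<Data Name="ObjectDN">{dn}</Data><Data Name="ObjectClass">user</Data>'
        f'<Data Name="AttributeLDAPDisplayName">{attr}</Data>'
        f'<Data Name="AttributeValue">{value}</Data><Data Name="OperationType">{op}</Data>'
        f"</EventData></Event>"
    )


ADMIN_DN = "CN=Administrator,CN=Users,DC=corp,DC=example"
SVC_DN = "CN=svc-backup,OU=Service,DC=corp,DC=example"
USER_DN = "CN=jdoe,CN=Users,DC=corp,DC=example"
KCL = "B:32:0002000020000100A1B2C3D4E5F6A7B8:" + ADMIN_DN  # constructed DN-binary value
SAMPLE_EVENTS = f'<Events xmlns="{NS}">' + "".join([
    _event("jsmith", ADMIN_DN, "msDS-KeyCredentialLink", KCL, "%%14674", "2026-05-04T10:15:02Z"),
    _event("MSOL_a1b2c3d4", USER_DN, "msDS-KeyCredentialLink", "B:32:00020000C0FFEE00:" + USER_DN,
           "%%14674", "2026-05-04T10:20:11Z"),
    _event("jsmith", ADMIN_DN, "description", "Built-in account", "%%14674", "2026-05-04T10:21:00Z"),
    _event("jsmith", SVC_DN, "msDS-KeyCredentialLink", "B:32:00020000DEADBEEF:" + SVC_DN,
           "%%14674", "2026-05-04T10:25:40Z"),
    _event("jsmith", ADMIN_DN, "msDS-KeyCredentialLink", KCL, "%%14675", "2026-05-04T11:02:13Z"),
]) + "</Events>"

PRIVILEGED_DNS = {ADMIN_DN}                     # constructed; use your DA/EA/Schema Admin DNs
AUTHORIZED_WRITERS = {"CORP\\MSOL_a1b2c3d4"}   # constructed sync-account name


def _data(event, name):
    """Value of the <Data Name="..."> child with the given name, or ''."""
    for d in event.iter(f"{{{NS}}}Data"):
        if d.get("Name") == name:
            return (d.text or "").strip()
    return ""


def triage_5136(events_xml, privileged_dns, authorized_writers):
    """Classify every msDS-KeyCredentialLink write found in the exported events.

    EXPECTED: writer is an allowlisted provisioning account.
    URGENT:   any other writer touched a privileged object (add or delete).
    REVIEW:   any other writer touched a non-privileged object.
    """
    priv = {d.lower() for d in privileged_dns}
    allowed = {w.lower() for w in authorized_writers}
    findings = []
    for ev in ET.fromstring(events_xml).iter(f"{{{NS}}}Event"):
        if ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID") != "5136":
            continue
        if _data(ev, "AttributeLDAPDisplayName").lower() != TARGET_ATTR:
            continue  # other directory changes are out of scope here
        writer = f"{_data(ev, 'SubjectDomainName')}\\{_data(ev, 'SubjectUserName')}".lower()
        target = _data(ev, "ObjectDN")
        op_code = _data(ev, "OperationType")
        if writer in allowed:
            level = "EXPECTED"
        elif target.lower() in priv:
            level = "URGENT"
        else:
            level = "REVIEW"
        findings.append({
            "time": ev.find(f"{{{NS}}}System/{{{NS}}}TimeCreated").get("SystemTime"),
            "writer": writer,
            "target": target,
            "operation": OPERATIONS.get(op_code, op_code),
            "level": level,
        })
    return findings


if __name__ == "__main__":
    for f in triage_5136(SAMPLE_EVENTS, PRIVILEGED_DNS, AUTHORIZED_WRITERS):
        print(f"{f['level']:8} {f['time']} {f['writer']} {f['operation']} on {f['target']}")
```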
Indicators of Compromise (4)
3 tools, 1 URL. Each entry lists type, value, enrichment context, and confidence.
TOOL: Certify.exe. Certify leveraged during AD CS reconnaissance phase to enumerate misconfigured certificate templates (ESC1) and identify exploitable enrollment permissions within the domain. Confidence: HIGH
TOOL: Certipy. Certipy (Python-based) leveraged to request certificates exploiting ESC1 template misconfigurations and perform shadow credential attacks via msDS-KeyCredentialLink attribute writes. Confidence: HIGH
TOOL: PKINITtools. PKINITtools leveraged post-certificate-issuance to perform Kerberos PKINIT authentication and obtain TGTs impersonating privileged domain accounts, enabling pass-the-ticket lateral movement. Confidence: HIGH
URL: Pending — refer to Unit 42 (https://unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/) for published indicators. Unit 42 May 2026 analysis documents attacker tooling and behavioral patterns across a five-phase exploitation lifecycle; specific hashes, C2 infrastructure, or additional IOC values should be retrieved directly from the source report. Confidence: LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required)
IOC Detection Queries (4)
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.

```kql
// Threat: AD CS Exploitation Persists: ESC1, Shadow Credentials, and Detection Gaps Enable
// Attack tool: Certify.exe
// Context: Certify leveraged during AD CS reconnaissance phase to enumerate misconfigured certificate templates (ESC1) and identify exploitable enrollment permissions within the domain
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "Certify.exe"
    or ProcessCommandLine has "Certify.exe"
    or InitiatingProcessCommandLine has "Certify.exe"
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.

```kql
// Threat: AD CS Exploitation Persists: ESC1, Shadow Credentials, and Detection Gaps Enable
// Attack tool: Certipy
// Context: Certipy (Python-based) leveraged to request certificates exploiting ESC1 template misconfigurations and perform shadow credential attacks via msDS-KeyCredentialLink attribute writes
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "Certipy"
    or ProcessCommandLine has "Certipy"
    or InitiatingProcessCommandLine has "Certipy"
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.

```kql
// Threat: AD CS Exploitation Persists: ESC1, Shadow Credentials, and Detection Gaps Enable
// Attack tool: PKINITtools
// Context: PKINITtools leveraged post-certificate-issuance to perform Kerberos PKINIT authentication and obtain TGTs impersonating privileged domain accounts, enabling pass-the-ticket lateral movement
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "PKINITtools"
    or ProcessCommandLine has "PKINITtools"
    or InitiatingProcessCommandLine has "PKINITtools"
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```
1 URL indicator(s). No URL indicators have been published for this campaign yet; the query below is a template whose match list is intentionally empty (the auto-generated placeholder text it originally carried could never match a RemoteUrl value).

```kql
// Threat: AD CS Exploitation Persists: ESC1, Shadow Credentials, and Detection Gaps Enable
// Populate malicious_urls from the Unit 42 report
// (https://unit42.paloaltonetworks.com/active-directory-certificate-services-exploitation/)
// once indicator values are released; with an empty list the query returns no rows.
let malicious_urls = dynamic([]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```
MITRE ATT&CK Hunting Queries (1)
Sentinel rule: Sign-ins from unusual locations

```kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
```
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1134, T1136, T1558, T1078, T1550.001, T1484 (+4 more)
NIST SP 800-53: AC-2, AC-6, IA-2, IA-5, CM-7, SA-9 (+8 more)
CIS Controls v8: 5.4, 6.8, 6.3, 6.4, 6.5, 3.3 (+1 more)
HIPAA: 164.312(d), 164.308(a)(7)(ii)(A)
NIST CSF 2.0: RS.MI-01, DE.CM-01, DE.AE-08
MITRE ATT&CK Mapping
T1134 Access Token Manipulation (defense-evasion)
T1136 Create Account (persistence)
T1558 Steal or Forge Kerberos Tickets (credential-access)
T1078 Valid Accounts (defense-evasion)
T1550.001 Application Access Token (defense-evasion)
T1484 Domain or Tenant Policy Modification (defense-evasion)
T1649 Steal or Forge Authentication Certificates (credential-access)
T1552.001 Credentials In Files (credential-access)
T1195.002 Compromise Software Supply Chain (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.