Certified Pre-Owned
ID: 1fd47643-7a3a-5b1c-a36b-24b8cfc13013
STIX ID: report--1fd47643-7a3a-5b1c-a36b-24b8cfc13013
Feed Name: SpecterOps Blog
This research brief (and the linked whitepaper) analyzes widespread AD CS misconfigurations that let an attacker obtain or forge certificates to authenticate as arbitrary domain users or machines, escalate to domain administrator, and keep long-term access, including "golden certificates" forged with a stolen CA private key. It catalogs eight escalation scenarios (ESC1 through ESC8): templates that let the enrollee supply the subject while carrying an authentication EKU (ESC1), templates with the Any Purpose EKU or no EKU (ESC2), enrollment-agent abuse (ESC3), over-permissive ACLs on templates, PKI container objects and the CA itself (ESC4, ESC5, ESC7), the EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag that accepts attacker-chosen subjectAltName values on any request (ESC6), and NTLM relay against the HTTP certificate enrollment endpoints (ESC8). Theft of certificates, keys and the CA's own private key is covered as a separate persistence path rather than an escalation. The brief ships offensive tooling (Certify for enumeration and request abuse, ForgeCert for forging certificates with a stolen CA key), defensive auditing and remediation guidance, and warns that a large share of enterprise environments is likely vulnerable.
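The template-level conditions behind ESC1, ESC2 and ESC3, plus the CA flag behind ESC6, reduce to checks on a handful of msPKI-* attribute bits, EKU OIDs and enrollment rights. The following is an added example (not code from the brief, the whitepaper or the SpecterOps tools) that encodes those checks as rules and runs them over constructed template records; the template names, principal labels and the CA EditFlags value are assumptions chosen to exercise each rule, not data from any real environment.

```python
"""Rule checks for the AD CS misconfigurations the brief lists (ESC1, ESC2,
ESC3 and the ESC6 CA flag), run over constructed records shaped like the
msPKI-* attributes of certificate templates in the Configuration partition."""
from __future__ import annotations

from dataclasses import dataclass

# Flag bits and OIDs as published in MS-CRTD / MS-WCCE.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000     # CA EditFlags registry value

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_EFS = "1.3.6.1.4.1.311.10.3.4"
OID_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}

# Principals whose Enroll right makes a template reachable by any domain account.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers"}


@dataclass
class Template:
    name: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signatures: int           # msPKI-RA-Signature (authorized signatures required)
    ekus: list[str]              # pKIExtendedKeyUsage; empty list means no EKU, i.e. any purpose
    enroll_principals: set[str]  # principals holding the Enroll extended right
    published: bool = True       # listed in some CA's certificateTemplates attribute


def low_priv_can_enroll(t: Template) -> bool:
    return bool(t.enroll_principals & LOW_PRIV_PRINCIPALS)


def requires_manager_approval(t: Template) -> bool:
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)


def has_auth_eku(t: Template) -> bool:
    # No EKU at all is treated as any purpose, which includes client authentication.
    return not t.ekus or bool(set(t.ekus) & AUTH_EKUS)


def check_template(t: Template) -> list[str]:
    """Return the ESC identifiers whose template-side conditions t satisfies."""
    findings: list[str] = []
    # Shared preconditions: published, enrollable by low-priv users, no approval, no RA signatures.
    if (not t.published or not low_priv_can_enroll(t)
            or requires_manager_approval(t) or t.ra_signatures > 0):
        return findings
    if (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) and has_auth_eku(t):
        findings.append("ESC1")  # requester picks the SAN and the cert authenticates
    if not t.ekus or OID_ANY_PURPOSE in t.ekus:
        findings.append("ESC2")  # any-purpose cert, usable as an enrollment agent too
    if OID_CERT_REQUEST_AGENT in t.ekus:
        findings.append("ESC3")  # low-priv user can become an enrollment agent
    return findings


def check_ca_edit_flags(edit_flags: int) -> list[str]:
    """ESC6: the CA honours a SAN supplied in request attributes for every template."""
    return ["ESC6"] if edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2 else []


def audit(templates: list[Template], ca_edit_flags: int) -> dict[str, list[str]]:
    """Map each template name (and the CA) to its findings; empty lists are clean."""
    result = {t.name: check_template(t) for t in templates}
    result["CA"] = check_ca_edit_flags(ca_edit_flags)
    return result


# Constructed sample data (assumed names and values, not from a real domain).
SAMPLE_TEMPLATES = [
    # Built-in User template shape: subject built from AD, not supplied by the requester.
    Template("User", 0xA6000000, 0x29, 0, [OID_CLIENT_AUTH, OID_EFS, OID_SECURE_EMAIL], {"Domain Users"}),
    # Custom template copied from User, then "Supply in the request" enabled: ESC1.
    Template("WebServerLegacy", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [OID_CLIENT_AUTH], {"Domain Users"}),
    # Same misconfiguration, but manager approval is required, so the rules stay quiet.
    Template("WebServerGated", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0x2, 0, [OID_CLIENT_AUTH], {"Domain Users"}),
    # SubCA-like: supplies subject and has no EKU, but only admins may enroll.
    Template("SubCA", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [], {"Domain Admins"}),
    # Certificate Request Agent EKU open to every domain user: ESC3.
    Template("HelpDeskAgent", 0, 0, 0, [OID_CERT_REQUEST_AGENT], {"Domain Users"}),
]
CONSTRUCTED_CA_EDIT_FLAGS = 0x15014E  # assumed value with EDITF_ATTRIBUTESUBJECTALTNAME2 set

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES, CONSTRUCTED_CA_EDIT_FLAGS).items():
        print(f"{name:16} {', '.join(findings) or 'clean'}")
```

The rules intentionally share the same preconditions the whitepaper states for ESC1 through ESC3 (low-privileged enrollment, no manager approval, no authorized signatures), which is why the approval-gated copy and the admin-only SubCA produce nothing; ESC4, ESC5 and ESC7 depend on object ACLs rather than attribute bits and would need the security descriptors fetched alongside these attributes.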
