CVE REFERENCE | HIGH SEVERITY

CVE-2022-26923: Certifried — AD Certificate Services Domain Privilege Escalation

How a missing validation check in Active Directory Certificate Services allowed any domain user to request a certificate that impersonates a Domain Controller — and use it to obtain domain admin-level Kerberos access

CVSS Score: 8.8
Resulting privilege: Domain Admin
Vulnerable component: AD CS
Patch date: May 2022

CVE-2022-26923, named Certifried by discoverer Oliver Lyak, is a privilege escalation vulnerability in Active Directory Certificate Services (AD CS) patched in May 2022. The flaw allows a domain user who can create or modify machine accounts to request a certificate that AD CS incorrectly associates with a Domain Controller, then use that certificate to authenticate to the KDC via Kerberos PKINIT and receive a domain admin-equivalent TGT — a complete Active Directory privilege escalation that requires no special permissions beyond a standard domain account.

Technical Root Cause: dNSHostName Attribute Manipulation

When a user or machine authenticates using a certificate (Kerberos PKINIT), the KDC identifies the account associated with the certificate using the Subject Alternative Name (SAN). The SAN in machine certificates typically contains the DNS host name of the machine (e.g., workstation01.corp.example.com).

AD CS validates that the SAN in a certificate request matches the machine's dNSHostName attribute in Active Directory. The vulnerability: there is no validation preventing a domain user from setting their machine account's dNSHostName to match a Domain Controller's DNS name.

Exploit steps:

1. Attacker creates a machine account (using MachineAccountQuota) or controls an existing one
2. Attacker modifies the dNSHostName attribute of their machine account to `dc01.corp.example.com` (matching the real DC)
3. Attacker requests a certificate from AD CS for their machine account using the Machine/Computer certificate template
4. AD CS issues a certificate with the SAN set to `dc01.corp.example.com` — impersonating the DC
5. Attacker uses the certificate for Kerberos PKINIT authentication
6. The KDC finds the account mapped to `dc01.corp.example.com` — the real Domain Controller — and issues a TGT for that DC account

Why AD CS Makes This Dangerous

Active Directory Certificate Services is a widely deployed PKI solution in enterprise environments, but its integration with Active Directory authentication creates significant attack surface. Certifried is part of a broader class of AD CS attacks (ESC1–ESC13, documented by SpecterOps in 'Certified Pre-Owned') that exploit the trust relationship between certificate enrollment and Kerberos authentication.

The specific risk of Certifried compared to other AD CS attacks: it requires no special certificate template misconfigurations. The default Machine or Computer certificate template — present in nearly every AD CS deployment — is sufficient for the exploit. This makes it applicable to a much wider range of environments than template-specific AD CS attacks.

Step 1: Create or control a machine account

Using MachineAccountQuota (default allows 10 per domain user), create a new machine account. The attacker controls this account's attributes.

Step 2: Set dNSHostName to match a Domain Controller

Modify the dNSHostName attribute of the attacker-controlled machine account to match the DNS name of a Domain Controller (e.g., DC01.corp.example.com). This requires write access to the attribute on the attacker's own machine account.

Step 3: Request certificate from AD CS

Enroll a certificate from the Enterprise CA using the Machine or Computer template, authenticated as the attacker-controlled machine account.

Step 4: AD CS issues certificate with DC's SAN

AD CS validates the SAN against dNSHostName (which now matches the DC) and issues a certificate with the DC's DNS name in the SAN. The certificate appears to belong to the Domain Controller.

Step 5: PKINIT authentication yields DC-level TGT

Attacker uses the issued certificate for Kerberos PKINIT authentication. The KDC maps the certificate's SAN to the real DC account and issues a TGT with DC privileges — domain admin equivalent access.

Detection

Detection indicators for Certifried exploitation:

Indicators of Compromise

Indicator: Certificate enrollment events where the requested SAN matches a Domain Controller DNS name but the requesting account is not a Domain Controller
Log source: AD CS Certificate Services event log (Event ID 4886/4887)
Detection: Alert when a certificate with a SAN matching any DC's FQDN is issued to a non-DC machine account; implement via CA audit logs or a SIEM rule correlating issued certificates with known DC names

Indicator: Machine account dNSHostName attribute set to a value matching a Domain Controller FQDN
Log source: Active Directory attribute change (Event ID 5136)
Detection: Directory service changes audit (Event ID 5136) on machine account dNSHostName modifications; baseline expected values for all machine accounts and alert on deviations matching DC naming

Indicator: PKINIT Kerberos authentication (TGT request) using a certificate issued to a non-DC account but mapping to a DC
Log source: Windows Security Event Log (Event ID 4768)
Detection: Kerberos TGT requests using certificate authentication (Pre-Authentication Type 16 in Event ID 4768) from accounts that do not match the issuing machine account
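The first two indicators above, expressed as SIEM-style correlation logic in an added example that is not part of the original article. The event records are constructed and simplified (the SubjectAltNames and Requester fields on the 4887 record, and the ObjectDN/AttributeValue fields on the 5136 record, are assumed flattenings of the event XML), and the DC inventory is a placeholder you would replace with your own.

```python
from typing import Optional

# Assumed DC inventory (constructed for this example): FQDNs and machine accounts.
DC_FQDNS = {"dc01.corp.example.com"}
DC_ACCOUNTS = {"DC01$"}

def normalize_host(name: str) -> str:
    """Case-insensitive comparison, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower()

def account_from_dn(dn: str) -> str:
    """'CN=ATTACKER01,CN=Computers,...' -> 'ATTACKER01$' (sAMAccountName form)."""
    rdn = dn.split(",", 1)[0].split("=", 1)
    return rdn[-1].upper() + "$"

def check_enrollment(event: dict) -> Optional[str]:
    """Event ID 4887: a SAN naming a DC, issued to a requester that is not a DC."""
    if event.get("EventID") != 4887:
        return None
    dc_names = {normalize_host(h) for h in DC_FQDNS}
    hits = {normalize_host(h) for h in event.get("SubjectAltNames", [])} & dc_names
    requester = event.get("Requester", "").split("\\")[-1]  # strip DOMAIN\ prefix
    if hits and requester not in DC_ACCOUNTS:
        return f"cert for DC name {sorted(hits)[0]} issued to non-DC account {requester}"
    return None

def check_dnshostname_change(event: dict) -> Optional[str]:
    """Event ID 5136: dNSHostName of a non-DC machine account set to a DC FQDN."""
    if event.get("EventID") != 5136 or event.get("AttributeLDAPDisplayName") != "dNSHostName":
        return None
    account = account_from_dn(event.get("ObjectDN", ""))
    value = normalize_host(event.get("AttributeValue", ""))
    if value in {normalize_host(h) for h in DC_FQDNS} and account not in DC_ACCOUNTS:
        return f"dNSHostName of {account} set to DC name {value}"
    return None

def certifried_alerts(events: list) -> list:
    """Run both checks over event records and collect the alert strings."""
    return [hit for ev in events for check in (check_enrollment, check_dnshostname_change)
            if (hit := check(ev))]

# Constructed sample records: field names follow the event XML loosely, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 5136, "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=example,DC=com",
     "AttributeLDAPDisplayName": "dNSHostName", "AttributeValue": "ws01.corp.example.com"},
    {"EventID": 5136, "ObjectDN": "CN=ATTACKER01,CN=Computers,DC=corp,DC=example,DC=com",
     "AttributeLDAPDisplayName": "dNSHostName", "AttributeValue": "DC01.corp.example.com"},
    {"EventID": 4887, "Requester": "CORP\\DC01$", "SubjectAltNames": ["dc01.corp.example.com"]},
    {"EventID": 4887, "Requester": "CORP\\ATTACKER01$", "SubjectAltNames": ["dc01.corp.example.com"]},
]
```

Running `certifried_alerts(SAMPLE_EVENTS)` yields two alerts (the dNSHostName change and the issued certificate) and stays silent for the legitimate DC01$ enrollment and the workstation rename.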


Remediation

Steps in order of priority:

Apply May 2022 Patch Tuesday updates to all Domain Controllers and AD CS servers

The fix adds validation ensuring that the dNSHostName in a certificate request matches the machine account's actual dNSHostName and that the SAN cannot be set to a Domain Controller name by a non-DC account. Apply to all DCs and the server running the Certificate Authority role.

Set MachineAccountQuota to 0

Reducing MachineAccountQuota eliminates the ability for standard users to create machine accounts, removing the primary prerequisite for Certifried (as well as noPac and other machine-account-based attacks). This is a strong defense-in-depth measure independent of patching.

Enable AD CS auditing and monitor certificate issuance

Enable Certificate Services audit logging on all Enterprise CAs: run certutil -setreg CA\AuditFilter 127 and restart the CA service. Forward Certificate Services event logs (specifically 4886, 4887, 4888) to your SIEM for anomaly detection.

Review AD CS certificate templates for over-permissive enrollment

Audit all certificate templates using the Certify tool (SpecterOps) or similar to identify templates that allow SAN specification by the requester (the ESC1 configuration). Restrict enrollment on templates to only the intended accounts.

The bottom line

Certifried is a symptom of a broader architectural risk: Active Directory Certificate Services is deeply trusted by Kerberos, and any misconfiguration or vulnerability in the certificate issuance process translates directly to privilege escalation in Active Directory. The May 2022 patch addresses this specific flaw, but organizations should treat Certifried as a prompt to conduct a full AD CS security audit using the SpecterOps 'Certified Pre-Owned' framework — the attack surface extends well beyond this single CVE.

Frequently asked questions

What is CVE-2022-26923 (Certifried)?

CVE-2022-26923, named Certifried, is a privilege escalation vulnerability in Active Directory Certificate Services. By manipulating the dNSHostName attribute of a machine account, a domain user can obtain a certificate that AD CS issues as if it were for a Domain Controller. Using this certificate with Kerberos PKINIT authentication yields a TGT with domain admin-equivalent privileges.

Is Active Directory Certificate Services required for this vulnerability?

Yes. CVE-2022-26923 requires AD CS to be deployed in the environment with at least one Enterprise CA issuing certificates via the default Machine or Computer certificate template (or a template with similar settings). Environments without AD CS are not directly vulnerable to this specific attack chain.

How does Certifried differ from the PetitPotam/ESC8 AD CS attacks?

PetitPotam and ESC8 are NTLM relay attacks that coerce a DC to authenticate and relay that authentication to AD CS. Certifried (CVE-2022-26923) is a direct certificate request attack — no relay required. The attacker requests a certificate using their own credentials but manipulates the certificate attributes to impersonate a DC.


Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest