SC-033: ADCS Golden Certificate Attack — Operation Gilt Seal¶
Scenario Header
Type: Identity / Active Directory | Difficulty: ★★★★★ | Duration: 4–5 hours | Participants: 4–8
Threat Actor: GOLDEN CIPHER — nation-state espionage group targeting defense sector via Active Directory Certificate Services abuse
Primary ATT&CK Techniques: T1649 · T1558.001 · T1078.002 · T1484.001 · T1556.005 · T1003.006
Facilitator Note
This scenario simulates an advanced Active Directory Certificate Services (AD CS) attack chain — from ESC1 template abuse through golden certificate persistence. Participants should include AD administrators, PKI engineers, SOC analysts, and incident responders. The scenario highlights how misconfigured certificate templates enable complete domain compromise that survives password resets, ticket rotations, and even krbtgt resets. All data is synthetic. All organizations, IPs, and indicators are fictional.
Threat Actor Profile¶
GOLDEN CIPHER is a nation-state espionage group active since 2023, specializing in Active Directory infrastructure attacks against defense contractors, aerospace firms, and government suppliers. Unlike ransomware-focused groups, GOLDEN CIPHER operates with extreme patience — average dwell time exceeds 180 days — and prioritizes persistent, undetectable access to classified and controlled unclassified information (CUI).
The group demonstrates advanced understanding of Microsoft PKI infrastructure, Active Directory Certificate Services, and Kerberos authentication internals. Their signature tradecraft involves exploiting misconfigured AD CS certificate templates (ESC1–ESC8 vulnerabilities) to forge authentication certificates that bypass traditional credential-based detection. Once they obtain a CA certificate and private key, they create golden certificates — forged certificates that authenticate as any domain user, including domain admins, indefinitely.
Motivation: Espionage — exfiltration of defense program documentation, weapons system specifications, supply chain intelligence, and personnel security clearance data. Secondary objective: establish persistent access for long-term intelligence collection across the defense industrial base (DIB).
Scenario Narrative¶
Scenario Context
Pinnacle Defense Contractors is a mid-tier defense contractor with 2,400 employees across 5 facilities, holding contracts for advanced radar systems and electronic warfare platforms. Their IT environment runs a single Active Directory forest (pinnacle-defense.example.com) with 3 domains. The PKI infrastructure consists of a 2-tier CA hierarchy: an offline root CA and an online enterprise subordinate CA (PINNACLE-SUB-CA) running Windows Server 2022 on 192.0.2.10. AD CS was deployed 4 years ago by a system integrator who used default certificate templates with minimal hardening. The environment contains 47 certificate templates, of which 12 have never been audited. The security team (6 FTEs) monitors endpoints via CrowdStrike and network via Zeek/Suricata, but has no dedicated PKI monitoring or certificate issuance alerting. Pinnacle passed their last CMMC Level 2 assessment 8 months ago.
Phase 1 — Initial Access and Reconnaissance (~40 min)¶
GOLDEN CIPHER gains initial access through a spear-phishing email targeting a project engineer (jthompson@pinnacle-defense.example.com) working on the AEGIS radar program. The email impersonates a subcontractor and contains a malicious OneNote attachment that drops a Cobalt Strike beacon via DLL sideloading. The beacon establishes C2 communications to 198.51.100.44 over HTTPS port 443, blending with legitimate outbound traffic.
From the compromised workstation (WKST-ENG-047, 10.10.5.47), GOLDEN CIPHER conducts internal reconnaissance focused on AD CS infrastructure. They use Certify.exe (renamed to msdiag.exe) to enumerate certificate templates, CA servers, and enrollment permissions.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Email Gateway Log | From: procurement@apex-subsystems.example.com — To: jthompson@pinnacle-defense.example.com — Subject: "AEGIS Phase 3 — Updated SOW" — Attachment: AEGIS_SOW_v3.one — 2026-03-01T08:42:17Z |
| EDR Alert | Host: WKST-ENG-047 (10.10.5.47) — Process: rundll32.exe loading msoxmled.dll from C:\Users\jthompson\AppData\Local\Temp\ — Unsigned DLL — C2 callback to 198.51.100.44:443 — 2026-03-01T08:43:55Z |
| DNS Log | WKST-ENG-047 → DNS query for update-service.example.com (resolves to 198.51.100.44) — 47 queries over 6 hours — beacon interval pattern: 60±15s jitter |
| Certify Enumeration Output | msdiag.exe find /vulnerable executed at 2026-03-01T14:22:08Z — Discovered 4 vulnerable templates — Process parent: rundll32.exe (beacon) |
| Windows Security Event 4688 | New process: C:\Windows\Temp\msdiag.exe — Creator: PINNACLE\jthompson — CommandLine: msdiag.exe find /vulnerable — Host: WKST-ENG-047 |
Phase 1 — Discussion Inject
Technical: The attacker renamed Certify.exe to msdiag.exe to evade filename-based detection. What detection strategies would catch this regardless of filename? Consider: YARA rules on binary signatures, command-line argument patterns (find /vulnerable), LDAP queries to CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration, and process lineage analysis.
Decision: EDR flagged the unsigned DLL sideload but the alert was classified as "Medium" severity and queued for next-business-day review. The SOC is understaffed (2 analysts covering 24/7). Do you (A) implement automated containment for unsigned DLL sideloading from temp directories, risking false positives on legitimate software, or (B) maintain manual triage with SLA targets? What is the detection-vs-disruption trade-off?
Expected Analyst Actions: - [ ] Investigate EDR alert for unsigned DLL sideloading on WKST-ENG-047 - [ ] Correlate DNS beacon pattern to 198.51.100.44 — check threat intel feeds - [ ] Identify msdiag.exe as Certify.exe through binary hash or YARA match - [ ] Review LDAP queries from jthompson targeting certificate template objects - [ ] Assess scope of compromised account permissions in AD CS
Phase 2 — Certificate Template Enumeration and ESC1 Exploitation (~50 min)¶
GOLDEN CIPHER's Certify enumeration reveals a critically misconfigured certificate template: PinnacleUserAuth. This template exhibits the ESC1 vulnerability — it allows enrollees to specify a Subject Alternative Name (SAN) in the certificate request, enabling any authenticated user to request a certificate for any other user, including domain administrators.
Vulnerable Template Configuration:
Template Name: PinnacleUserAuth
Schema Version: 2
Validity Period: 1 year
Renewal Period: 6 weeks
Enrollment Permissions: PINNACLE\Domain Users (Allow Enroll)
PINNACLE\Domain Computers (Allow Enroll)
msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
pKIExtendedKeyUsage: Client Authentication (1.3.6.1.5.5.7.3.2)
msPKI-RA-Signature: 0 (no authorized signature required)
The attacker uses Certify to request a certificate from the PinnacleUserAuth template, specifying the SAN as administrator@pinnacle-defense.example.com — the domain administrator account.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Windows Event ID 4886 | Certificate Services received a certificate request — Requester: PINNACLE\jthompson — Template: PinnacleUserAuth — CA: PINNACLE-SUB-CA (192.0.2.10) — 2026-03-01T15:08:33Z |
| Windows Event ID 4887 | Certificate Services approved and issued certificate — Subject: CN=jthompson — SAN: administrator@pinnacle-defense.example.com — Template: PinnacleUserAuth — Serial: 6100000004B3E8C7A2D1 — 2026-03-01T15:08:34Z |
| LDAP Query Log | Source: 10.10.5.47 (WKST-ENG-047) — Query: (objectClass=pKICertificateTemplate) — Base DN: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=pinnacle-defense,DC=example,DC=com — 2026-03-01T14:22:09Z |
| CA Audit Log | Request ID: 4,847 — Requester: PINNACLE\jthompson — Template: PinnacleUserAuth — SAN: administrator@pinnacle-defense.example.com — Disposition: Issued — 2026-03-01T15:08:34Z |
| Network (Zeek) | 10.10.5.47 → 192.0.2.10:445 — SMB connection — Certificate enrollment via RPC — 2026-03-01T15:08:32Z |
Phase 2 — Discussion Inject
Technical: The ESC1 vulnerability is the most common AD CS misconfiguration. The critical flag is ENROLLEE_SUPPLIES_SUBJECT combined with Client Authentication EKU and broad enrollment permissions. How would you audit all 47 certificate templates for ESC1–ESC8 vulnerabilities? What tool would you use, and what remediation would you implement for each finding?
Decision: You discover that PinnacleUserAuth has been in use for 4 years — 2,300 certificates have been issued from this template for legitimate VPN and smart card authentication. Immediately disabling the template will break VPN access for 800+ remote workers. Do you (A) disable immediately and force VPN outage, (B) create a hardened replacement template and migrate users over 48 hours, or (C) add enrollment restrictions to limit to a security group while you plan migration? Consider the active threat actor.
Expected Analyst Actions: - [ ] Audit all certificate templates using Certify.exe find or PSPKIAudit - [ ] Flag templates with ENROLLEE_SUPPLIES_SUBJECT + Client Authentication EKU - [ ] Review Event IDs 4886/4887 for SAN mismatches (requester != SAN identity) - [ ] Identify all certificates issued from PinnacleUserAuth with SAN != requester - [ ] Revoke the fraudulently issued administrator certificate (Serial: 6100000004B3E8C7A2D1)
Phase 3 — Domain Admin Escalation (~40 min)¶
Using the fraudulently obtained certificate, GOLDEN CIPHER authenticates as the domain administrator via Kerberos PKINIT (certificate-based Kerberos authentication). They use Rubeus to request a TGT using the forged certificate, successfully impersonating administrator@pinnacle-defense.example.com.
With domain admin privileges, the attacker performs systematic internal reconnaissance: enumerating domain trusts, Group Policy Objects, sensitive security groups, and high-value file shares. They identify a file server (FILE-CLASSIFIED, 10.10.2.15) hosting CUI and export-controlled technical data for the AEGIS radar program.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Windows Event ID 4768 | Kerberos TGT requested — Account: administrator@pinnacle-defense.example.com — Certificate Serial: 6100000004B3E8C7A2D1 — Source IP: 10.10.5.47 — Pre-Auth Type: 16 (PKINIT) — 2026-03-01T15:12:47Z |
| Windows Event ID 4624 | Logon — Account: PINNACLE\administrator — Logon Type: 3 (Network) — Source: 10.10.5.47 — Auth Package: Kerberos — 2026-03-01T15:12:48Z |
| Windows Event ID 4672 | Special privileges assigned — Account: PINNACLE\administrator — Privileges: SeDebugPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege — Source: 10.10.5.47 — 2026-03-01T15:12:48Z |
| LDAP Query Log | Source: 10.10.5.47 — Queries: (memberOf=CN=Domain Admins,*), (objectClass=trustedDomain), (objectClass=groupPolicyContainer) — Account: administrator — 127 LDAP queries in 8 minutes |
| SMB Access Log | 10.10.5.47 → 10.10.2.15 (FILE-CLASSIFIED) — Share: \\FILE-CLASSIFIED\AEGIS-Program — Account: administrator — 342 files accessed — 2026-03-01T15:28:00Z–16:45:00Z |
SecurityEvent
| where EventID == 4768
| where PreAuthType == "16" // PKINIT
| extend SourceHost = extract("IpAddress:\\s*(\\S+)", 1, EventData)
| join kind=leftanti (
DeviceInventory
| where HasSmartCardReader == true
| project DeviceIP
) on $left.SourceHost == $right.DeviceIP
| project TimeGenerated, Account, SourceHost, CertificateSerialNumber
| sort by TimeGenerated desc
Event
| where Source == "Microsoft-Windows-CertificationAuthority"
| where EventID == 4887
| extend Requester = extract("Requester:\\s*(.+?)\\s", 1, RenderedDescription)
| extend SAN = extract("Subject Alternative Name.*?=(.+?)\\s", 1, RenderedDescription)
| where Requester !contains extract("(.+?)@", 1, SAN)
| project TimeGenerated, Requester, SAN, CertificateTemplate, SerialNumber
Phase 3 — Discussion Inject
Technical: The 4768 event shows Pre-Auth Type 16 (PKINIT) from a workstation (WKST-ENG-047) that has no smart card reader. This is a strong anomaly signal. How would you build a detection rule that correlates PKINIT authentication events with hardware inventory to flag certificate-based auth from non-smart-card endpoints?
Decision: You have confirmed domain admin compromise via forged certificate. The attacker has been active for approximately 7 hours. Do you (A) immediately reset the administrator account password and revoke the certificate — alerting the attacker that you are aware, or (B) continue monitoring to understand full scope before taking containment action — risking further data exfiltration? What factors drive your decision?
Expected Analyst Actions: - [ ] Correlate Event 4768 (PKINIT) with source IP — verify smart card capability - [ ] Identify anomalous domain admin logon from engineering workstation - [ ] Review SMB access logs for sensitive file share access from unexpected sources - [ ] Revoke the forged certificate via CA management console - [ ] Reset domain admin credentials and force Kerberos ticket invalidation
Phase 4 — Golden Certificate Persistence (~50 min)¶
Having achieved domain admin access, GOLDEN CIPHER now targets the ultimate persistence mechanism: the CA server's private key. With domain admin privileges, the attacker accesses PINNACLE-SUB-CA (192.0.2.10) via RDP and exports the CA certificate and private key using certutil.
With the CA private key, the attacker can forge certificates for any user or computer in the domain — indefinitely. This is the "golden certificate" attack. Unlike golden tickets (which are invalidated by double-resetting the krbtgt account), golden certificates persist until the entire CA is rebuilt — the CA certificate and private key cannot be simply "rotated."
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Windows Event ID 4624 | RDP Logon — Account: PINNACLE\administrator — Logon Type: 10 (RemoteInteractive) — Source: 10.10.5.47 — Target: 192.0.2.10 (PINNACLE-SUB-CA) — 2026-03-01T17:02:14Z |
| Windows Event ID 4688 | Process: certutil.exe — CommandLine: certutil -exportPFX -p "REDACTED" my PINNACLE-SUB-CA C:\Windows\Temp\backup.pfx — User: PINNACLE\administrator — Host: 192.0.2.10 — 2026-03-01T17:08:33Z |
| Windows Event ID 4688 | Process: certutil.exe — CommandLine: certutil -backupKey C:\Windows\Temp\cakeys — User: PINNACLE\administrator — Host: 192.0.2.10 — 2026-03-01T17:09:01Z |
| File Access Audit | C:\Windows\Temp\backup.pfx created — Size: 4,096 bytes — 2026-03-01T17:08:34Z |
| SMB Transfer | 192.0.2.10 → 10.10.5.47 — File: backup.pfx — 2026-03-01T17:11:22Z |
| C2 Exfiltration | 10.10.5.47 → 198.51.100.44:443 — HTTPS POST — 4,096 bytes — 2026-03-01T17:15:03Z |
SecurityEvent
| where Computer contains "CA" or Computer contains "Certificate"
| where EventID == 4688
| where CommandLine has_any ("certutil", "-exportPFX", "-backupKey", "-backup", ".pfx")
| project TimeGenerated, Computer, Account, CommandLine, ParentProcessName
| sort by TimeGenerated desc
SecurityEvent
| where EventID == 4624
| where LogonType == 10 // RemoteInteractive (RDP)
| where Computer in ("PINNACLE-SUB-CA", "PINNACLE-ROOT-CA")
| project TimeGenerated, Account, SourceIP = IpAddress, Computer
| join kind=leftanti (
SecurityEvent
| where EventID == 4624 and LogonType == 10
| where Computer in ("PINNACLE-SUB-CA", "PINNACLE-ROOT-CA")
| where TimeGenerated between (ago(90d) .. ago(1d))
| distinct Account
) on Account
| sort by TimeGenerated desc
Phase 4 — Discussion Inject
Technical: The CA private key has been exfiltrated. This is the most severe form of AD persistence — golden certificates. Unlike golden tickets (mitigated by double krbtgt reset), golden certificates require rebuilding the entire CA hierarchy. What is the full remediation procedure? Consider: new root CA, new subordinate CA, re-issuance of all certificates (user, computer, service), OCSP/CRL updates, and trust anchor replacement across all domain-joined systems.
Decision: Full CA rebuild will take 2–4 weeks and will disrupt every certificate-dependent service: VPN, WiFi (EAP-TLS), smart cards, LDAPS, code signing, and encrypted email. Pinnacle has active defense contracts with SLA obligations. Do you (A) begin immediate CA rebuild accepting the disruption, (B) stand up a parallel CA infrastructure and migrate services gradually, or (C) revoke the compromised CA certificate and issue an emergency interim CA while building the permanent replacement? Each option has cost, time, and risk trade-offs.
Expected Analyst Actions: - [ ] Detect certutil execution on CA server — flag -exportPFX and -backupKey commands - [ ] Review RDP sessions to CA servers — identify unauthorized administrative access - [ ] Isolate the CA server from the network immediately - [ ] Assess all certificates issued after compromise — assume all are potentially forged - [ ] Begin CA rebuild planning — engage Microsoft PKI support - [ ] Notify DCSA (Defense Counterintelligence and Security Agency) per DFARS requirements
Phase 5 — Long-Term Persistence and Exfiltration (~30 min)¶
Before the security team detects the breach, GOLDEN CIPHER uses the exfiltrated CA private key to forge certificates for 3 service accounts with minimal monitoring: svc-backup, svc-sql-aegis, and svc-wsus. These forged certificates provide redundant persistent access that will survive password resets, account lockouts, and even krbtgt rotation. The attacker also creates a scheduled task on WKST-ENG-047 that executes a Cobalt Strike beacon via a forged code signing certificate, bypassing application whitelisting.
Over the next 14 days, GOLDEN CIPHER exfiltrates 2.3 GB of classified program data from the AEGIS file share, transmitting data in 50–100 KB increments over the HTTPS C2 channel to 198.51.100.44. The exfiltration occurs during business hours to blend with normal traffic patterns.
Evidence Artifacts:
| Artifact | Detail |
|---|---|
| Certificate Issuance (Forged) | SAN: svc-backup@pinnacle-defense.example.com — Issued by: PINNACLE-SUB-CA — Not by CA server (forged offline) — Serial: FORGED00000001 — 2026-03-02T02:14:00Z |
| Certificate Issuance (Forged) | SAN: svc-sql-aegis@pinnacle-defense.example.com — Issued by: PINNACLE-SUB-CA — Serial: FORGED00000002 — 2026-03-02T02:14:33Z |
| Certificate Issuance (Forged) | SAN: svc-wsus@pinnacle-defense.example.com — Issued by: PINNACLE-SUB-CA — Serial: FORGED00000003 — 2026-03-02T02:15:01Z |
| Scheduled Task | Host: WKST-ENG-047 — Task: \Microsoft\Windows\Maintenance\DiagCheck — Action: rundll32.exe C:\Windows\System32\diagperf.dll,EntryPoint — Trigger: Daily 08:00 — 2026-03-02T03:30:00Z |
| Network (Zeek) | 10.10.5.47 → 198.51.100.44:443 — 2.3 GB total over 14 days — Average session: 50–100 KB — Business hours only (08:00–17:00 EST) — 847 sessions |
| DLP Alert (Not Configured) | No DLP rules for CUI/ITAR-controlled data — No egress content inspection — Alert: N/A |
Phase 5 — Discussion Inject
Technical: Forged certificates do not appear in the CA's issued certificate database — they are created offline using the stolen CA key. How would you detect authentication using certificates that are not in the CA's issuance log? Consider: correlating 4768 (PKINIT) events with the CA's certificate database, deploying certificate transparency logging for internal CAs, and implementing OCSP stapling with strict validation.
Decision: The exfiltrated data likely includes ITAR-controlled technical data for the AEGIS radar system. Under DFARS 252.204-7012, Pinnacle must report the cyber incident to DCSA within 72 hours of discovery. The breach also triggers ITAR violation reporting to DDTC. Legal counsel advises that premature notification without full scope assessment could trigger contract termination. How do you balance regulatory compliance with business continuity?
Expected Analyst Actions: - [ ] Cross-reference all PKINIT authentication events with CA-issued certificate database - [ ] Identify certificates used for authentication that do not exist in CA records (forged) - [ ] Hunt for scheduled tasks created during the compromise window - [ ] Implement network-level blocking of C2 IP 198.51.100.44 - [ ] Preserve forensic images of WKST-ENG-047 and PINNACLE-SUB-CA - [ ] Initiate DFARS incident reporting procedures
Detection & Response¶
Key Detection Opportunities¶
| Detection Point | Event / Data Source | Query Logic |
|---|---|---|
| Certificate request with SAN mismatch | Event ID 4886, 4887 | Requester identity != SAN identity |
| PKINIT from non-smart-card host | Event ID 4768 (PreAuth=16) | Correlate with hardware inventory |
| Certutil on CA server | Event ID 4688 | CommandLine contains -exportPFX, -backupKey |
| RDP to CA server | Event ID 4624 (Type 10) | Source not in authorized admin list |
| Certificate not in CA database | PKINIT events vs CA issuance log | Authentication cert serial not in CA database |
| LDAP template enumeration | LDAP query logs | Queries to CN=Certificate Templates from non-admin hosts |
// Detect certificate requests where requester != SAN identity (ESC1 exploitation)
SecurityEvent
| where EventID in (4886, 4887)
| extend Requester = extract(@"Requester:\s*(\S+)", 1, EventData)
| extend SAN = extract(@"Subject Alternative Name.*?=(\S+@\S+)", 1, EventData)
| extend Template = extract(@"Certificate Template:\s*(.+?)(\s|$)", 1, EventData)
| where isnotempty(SAN)
| where Requester !has extract(@"(.+?)@", 1, SAN)
| project TimeGenerated, Requester, SAN, Template, Computer
| sort by TimeGenerated desc
Immediate Containment (0–4 hours)¶
- [ ] Revoke the compromised administrator certificate (Serial:
6100000004B3E8C7A2D1) - [ ] Isolate
WKST-ENG-047andPINNACLE-SUB-CAfrom the network - [ ] Block C2 IP
198.51.100.44at perimeter firewall and proxy - [ ] Reset
administrator,svc-backup,svc-sql-aegis,svc-wsuspasswords - [ ] Disable the
PinnacleUserAuthcertificate template immediately - [ ] Force Kerberos ticket invalidation via double
krbtgtreset (12-hour interval) - [ ] Revoke CA certificate via root CA CRL
Short-Term Actions (24–72 hours)¶
- [ ] Forensic imaging of compromised hosts and CA server
- [ ] Audit all 47 certificate templates for ESC1–ESC8 vulnerabilities
- [ ] Review all certificates issued in the past 30 days for SAN anomalies
- [ ] Deploy monitoring for Event IDs 4886, 4887, 4768 with SAN mismatch alerting
- [ ] Implement
certutil.exeexecution alerting on all CA servers - [ ] Initiate DFARS 252.204-7012 incident reporting to DCSA
Long-Term Actions (1–12 weeks)¶
- [ ] Rebuild CA hierarchy — new root CA, new subordinate CA, new key pairs
- [ ] Re-issue all user, computer, and service certificates from new CA
- [ ] Harden all certificate templates: remove
ENROLLEE_SUPPLIES_SUBJECT, require manager approval, restrict enrollment permissions to specific security groups - [ ] Deploy AD CS monitoring: PSPKIAudit scheduled scans, Event ID 4886/4887 SIEM correlation
- [ ] Implement PKINIT anomaly detection correlated with hardware inventory
- [ ] Restrict CA server access: PAW-only RDP, tiered admin model, disable remote
certutil - [ ] Deploy certificate transparency logging for internal CA infrastructure
- [ ] Conduct CMMC reassessment focusing on PKI controls
Lessons Learned¶
What Went Wrong¶
| Gap | Detail | Remediation |
|---|---|---|
| ESC1 vulnerable template deployed for 4 years | PinnacleUserAuth allowed any domain user to request certs with arbitrary SANs | Audit all templates with PSPKIAudit; remove ENROLLEE_SUPPLIES_SUBJECT flag; require manager approval |
| No certificate issuance monitoring | 4,847 certificates issued without SAN validation alerting | Deploy SIEM rules for Event IDs 4886/4887 with SAN mismatch detection |
| No CA server access controls | Domain admins could RDP directly to CA server | Implement PAW-only access, tiered admin model, just-in-time CA admin privileges |
| No certutil execution monitoring | CA private key exported without detection | Alert on certutil execution with -exportPFX, -backupKey, or -backup arguments |
| EDR alert under-triaged | Initial beacon alert classified Medium and queued for next-day review | Implement automated containment for unsigned DLL sideloading from temp directories |
| No DLP for CUI/ITAR data | 2.3 GB of controlled data exfiltrated without content inspection | Deploy DLP with CUI/ITAR classification; implement egress content inspection |
| CMMC assessment did not cover PKI | PKI infrastructure not assessed for AD CS-specific vulnerabilities | Include AD CS security review in all CMMC/NIST assessments |
What Went Right¶
| Control | Impact |
|---|---|
| Windows audit logging (4886, 4887, 4768) | Events were logged — enabled forensic reconstruction of the full attack chain |
| Zeek network monitoring | Captured C2 beacon pattern and data exfiltration volume |
| File access auditing on classified shares | Provided complete inventory of accessed/exfiltrated files |
| EDR detection of initial DLL sideload | Alert was generated (even though triage was delayed) |
ATT&CK Navigator Mapping¶
| Technique ID | Technique Name | Phase |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access |
| T1574.002 | Hijack Execution Flow: DLL Side-Loading | Execution |
| T1649 | Steal or Forge Authentication Certificates | Credential Access |
| T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Credential Access |
| T1078.002 | Valid Accounts: Domain Accounts | Privilege Escalation |
| T1484.001 | Domain Policy Modification: Group Policy Modification | Defense Evasion |
| T1003.006 | OS Credential Dumping: DCSync | Credential Access |
| T1556.005 | Modify Authentication Process: Reversible Encryption | Persistence |
| T1021.001 | Remote Services: Remote Desktop Protocol | Lateral Movement |
| T1005 | Data from Local System | Collection |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
Related Chapters¶
- Chapter 16 — Public Key Infrastructure — Certificate authorities, certificate lifecycle, PKI architecture
- Chapter 17 — Identity and Access Management — Kerberos authentication, PKINIT, credential management
- Chapter 45 — Active Directory Red Teaming — AD CS attacks, ESC1–ESC8, golden certificate techniques
Scenario Debrief
Operation Gilt Seal demonstrates that Active Directory Certificate Services represents one of the most dangerous and under-monitored attack surfaces in enterprise environments. A single misconfigured certificate template — deployed by a system integrator 4 years ago and never audited — enabled complete domain compromise and persistent access that survives every conventional remediation action except full CA rebuild. The golden certificate attack is uniquely devastating because the CA private key cannot be "rotated" like a password or krbtgt hash — remediation requires rebuilding the entire PKI hierarchy and re-issuing every certificate in the environment. Defense requires proactive AD CS auditing (PSPKIAudit, Certify), continuous monitoring of certificate issuance events (4886/4887), PKINIT anomaly detection, and strict access controls on CA servers. Every organization running AD CS should assume their templates are vulnerable until proven otherwise.