Certiception: A honeypot for Active Directory Certificate Services (ADCS)
Certiception
Certiception is a honeypot for Active Directory Certificate Services (ADCS), designed to trap attackers with a realistic and attractive bait that triggers highly relevant alerts.
Developed by the SRLabs Red Team, Certiception creates a vulnerable-looking certificate template in your ADCS environment, sets up restrictions to prevent exploitation, and supports setting up effective alerting.
Background
In our Red Team and Incident Management engagements we regularly observe that lateral movement and privilege escalation go undetected. If detections trigger at all, they are not reacted to in a timely manner, because false positives are commonplace. We believe internal honeypots (aka. canaries, aka. deception tech) are an effective way for defenders to catch threats that make it through initial defenses.
Internal honeypots are intentional traps for attackers placed in your network. They look vulnerable but trigger an alert on exploitation. Here’s why we think deception has great potential:
- Low effort and cost: Setup can rely on existing tools such as a SIEM.
- High relevance alerts: A triggered honeypot hints at a significant threat, so the alerts are worth investigating.
- Low noise: Designed to trigger only on malicious activity, internal honeypots have a low false positive rate.
Despite their potential, we regularly encounter fundamentally ineffective deception setups. To help defenders create more effective honeypots, Certiception comes with an extensive deception strategy guide.
Active Directory Certificate Services (ADCS) is an ideal location for a honeypot:
- Easy Access: Accessible by all domain users, ADCS is easy for attackers to discover.
- High Stakes: Vulnerabilities can lead to full domain compromise, making exploitation highly attractive.
- Common Knowledge: Vulnerabilities and exploitation tools are widely known.
- Authenticity: Vulnerable ADCS templates are commonplace, raising little contempt.
- Under-Monitored: Many networks barely monitor ADCS, encouraging even cautious attackers to dare exploitation.
This is why we built Certiception.
This is how Certiception works:
Alerting
Certiception uses built-in Windows events from the CA and events generated by the TameMyCerts policy module. To get the built-in CA events with the required information, Certiception enables the extended audit log on the honey CA server.
We suggest alerting on critical and medium events:
| Event source | Event ID | Alert |
|---|---|---|
| TameMyCerts | 6 – CSR denied due to policy violation | CRITICAL – attempted exploitation via SAN |
| Windows Security Log | 4886 – Certificate enrollment requested | MEDIUM – Honey template was used |
| Windows Security Log | 4887 – Certificate issued | Not used, 4886 has more coverage |
| Windows Security Log | 4888 – Certificate request denied | Not used, TameMyCerts 6 is more precise when issuance fails non-malicious |
Certiception outputs ready-to-use SIGMA rules for the two different alerts. You only need to ensure the respective event IDs are onboarded into your SIEM and then setup alerting with the SIGMA rules.
