Active Directory Certificate Services Monitoring & Blocking

What is a one sentence summary of your feature request?

Add the ability to monitor and/or block changes and usage of certificates within Active Directory to help detect and prevent ADCS abuse.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

ADCS is a hot topic in the Active Directory security space today, and a lot of research has been done on how certificates and certificate templates can be abused to create persistence or lead to privilege escalation. Monitoring the use of certificates and the modification of their permissions and configurations will help organizations understand potential threats occurring in the environment or changes that have left them vulnerable. Allowing for blocking changes to templates or use of certificates could help organizations limit the attack landscape entirely.

How do you currently solve the challenges you have by not having this feature?

Currently, tools exist to detect the current configurations of certificate templates and help in the remediation process of closing some of the gaps, but there are not many tools for monitoring or blocking activity with them.

ADCS has definitely been creating some buzz, and it is an area we know it'd be great to expand our monitoring and blocking capabilities into. PingCastle and Netwrix Access Analyzer currently have some reporting capabilities around ADCS configurations. Marking this as under review; we'll have the development team do some research regarding hooking ADCS processes and capturing activity events.