CVE-2022-26923 — Microsoft Active Directory Domain Services Privilege Escalation Vulnerability

Microsoft Active Directory Certificate Services — Certifried: Certificate-Based Domain Privilege Escalation to SYSTEM

What is Active Directory Certificate Services (AD CS)?

Active Directory Certificate Services (AD CS) is Microsoft's public key infrastructure (PKI) component, used to issue and manage digital certificates for users, computers, and services in Windows domains. AD CS is widely deployed but historically under-scrutinized from a security perspective. Certificates issued by AD CS are trusted by all domain members and can be used for authentication, including to impersonate any domain account. Security researchers at SpecterOps popularized AD CS attack research in 2021 ("Certified Pre-Owned"), and CVE-2022-26923 (Certifried) is a direct follow-on in that research line.

Overview

CVE-2022-26923, nicknamed Certifried, is a privilege escalation vulnerability in Microsoft Active Directory Domain Services. An authenticated domain user can manipulate attributes of a computer account they control — specifically the dNSHostName attribute — to match a domain controller, then request a certificate from AD CS that impersonates the domain controller. Using that certificate, the attacker can authenticate as the domain controller machine account and perform a DCSync attack to dump all domain credentials, achieving full domain compromise.

The vulnerability was discovered and publicly named by Oliver Lyak from Secura.

Affected Versions

Product                          Vulnerable                                                  Fixed
Windows Server 2008 R2 – 2022    Yes (AD DS + AD CS)                                         May 2022 CU
Windows 10 / 11 (AD-joined)      Not vulnerable themselves; serve as the attacker's foothold  N/A

The vulnerability requires AD CS to be deployed in the domain. Domains without AD CS are not affected.

Technical Details

The core issue (CWE-295: improper certificate validation) is that, when a machine account enrolls for a certificate, AD CS builds the certificate's identity from the account's dNSHostName attribute without verifying that the value actually belongs to the requesting account. A low-privilege domain user who can create or modify a machine account (e.g., via the default ms-DS-MachineAccountQuota of 10) can:

  1. Create a new machine account
  2. Set its dNSHostName attribute to match a domain controller (e.g., DC01.corp.local)
  3. Request a certificate using the default "Machine" or "DomainController" template
  4. Receive a valid certificate identifying the account as the domain controller
  5. Use that certificate to authenticate to the KDC via PKINIT, obtaining a Kerberos TGT as the DC machine account
  6. Perform DCSync using the DC machine account's replication privileges to dump all NTLM hashes and Kerberos keys in the domain

  • Prerequisites: Low-privilege domain account + AD CS deployed + machine account creation rights (default in most AD configurations)
  • Attack complexity: Low — well-tooled attack chain; Oliver Lyak released certifried.py for Impacket
  • Impact: Full Active Directory domain compromise via credential dumping

Discovery

Discovered by Oliver Lyak (ly4k) from Secura, published alongside the May 2022 Patch Tuesday. Lyak wrote detailed research and released proof-of-concept tooling.

Exploitation Context

CISA added this to KEV in August 2022, three months after patching, reflecting confirmed in-the-wild exploitation. The attack is attractive because it requires only a standard domain user account and the presence of AD CS — conditions met in the vast majority of enterprise Windows environments. The technique became well-known in the offensive security community and is incorporated into multiple post-exploitation frameworks.

Remediation

  1. Apply the May 2022 Patch Tuesday cumulative update to all domain controllers and AD CS servers
  2. After patching, run certutil -v -template to verify that machine certificate templates enforce proper dNSHostName binding
  3. Review who has Create Computer Objects rights in AD and reduce ms-DS-MachineAccountQuota to 0 where possible
  4. Enable AD CS auditing to detect unusual certificate requests (Event ID 4887 on the CA)
  5. Use the certmgr snap-in or certutil to audit certificates issued to machine accounts for anomalous dNSHostName values matching domain controllers
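The dNSHostName check that the technical details above describe and that remediation steps 3 and 5 call for, as an added PowerShell example (not from the advisory, Microsoft, or the researcher's tooling): it lists computer accounts whose dNSHostName does not match their own sAMAccountName and flags those colliding with a real domain controller. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to computer objects.

```powershell
# Added example (not from the original advisory): flag computer accounts whose
# dNSHostName does not match their own sAMAccountName, and especially those that
# collide with a domain controller's hostname. Assumes the RSAT ActiveDirectory
# module and a domain-joined host with read access to the computer objects.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$dnsSuffix = $domain.DNSRoot.ToLower()

# Hostnames of the real domain controllers, for collision checks
$dcNames = Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.ToLower() }

$findings = foreach ($c in Get-ADComputer -Filter * -Properties dNSHostName, whenChanged) {
    # Accounts with no dNSHostName cannot be used for this impersonation
    if (-not $c.dNSHostName) { continue }

    $actual = $c.dNSHostName.ToLower()
    # The name a correctly joined machine carries: sAMAccountName without the trailing '$'
    $expected = ($c.SamAccountName.TrimEnd('$') + '.' + $dnsSuffix).ToLower()

    if ($actual -ne $expected) {
        [pscustomobject]@{
            SamAccountName    = $c.SamAccountName
            dNSHostName       = $c.dNSHostName
            Expected          = $expected
            CollidesWithDC    = ($dcNames -contains $actual)
            DistinguishedName = $c.DistinguishedName
            WhenChanged       = $c.whenChanged
        }
    }
}

# DC collisions first: a non-DC account carrying a DC's name is the Certifried precondition
$findings |
    Sort-Object -Property @{Expression = 'CollidesWithDC'; Descending = $true}, SamAccountName |
    Format-Table -AutoSize
```

Hosts registered in a disjoint DNS namespace will show benign mismatches; the CollidesWithDC column is the signal to act on, and reviewing those objects' creator (mS-DS-CreatorSID) and the CA's Event ID 4887 entries for the same name completes the picture.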

Key Details

Property                Value
CVE ID                  CVE-2022-26923
Vendor / Product        Microsoft — Active Directory
NVD Published           2022-05-10
NVD Last Modified       2025-10-30
CVSS 3.1 Score          8.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-295
CISA KEV Added          2022-08-18
CISA KEV Deadline       2022-09-08
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2022-09-08. Apply updates per vendor instructions.

Timeline

Date          Event
2022-05-10    Microsoft patches CVE-2022-26923 in May 2022 Patch Tuesday; Oliver Lyak publishes Certifried research
2022-08-18    Added to CISA Known Exploited Vulnerabilities catalog
2022-09-08    CISA BOD 22-01 remediation deadline