Dangerous ACLs Expose Certificate Containers
Cayosoft Threat Definition CTD-000142
Risk Summary
Non-default principals with elevated permissions on the NTAuthCertificates container can escalate privileges by adding a malicious Certificate Authority (CA) to the Active Directory trust hierarchy, enabling domain compromise.
- Severity: Critical
- Platform: Active Directory
- Category: Privileged Access Management
- MITRE ATT&CK Tactics: Credential Access
- MITRE D3FEND Tactics: Credential Hardening
Description
Non-default principals with elevated permissions on the NTAuthCertificates container pose a severe security risk. Improper Access Control Lists (ACLs) can allow attackers to insert a rogue CA, enabling the issuance of fraudulent certificates trusted by the domain. This undermines authentication integrity, facilitates credential theft, and can lead to full domain compromise.
Real-World Scenario
An attacker gains access to an account with delegated permissions over the NTAuthCertificates container. Without immediate detection, the attacker uses these rights to add a malicious CA to the environment. This CA issues valid-looking certificates, allowing the attacker to authenticate as privileged users, sign code, or decrypt traffic. The attack remains stealthy, bypassing many standard defenses, until critical systems are compromised. Cayosoft Guardian detects this misconfiguration before the attacker can exploit it, enabling rapid remediation.
Detect this and other threats with Cayosoft Guardian Protector (Free of Charge)
1.) Download Cayosoft Guardian Protector for free real-time threat detection and monitoring of your hybrid AD and Microsoft 365 environment. Once downloaded, sign in and navigate to the Threat Detection Dashboard.
2.) View All Alerts and search for CTD-000142 or Dangerous ACLs expose certificate containers.
3.) Open any alert and Click for details (from Raise Threat Alert action).
4.) Evidence:
- NTAuthCertificates object
- Container Distinguished Name with non-default permissions
- Object SID
- Permissions
Remediation Steps
1.) Open the ADSI Edit tool.
2.) Navigate to the Configuration container > Services > Public Key Services.
3.) Select NTAuthCertificates.
4.) Right-click to select Properties.
5.) Select the Security tab.
6.) Remove unexpected permissions.
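The ADSI Edit procedure above checks one forest by hand. The following PowerShell script is an added example, not part of the Cayosoft page or any Cayosoft product: it locates the NTAuthCertificates container from the forest's configuration naming context, lists every principal that holds write-class rights (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty) on it, and skips the principals expected on a default ACL. The allowlist of default principals is an assumption and must be checked against a known-good forest before you trust its output; the function and parameter names, and the sample principal in the commented usage line, are hypothetical. It requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the Cayosoft page): audit write-class ACEs on the
# NTAuthCertificates container and, after review, remove an unexpected explicit ACE.
Import-Module ActiveDirectory

# ASSUMPTION: principals expected on the default ACL. Verify this list against a
# known-good forest; anything missing here will be reported as a finding.
$DefaultPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators'
)
# Domain Admins and Enterprise Admins carry the NetBIOS domain prefix at runtime,
# so they are matched by their well-known RIDs (512 and 519) rather than by name.
$DefaultGroupRids = @('-512', '-519')

# Rights that let a principal modify the object or its security descriptor; these
# are the rights that allow a rogue CA certificate to be published into the store.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'

function Get-NTAuthCertificatesDN {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
}

function Test-IsDefaultPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    if ($DefaultPrincipals -contains $Identity.Value) { return $true }
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false   # unresolvable (e.g. orphaned SID): treat as non-default
    }
    foreach ($rid in $DefaultGroupRids) {
        if ($sid.EndsWith($rid)) { return $true }
    }
    return $false
}

function Find-NTAuthCertificatesDangerousAces {
    $dn  = Get-NTAuthCertificatesDN
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }
        if (Test-IsDefaultPrincipal $ace.IdentityReference) { continue }
        [pscustomobject]@{
            Container  = $dn
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            ObjectType = $ace.ObjectType   # all-zero GUID = right applies to the whole object
        }
    }
}

function Remove-NTAuthCertificatesAce {
    # Removes explicit (non-inherited) Allow ACEs for one principal; inherited ACEs
    # must be fixed at the parent object. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Principal)
    $dn  = Get-NTAuthCertificatesDN
    $acl = Get-Acl -Path "AD:\$dn"
    $toRemove = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited
    })
    if ($toRemove.Count -eq 0) {
        Write-Warning "No explicit ACE for $Principal on $dn"
        return
    }
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    if ($PSCmdlet.ShouldProcess($dn, "Remove explicit ACEs granted to $Principal")) {
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

# Usage: report first; remove only after confirming the principal is not a sanctioned PKI admin.
Find-NTAuthCertificatesDangerousAces | Format-Table -AutoSize
# Remove-NTAuthCertificatesAce -Principal 'CONTOSO\svc-legacy-pki' -WhatIf   # hypothetical principal
```

The audit deliberately ignores Deny ACEs and read-only rights, because the escalation described in this threat definition needs the ability to write the container (or rewrite its DACL or owner), not merely to read it. Running the report from a scheduled job and diffing its output against the previous run gives a simple change alarm on this object even without a monitoring product.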
How to Prevent It
Cayosoft Guardian can proactively detect and alert on the Dangerous ACLs Expose Certificate Containers threat. It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.
FAQ
Dangerous ACLs Expose Certificate Containers means that non-default or unauthorized principals have elevated permissions on the NTAuthCertificates container in Active Directory.
Improper permissions allow attackers to add a rogue Certificate Authority that becomes trusted by the domain, enabling certificate-based impersonation and potential full domain compromise.
Attackers can insert a malicious CA and issue certificates that allow authentication as privileged users, code signing, or decryption of protected communications without triggering password-based controls.
Cayosoft Guardian continuously evaluates permissions on critical Active Directory objects and identifies deviations from secure default ACL configurations.
Cayosoft Guardian provides early detection, detailed evidence of misconfigured permissions, and guided remediation to prevent attackers from abusing certificate trust relationships.
References
- Microsoft – Configure the NTAuth store
Final Thought
Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues like dangerous ACLs on certificate containers, you reduce your attack surface and strengthen your organization’s overall security posture.