Mapped Certificates on Accounts

critical

Description

Microsoft provides a feature called security identity mapping, which attaches a certificate to an account or a group. In certain scenarios this mapping can serve as an alternate credential for authenticating to resources.
However, a certificate mapped to a privileged account is dangerous if that certificate is not protected as well as the sensitive account itself. Such a mapping can also indicate a persistence mechanism that an attacker set up earlier.

Solution

Whenever there is an alternate security identity set on a privileged Active Directory account, you should evaluate it to decide whether or not to accept the risk of elevation of privileges. When in doubt, you can safely remove it.
Note: This feature does not relate to the use of smart cards, which remains a strong security option for authentication with proper configuration.
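The following PowerShell audit is an added example, not part of the original indicator page or of any vendor tooling. It lists every directory object whose altSecurityIdentities attribute (the attribute behind security identity mapping) is populated, flags the privileged ones so they can be reviewed first, and shows how the mapping is cleared once it has been judged unnecessary. It assumes the ActiveDirectory RSAT module, a domain-joined session with read access, and adminCount=1 as a proxy for "privileged"; the distinguished name in the removal line is a constructed placeholder.

```powershell
# Added audit example (not from the original page): enumerate accounts and
# groups that carry an alternate security identity and flag privileged ones.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

# "Privileged" is approximated here by adminCount=1, which SDProp sets on
# members of protected groups; adjust to your own definition if needed.
$mapped = Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' `
    -Properties altSecurityIdentities, adminCount, objectClass

$report = foreach ($obj in $mapped) {
    # altSecurityIdentities is multi-valued: one row per mapping string
    foreach ($mapping in $obj.altSecurityIdentities) {
        [pscustomobject]@{
            Account    = $obj.DistinguishedName
            Class      = $obj.objectClass
            Privileged = ($obj.adminCount -eq 1)
            Mapping    = $mapping   # e.g. X509:<I>issuer<S>subject
        }
    }
}

# Privileged accounts first: these are the ones the indicator is about.
$report | Where-Object Privileged | Sort-Object Account | Format-Table -AutoSize

# Everything else, for completeness of the review.
$report | Where-Object { -not $_.Privileged } | Sort-Object Account | Format-Table -AutoSize

# Once a mapping on a privileged account is judged unnecessary, clear the
# attribute. The DN below is a constructed placeholder; confirm nothing
# legitimately depends on the mapping before running this line.
# Set-ADObject -Identity 'CN=svc-backup,OU=Admins,DC=example,DC=com' -Clear altSecurityIdentities
```

Run the enumeration regularly (or feed its output to a ticketing or SIEM pipeline) so that a newly added mapping on a privileged account is noticed rather than discovered during an incident; a mapping that appears on an admin account without a corresponding change request is exactly the persistence signal the indicator describes.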

See Also

Mapping a client certificate to an AD domain account using clientCertificateMappingAuthentication

Map a certificate to a user account

Mapping certificates to user accounts

Indicator Details

Name: Mapped Certificates on Accounts

Codename: C-SENSITIVE-CERTIFICATES-ON-USER

Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0003

Techniques: T1098

Attacker Known Tools

Gentil Kiwi: Kekeo