Introduction
During one pentest engagement, we showed how an attacker could use a single attack vector to take complete control of Active Directory. No zero-day exploits were used. No missing patches were exploited. Instead, the compromise relied exclusively on misconfigurations and day-to-day user behavior.
It began with one employee connecting to a malicious Wi-Fi network and ended in full Domain Admin control, complete access to any system, any data, and any account in the organization.
This case study dissects the attack, step by step, with a clear and concise explanation of how each phase works, and highlights what organizations can do to prevent a similar outcome.
Initial Access: Evil Twin Wi-Fi Attack
Neither did it come through phishing emails, and it wasn't malware. The entry happened outside of the building itself.
The red team deployed a rogue Wi-Fi access point broadcasting the company's enterprise Wi-Fi network name. This is a rather classic technique, better known as an evil twin attack. To an employee device, this fake network appeared indistinguishable from the real one.
Because many corporate laptops were not configured to strictly validate the Wi-Fi authentication certificate, some automatically connected. When prompted to authenticate, the user typed in their normal domain credentials, not thinking anything was wrong.
It captured the WPA2-Enterprise authentication data from the rogue access point. While that is not in plaintext, it is vulnerable to cracking offline. The red team used a standard password cracker to recover the employee's true domain password.
At this point, the attacker had valid credentials internally and could connect to the real corporate Wi-Fi, access VPN services, and interact with internal systems as would any other employee.
That single mistake provided the initial foothold.
Internal Reconnaissance and a Critical Discovery
Once inside the network, the next step was enumeration.
The aim was quite straightforward: find a path from a normal user to higher privileges.
One of the first services that was reviewed was Active Directory Certificate Services (AD CS). The service is commonly deployed for internal certificates, smart cards, or authentication, yet is often ignored from a security perspective.
During enumeration, the team identified a certificate template with some very dangerous settings assigned to it. First, any authenticated user could request a certificate from it. But even worse, the template allowed the requester to specify who the certificate was issued for.
In short, withholding this configuration allowed any regular user to request a certificate that impersonated another user, including a Domain Admin.
Understanding AD CS Misconfiguration (ESC2)
This particular weakness is more commonly referred to as ESC2, an Active Directory certificate escalation technique.
The vulnerable template had four critical issues:
• It enabled client authentication. In other words, certificates could be used for login.
• It granted enrollment rights to all domain users.
• It did not require approval before issuing certificates.
This allowed the requesting party to define the certificate subject, thereby allowing impersonation.
With this configuration, any regular user could request a certificate for the Domain Administrator account without knowing the password or invoking authentication challenges.
This bypasses passwords altogether. It also bypasses MFA.
From Active Directory's perspective, the certificate is trusted. If the certificate is valid, authentication succeeds.
Exploitation: Becoming Domain Admin without a password
The attacker used the stolen user credentials to request a certificate for the built-in Administrator account.
The certificate authority issued the requested certificate without hesitation. Seconds later, the attacker had a valid administrator certificate, stored in a PFX file. Using this certificate, the attacker authenticated to Active Directory via Kerberos certificate-based authentication. The domain controller accepted the login and issued a full administrator session.
At this point, the domain was successfully compromised.
No alerts fired. No login failures took place. As far as logging was concerned, it appeared to be a valid administrative login.
Credential Theft & Domain Control
With Domain Admin access, the attacker rapidly set about establishing long-term control.
They managed to access a domain controller and exfiltrated credential data, including the NTLM password hashes of privileged accounts. In real attacks, this often includes the KRBTGT account, which allows attackers to forge Kerberos tickets indefinitely.
With these credentials, the attacker did not rely on certificates or stolen passwords anymore. They had many ways of authenticating and moving laterally.
Lateral Movement and Persistence
Using the pass-the-hash techniques, the attacker gained access to other critical environment servers. File servers, application servers, and management systems were reachable with administrative privileges.
In addition, a new domain account was created and joined to the group called Domain Admins; this would be the hidden backdoor account that would survive should the original credentials be changed or certificates revoked.
In this phase, the attacker could:
• Access all data
• Disable security tools
• Deploy malware or ransomware
• Modify group policies
• Maintain long-term stealth access
This was a complete loss of domain integrity from a defensive standpoint.
Business Impact and Risk
The worst security incidents that can happen to an organization are those that include a full Active Directory compromise.
Attackers leveraging Domain Admin can impersonate executives, access confidential data, disrupt operations, and deploy ransomware across the entire environment.
What makes this scenario particularly dangerous is the quietness of it: no exploits, no malware, and no obvious alerts.
Everything happens via trusted services, valid credentials, and legitimate administrative workflows.
Strong passwords and patching would have been insufficient to prevent this attack.
Key Lessons Learned
The instant case underlines several critical realities:
• Wireless security misconfigurations may directly lead to domain compromise.
• AD CS is considered a high-risk service and should be treated as such.
• Certificate-based authentication, if misconfigured, can bypass MFA.
• If configuration mistakes exist, then attackers don’t need exploits.
Breaches all too often happen at the seams of systems, not in individual controls themselves.
Remediation and Prevention
The organization made the following key changes after the engagement:
Secure Enterprise Wi-Fi
All corporate devices were configured to perform strict authentication certificate validation. Users could not bypass warnings anymore. Authentication based on certificates was considered first.
AD CS Hardening
Removed dangerous certificate templates. Subject name injection appears to be disabled. Enrollment permissions are limited to particular accounts.
Require Certificate Approval
High-risk certificate templates must now be manually approved before issuance.
Certificate Activity Monitoring
Certificate issuance and authentication events are actively monitored and alerted on.
Minimize Credential Exposure
Privileged accounts are isolated, administrative usage is restricted, and credential reuse is at a minimum.
Final Thoughts: This incident shows how attackers chain small weaknesses into catastrophic outcomes. It took only a single Wi-Fi misconfiguration and an uncared-for certificate template to hand over the entire domain. Organizations need to be constantly checking not just what is deployed, but how it is configured. The most dangerous vulnerabilities are often those hiding in plain sight. Security is not just about stopping exploits; it's about closing the paths that the attackers actually use.
