Certiception: An Active Directory Certificate Services Honeypot

This morning, I stumbled across a post highlighting a honeypot designed for Active Directory Certificate Services. It is called Certiception, and the contribution is from the fine team over at SRLabs, a German research company. The following is the background and value proposition for the tool in their own words:

Background

Certiception is a honeypot for Active Directory Certificate Services (ADCS), designed to trap attackers with a realistic and attractive bait that triggers highly relevant alerts.

Developed by the SRLabs Red Team, Certiception creates a vulnerable-looking certificate template in your ADCS environment, sets up restrictions to prevent exploitation, and supports in setting up effective alerting.

Originally released at Troopers24, Certiception comes with a strategic guide to effective deception: The Red Teamers’ guide to deception

tl;dr: From an attacker’s perspective: Looks vulnerable, Exploitation fails¹.

In our Red Team and Incident Management engagements we regularly observe that lateral movement and privilege escalation go undetected. If detections trigger at all, they are not reacted to in a timely manner, because false positives are commonplace. We believe internal honeypots (aka. canaries, aka. deception tech) are an effective way for defenders to catch threats that make it through initial defenses.

Internal honeypots are intentional traps for attackers placed in your network. They look vulnerable but trigger an alert on exploitation. Here’s why we think deception has great potential:

• Low effort and cost: Setup can rely on existing tools such as a SIEM.
• High relevance alerts: A triggered honeypot hints at a significant threat, so the alerts are worth investigating.
• Low noise: Designed to trigger only on malicious activity, internal honeypots have a low false positive rate.

Despite their potential, we regularly encounter fundamentally ineffective deception setups. To help defenders create more effective honeypots, Certiception comes with an extensive deception strategy guide.

Active Directory Certificate Services (ADCS) is an ideal location for a honeypot:

1. Easy Access: Accessible by all domain users, ADCS is easy for attackers to discover.
2. High Stakes: Vulnerabilities can lead to full domain compromise, making exploitation highly attractive.
3. Common Knowledge: Vulnerabilities and exploitation tools are widely known.
4. Authenticity: Vulnerable ADCS templates are commonplace, raising little contempt.
5. Under-Monitored: Many networks barely monitor ADCS, encouraging even cautious attackers to dare exploitation.

This is why we built Certiception².

Architecture and Operation of Certiception

According to the authors of their GitHub page, Certiception is designed to resemble a new Certificate Authority (CA) in the environment. The tool configures an ESC1 honeypot, installs and configures the TameMyCerts policy module to stop issuance if a Certificate Signing Request (CSR) contains a Subject Alternative Name (SAN), enables an extended audit log to include template names in event logs, prints a SIGMA rule for your SIEM, and eventually will set up continuous checks with Certify to catch any other CA enabling the vulnerable template³.

Initial Analysis of Certiception

Certiception is being released to the open source community as a means for providing a high fidelity, low noise warning system for Active Directory Certificate Services. While general, stable usage is not expected for a week or so as they continue to provide stability and usability improvements, the tool promises to address a juicy target on most Active Directory implementations: Certificate Services. ADCS is extremely easy to discover in the environment, as it is accessible to all users in AD.

Generally speaking, honeypots and other deception technologies can be a great compliment in an Enterprise setting, as they are generally low effort to set up and inexpensive to implement. They produce high relevance alerts, signifying a significant threat. Finally, they are low noise, designed to trigger only on malicious activity⁴.

In my opinion, Certiception checks off all of the boxes for a solid contribution to the Information Security industry. While it remains to be seen how stable or reliable Certiception is, early indications are that the tool has the potential to be incredibly valuable in an Active Directory environment. I look forward to installing and interacting with the tool.

1. SRLabs, Certiception, (2024), GitHub Repository, https://www.github.com/srlabs/certiception ↩︎
2. SRLabs, Certiception, (2024), GitHub Repository, https://www.github.com/srlabs/certiception ↩︎
3. SRLabs, Certiception, (2024), GitHub Repository, https://www.github.com/srlabs/certiception ↩︎
4. SRLabs. (2024, July 10). Certiception: The ADCS Honeypot We Always Wanted. Retrieved from Security Research Labs: https://www.srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted ↩︎