Cyber security

Certiception – Reinventing Network Security With Deceptive Active Directory Certificate Services

Certiception is a honeypot for Active Directory Certificate Services (ADCS), designed to trap attackers with a realistic and attractive bait that triggers highly relevant alerts.

Developed by the SRLabs Red Team, Certiception creates a vulnerable-looking certificate template in your ADCS environment, sets up restrictions to prevent exploitation, and supports in setting up effective alerting.

Originally released at Troopers24, Certiception comes with a strategic guide to effective deception: The Red Teamers’ guide to deception

Background

In our Red Team and Incident Management engagements we regularly observe that lateral movement and privilege escalation go undetected.

If detections trigger at all, they are not reacted to in a timely manner, because false positives are commonplace.

We believe internal honeypots (aka. canaries, aka. deception tech) are an effective way for defenders to catch threats that make it through initial defenses.

Internal honeypots are intentional traps for attackers placed in your network.

They look vulnerable but trigger an alert on exploitation. Here’s why we think deception has great potential:

  • Low effort and cost: Setup can rely on existing tools such as a SIEM.
  • High relevance alerts: A triggered honeypot hints at a significant threat, so the alerts are worth investigating.
  • Low noise: Designed to trigger only on malicious activity, internal honeypots have a low false positive rate.

Despite their potential, we regularly encounter fundamentally ineffective deception setups. To help defenders create more effective honeypots, Certiception comes with an extensive deception strategy guide.

Active Directory Certificate Services (ADCS) is an ideal location for a honeypot:

  1. Easy Access: Accessible by all domain users, ADCS is easy for attackers to discover.
  2. High Stakes: Vulnerabilities can lead to full domain compromise, making exploitation highly attractive.
  3. Common Knowledge: Vulnerabilities and exploitation tools are widely known.
  4. Authenticity: Vulnerable ADCS templates are commonplace, raising little contempt.
  5. Under-Monitored: Many networks barely monitor ADCS, encouraging even cautious attackers to dare exploitation.

This is why we built Certiception.

Concept

Certiception sets up a new CA in your environment and configures an ESC1 honeypot.

It is implemented as an Ansible playbook calling multiple roles. Overall, the following steps are executed:

  • Set up a new CA, add a “vulnerable” ESC1 template and enable it only on the new CA
  • Install and configure the TameMyCerts policy module to prevent issuance if certificate signing requests contain a SAN
  • Enable extended audit log to include template names in event logs
  • Print a SIGMA rule to set up alerting in your SIEM
  • Set up continuous checks with Certify to catch any other CA enabling the vulnerable template (not pushed yet, will be added to the repo in the next days)

Parameters like the CA or template name can be customized to disguise the honeypot.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

SpyAI : Intelligent Malware With Advanced Capabilities

SpyAI is a sophisticated form of malware that leverages advanced technologies to capture and analyze…

3 hours ago

Proxmark3 : The Ultimate Tool For RFID Security And Analysis

The Proxmark3 is a versatile, open-source tool designed for radio-frequency identification (RFID) security analysis, research,…

3 hours ago

Awesome Solana Security : Enhancing Program Development

The "Awesome Solana Security" collection is a comprehensive resource designed to help developers build more…

3 hours ago

IngressNightmare-POCs : Understanding The Vulnerability Exploitation Flow

The "IngressNightmare" vulnerabilities, disclosed in March 2025, represent a critical set of security issues affecting…

4 hours ago

AdaptixC2 : Enhancing Penetration Testing With Advanced Framework Capabilities

AdaptixC2 is an advanced post-exploitation and adversarial emulation framework designed specifically for penetration testers. It…

4 hours ago

Bincrypter : Enhancing Linux Binary Security through Runtime Encryption And Obfuscation

Bincrypter is a powerful Linux binary runtime crypter written in BASH. It is designed to…

4 hours ago