Research by:  
Balthasar Martin, Niklas van Dornick

Certiception: The ADCS honeypot we always wanted

We regularly challenge and beat Fortune 500 defenses. Often, a decent ADCS honeypot could have stopped us. So we built one.

We are excited to release Certiception, our Active Directory Certificate Services (ADCS) honeypot tool.

Developed by the SRLabs Red Team, Certiception is designed to trap attackers with a realistic and attractive bait that triggers highly relevant alerts. Certiception comes with an extensive deception strategy guide.

What is Certiception?

Certiception sets up a vulnerable certificate template in your ADCS environment. While the template looks unsuspicious and attractive to attackers, restrictions prevent actual exploitation. Any attempted exploitation fails and triggers a meaningful alert.

Why Honeypots?

In our Red Team and Incident Management engagements we regularly observe that lateral movement and privilege escalation go undetected. When detections do trigger, they are often not acted on in time, because false positives are commonplace.

Internal honeypots offer great potential if placed and configured well

Internal honeypots, also known as canaries or deception technologies, provide a highly effective and cost-efficient method to trigger meaningful alerts once a threat has bypassed initial defenses:

  • Low Effort and Cost: Setup can rely on existing tools such as a SIEM.
  • High Relevance Alerts: A triggered honeypot hints at a significant threat, so the alerts are worth investigating.
  • Low Noise: Designed to trigger only on malicious activity, internal honeypots have a low false positive rate.

Despite their potential, we regularly encounter fundamentally ineffective deception setups. To help defenders create more effective honeypots, our slide release for Certiception contains a strategic guide to deception and how to get started.

ADCS is an ideal honeypot location

Active Directory Certificate Services (ADCS) is an ideal location for a honeypot:

  • Easy Access: Accessible by all domain users, ADCS is easy for attackers to discover.
  • High Stakes: Vulnerabilities can lead to full domain compromise, making exploitation highly attractive.
  • Common Knowledge: Vulnerabilities and exploitation tools are widely known.
  • Authenticity: Vulnerable ADCS templates are commonplace, so one more raises little suspicion.
  • Under-Monitored: Many networks barely monitor ADCS, encouraging even cautious attackers to dare exploitation.

How does Certiception work?

Certiception sets up a new Certificate Authority (CA) in your environment and configures an ESC1 honeypot template on it. Extended audit logs and SIGMA rules for your SIEM set the foundation for effective and meaningful alerting. Continuous checks catch any other CA enabling the vulnerable template.
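To make the two detection mechanisms concrete, here is an added example (not Certiception's own code) that runs honeypot-template alerting and the "no other CA publishes the template" check over constructed ADCS audit records. It assumes Certification Services auditing is enabled on the CA (Windows Security event IDs 4886, 4887 and 4888), that events are already parsed into dicts, and it uses placeholder names for the honeypot template and CA.

```python
# Added example, not part of Certiception. Detection logic in the spirit of the
# post's SIGMA rules and continuous checks, run over constructed sample records.
import re

HONEYPOT_TEMPLATE = "LegacyUserAuth"   # placeholder: name of the honeypot template
HONEYPOT_CA = "CORP-HONEY-CA"          # placeholder: the only CA allowed to publish it

# Security event IDs a CA writes with Certification Services auditing enabled.
CA_REQUEST_EVENTS = {4886: "received", 4887: "issued", 4888: "denied"}

# Constructed sample records; "Attributes" mirrors the multi-line request
# attribute string the CA logs, which carries the requested template name.
SAMPLE_EVENTS = [
    {"EventID": 4886, "Computer": "CORP-HONEY-CA", "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User\nccm:WS01.corp.local"},
    {"EventID": 4886, "Computer": "CORP-HONEY-CA", "Requester": "CORP\\svc-backup",
     "Attributes": "CertificateTemplate:LegacyUserAuth\nccm:WS07.corp.local"},
    {"EventID": 4888, "Computer": "CORP-HONEY-CA", "Requester": "CORP\\svc-backup",
     "Attributes": "CertificateTemplate:LegacyUserAuth\nccm:WS07.corp.local"},
    {"EventID": 4887, "Computer": "CORP-ISSUING-CA", "Requester": "CORP\\WS01$",
     "Attributes": "CertificateTemplate:Machine"},
]

def template_of(event):
    """Extract the template name from the Attributes string (None if absent)."""
    m = re.search(r"CertificateTemplate:([^\r\n]+)", event.get("Attributes", ""))
    return m.group(1).strip() if m else None

def honeypot_alerts(events, template=HONEYPOT_TEMPLATE):
    """Every request naming the honeypot template is an alert, whatever its
    outcome: nobody uses the template legitimately, so 'received' already means
    an attempt, and 'denied' confirms the built-in restriction held."""
    return [{"ca": e["Computer"], "requester": e["Requester"],
             "outcome": CA_REQUEST_EVENTS[e["EventID"]]}
            for e in events
            if e["EventID"] in CA_REQUEST_EVENTS and template_of(e) == template]

def rogue_enablement(ca_templates, template=HONEYPOT_TEMPLATE, honeypot_ca=HONEYPOT_CA):
    """Continuous check: report any CA other than the honeypot CA that publishes
    the template. ca_templates maps CA name -> list of published template names
    (e.g. read from each pKIEnrollmentService object's certificateTemplates)."""
    return sorted(ca for ca, names in ca_templates.items()
                  if template in names and ca != honeypot_ca)

if __name__ == "__main__":
    for alert in honeypot_alerts(SAMPLE_EVENTS):
        print("ALERT: honeypot template requested:", alert)
    print("rogue CAs:", rogue_enablement({
        "CORP-HONEY-CA": ["LegacyUserAuth"],
        "CORP-ISSUING-CA": ["User", "Machine", "LegacyUserAuth"]}))
```

In a SIEM the same rule is a filter on the three event IDs plus a substring match on the template name; the point is that the alert fires on the request itself, not only on a successful issuance.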

Get Started with Certiception!

Certiception is available open source on GitHub.

For a detailed guide on setting up honeypots and using Certiception, check out our strategic guide and Troopers24 presentation "The Red Teamers’ Guide to Deception".

Balthasar Martin: @BalthasarMartin / @balthasar@infosec.exchange
Niklas van Dornick: @n1v4d0 / @n1v4d0@infosec.exchange
