Tags: adcs, certificate mapping, binding. For administrators.

ADCS ESC14: a writable mapping that turns any cert into admin

An attacker writes an explicit certificate mapping onto a privileged account and, under weak binding, authenticates as it. The password was never the control, so you enforce strong binding.

Active Directory can map a certificate to an account explicitly through the altSecurityIdentities attribute, which is how some legitimate smart-card and cross-forest setups work. ESC14 abuses that mapping to impersonate a privileged account without ever touching its password.

How the attack works

An attacker with write access to a privileged account’s altSecurityIdentities adds an explicit certificate mapping pointing to a certificate they control. The certificate need not have been issued to the target, only match the issuer and subject the mapping specifies. Because the domain still allows weak certificate binding, that attacker-held certificate now maps to the privileged account. The attacker authenticates to a domain controller using the mapped certificate and receives a Kerberos ticket for the privileged account, then exercises that context against Tier-0 resources. In ATT&CK terms this is T1649, Steal or Forge Authentication Certificates, with T1098, Account Manipulation. The tell is an altSecurityIdentities write on a privileged account followed by authentication from a certificate that account never held.

Why it works

The grant is the mapping plus weak binding, not a credential. Resetting the account password is irrelevant because the certificate authentication never used the password.

How to fix it

Remove the rogue altSecurityIdentities mapping and enforce strong certificate binding so weak issuer-and-subject mappings stop authenticating. Revoking the one certificate is not enough, because the attacker can present another that matches the mapping. Then audit and lock down who can write altSecurityIdentities on privileged accounts, and migrate any legitimate explicit mappings to strong, SID-based mappings. Sweep current mapping values across privileged accounts to catch any already in place.
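The sweep, removal and enforcement steps above as one script, added here as an example rather than the field note's own tooling. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, an account that can read Tier-0 objects and remote to every DC, and the PLACEHOLDER DN and mapping value are stand-ins for whatever the sweep surfaces.

```powershell
# Added example (not from the field note). Assumes RSAT ActiveDirectory and rights to
# read Tier-0 objects and to remote to every domain controller.
Import-Module ActiveDirectory

function Get-CertMappingStrength {
    # Classify one altSecurityIdentities value. Per KB5014754 only these X509 forms are
    # strong (each pins one certificate); <I>..<S>.., <S>.. and <RFC822>.. are weak.
    param([Parameter(Mandatory)][string]$Mapping)
    if ($Mapping -notmatch '^X509:') { return 'other' }   # e.g. Kerberos: mappings
    if ($Mapping -match '^X509:<I>.+<SR>[0-9A-Fa-f]+$')     { return 'strong' }
    if ($Mapping -match '^X509:<SKI>[0-9A-Fa-f]+$')         { return 'strong' }
    if ($Mapping -match '^X509:<SHA1-PUBKEY>[0-9A-Fa-f]+$') { return 'strong' }
    return 'weak'
}

# 1. Sweep: every SDProp-protected account (adminCount=1) carrying an explicit mapping.
$findings = foreach ($obj in Get-ADObject -LDAPFilter '(&(adminCount=1)(altSecurityIdentities=*))' `
        -Properties sAMAccountName, altSecurityIdentities) {
    foreach ($m in $obj.altSecurityIdentities) {
        [pscustomobject]@{
            Account  = $obj.sAMAccountName
            DN       = $obj.DistinguishedName
            Strength = Get-CertMappingStrength -Mapping $m
            Mapping  = $m
        }
    }
}
$findings | Sort-Object Strength, Account | Format-Table -AutoSize
# Every weak mapping on a privileged account needs a named owner; one nobody claims is the ESC14 tell.

# 2. Remove a confirmed rogue value (PLACEHOLDER values; take real ones from the sweep output).
$rogueDn      = 'CN=PLACEHOLDER-ADMIN,OU=Tier0,DC=example,DC=invalid'
$rogueMapping = 'X509:<I>DC=invalid,DC=example,CN=PLACEHOLDER-CA<S>CN=PLACEHOLDER-SUBJECT'
Set-ADObject -Identity $rogueDn -Remove @{ altSecurityIdentities = $rogueMapping }

# 3. Enforce strong binding on every DC so any remaining weak mapping stops authenticating
#    (Kdc\StrongCertificateBindingEnforcement = 2 is Full Enforcement per KB5014754).
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    Set-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -Value 2 -Type DWord
    [pscustomobject]@{
        DC      = $env:COMPUTERNAME
        Setting = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement).StrongCertificateBindingEnforcement
    }
}
```

Before running step 3, review System log events 39, 40 and 41 from Kerberos-Key-Distribution-Center on each DC; in Compatibility mode they record the certificates that full enforcement will reject, which is where legitimate mappings still needing migration show up.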

Practice it

We built this as a GraphLattice Range scenario so administrators can rehearse the mapping-write detection and the strong-binding enforcement that closes it.