Tags: intune, certificate-based auth, for administrators

The certificate connector as a credential factory: SCEP and PKCS abuse

Retarget an Intune issuance profile and the certificate connector will mint auth certs for anyone. You cannot reset a password against a cert, so containment is different.

The Intune SCEP or PKCS certificate connector is a credential factory. It mints certificates that authenticate as devices and users. If an attacker can retarget the issuance profile, they can mint a certificate to be anyone.

How the attack works

The attacker modifies a SCEP or PKCS certificate profile to broaden the subject, the subject alternative name, or the assignment scope (which devices or users the profile is delivered to) so that it covers the identities they want to impersonate. The connector then mints device or user certificates through the altered profile, carrying the broadened subject or SAN. Because the organization's own connector and CA issued them, they chain to a trusted root and pass certificate-based authentication, reaching corporate resources as the targeted identity. In ATT&CK terms this is Steal or Forge Authentication Certificates, T1649, leading to Use Alternate Authentication Material, T1550.

Why it works

Certificate-based auth is meant to attest a real identity, but the issuance pipeline that produces those certificates can be quietly retargeted. A certificate authenticating, an online connector, and devices requesting certificates are all normal behavior, so the abuse hides inside expected activity. The profile change in the audit log, landing shortly before a burst of issuance and authentication under the new subject or SAN, is the only clear tell, and it is visible only if profile edits are logged and someone is reading them.

How to fix it

You cannot reset a password against a certificate, and revoking only the certificate you happened to notice leaves every other one the attacker minted in place. Treat every certificate issued through the abused profile as compromised: revoke all of them, rotate the certificate connector's credentials, and disable the altered profile so issuance stops. Revocation only takes effect where the relying party actually checks the CRL or OCSP responder, so confirm that every service accepting these certificates does, and that the revocation list it fetches is published promptly. For the durable fix, restrict who can edit certificate profiles, give the connector and the CA template it issues from only the permissions the intended issuance needs, and reconcile issued certificates against expected requests while alerting on any change to a certificate profile.
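The detection and containment logic from the sections above, written out as an added example (not code from the original field note or from Microsoft). It runs over constructed, simplified audit and issuance records: the record layouts, field names (`subject`, `san`, `scope`), device inventory and profile names such as `SCEP-UserAuth` are assumptions for illustration, not the real Intune or Graph audit schema. The flagging rule treats a subject or SAN template that loses its per-requester `{{variable}}` as broadened to a fixed identity, and a scope widened to all devices or users as broadened; widening to another named group is not flagged here and still deserves review.

```python
"""Detection and containment for a retargeted Intune SCEP/PKCS profile.

Added example, not code from the original field note or from Microsoft.
Record layouts and sample data are constructed and simplified; real Intune
audit and CA issuance records use different schemas (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ProfileChange:
    ts: datetime
    actor: str
    profile: str
    field: str   # "subject", "san", "scope", or anything else (assumed field names)
    old: str
    new: str


@dataclass(frozen=True)
class Issuance:
    ts: datetime
    profile: str
    serial: str
    requester: str   # enrolled device that submitted the request
    san: str         # identity the connector actually put in the cert


# Constructed inventory: the identity each enrolled device may request for.
DEVICE_OWNER = {
    "dev-1001": "alice@corp.example",
    "dev-1002": "bob@corp.example",
}


def broadens(change: ProfileChange) -> bool:
    """True when an edit lets the profile issue for identities beyond the
    requester: a subject/SAN template that drops its per-requester {{variable}}
    now names one fixed identity for everyone, or the assignment scope widens
    to every device or user."""
    if change.field in ("subject", "san"):
        return "{{" in change.old and "{{" not in change.new
    if change.field == "scope":
        return change.new.lower() in ("all devices", "all users")
    return False


def flag_profile_changes(changes):
    """The audit-log tell: certificate-profile edits that broaden issuance."""
    return [c for c in changes if broadens(c)]


def issuances_after_change(change, issuances, window=timedelta(hours=1)):
    """Certificates the edited profile minted shortly after the edit."""
    return [i for i in issuances
            if i.profile == change.profile and change.ts < i.ts <= change.ts + window]


def reconcile(issuances):
    """Issuances whose SAN is not the identity the requester is entitled to.
    Unknown requesters are flagged too; a widened scope pulls those in."""
    return [i for i in issuances
            if DEVICE_OWNER.get(i.requester, "").lower() != i.san.lower()]


def containment_plan(changes, issuances):
    """Everything the abused profile issued is treated as compromised, not just
    the certificate that was noticed. Narrow to the post-change window only if
    the issuance log is complete and trusted."""
    abused = {c.profile for c in flag_profile_changes(changes)}
    return {
        "disable_profiles": sorted(abused),
        "revoke_serials": sorted(i.serial for i in issuances if i.profile in abused),
        "rotate_connector": bool(abused),
    }


def _t(h, m):
    return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)


# Constructed sample records: a benign edit, then a SAN retarget and a scope widening.
SAMPLE_CHANGES = [
    ProfileChange(_t(9, 40), "pki-admin@corp.example", "SCEP-UserAuth", "renewal_threshold", "20", "30"),
    ProfileChange(_t(9, 58), "helpdesk-temp@corp.example", "SCEP-UserAuth", "san", "{{UserPrincipalName}}", "itadmin@corp.example"),
    ProfileChange(_t(9, 59), "helpdesk-temp@corp.example", "SCEP-UserAuth", "scope", "grp-eng-devices", "All devices"),
]
SAMPLE_ISSUANCES = [
    Issuance(_t(9, 30), "SCEP-UserAuth", "1A", "dev-1001", "alice@corp.example"),
    Issuance(_t(10, 5), "SCEP-UserAuth", "2B", "dev-1001", "itadmin@corp.example"),
    Issuance(_t(10, 6), "SCEP-UserAuth", "2C", "dev-9999", "itadmin@corp.example"),
    Issuance(_t(10, 10), "PKCS-DeviceAuth", "3D", "dev-1002", "bob@corp.example"),
]

if __name__ == "__main__":
    for c in flag_profile_changes(SAMPLE_CHANGES):
        print(f"ALERT {c.ts:%H:%M} {c.actor} changed {c.profile}.{c.field}: {c.old!r} -> {c.new!r}")
        for i in issuances_after_change(c, SAMPLE_ISSUANCES):
            print(f"  minted {i.serial} for {i.requester} as {i.san}")
    print("reconcile:", [i.serial for i in reconcile(SAMPLE_ISSUANCES)])
    print("plan:", containment_plan(SAMPLE_CHANGES, SAMPLE_ISSUANCES))
```

On the sample data the two edits by the temporary helpdesk account are flagged, the two certificates minted as `itadmin@corp.example` afterwards fail reconciliation (one from a device the widened scope pulled in), and the plan disables the profile and revokes all three certificates it ever issued, including the legitimate one from before the edit. Feeding real data means mapping your audit export and CA database onto these two record types and replacing the inventory lookup with your device-to-owner source of truth.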

Practice it

We built this as a GraphLattice Range scenario so administrators can rehearse spotting a broadened issuance profile, revoking the minted certs, and rotating the connector trust.