Certipy
Certipy is an open-source tool used for Active Directory discovery and abuse, particularly around Active Directory Certificate Services (AD CS) and collection of Active Directory-related credential and certificate data. In the provided reporting, Cisco Talos observed the China-linked threat actor UAT-8837 deploying Certipy during post-compromise activity against critical infrastructure organizations in North America since at least 2025. The actor used it alongside tools such as Rubeus, SharpHound, Impacket, GoExec, Earthworm, and DWAgent after gaining initial access via exploitation of vulnerable servers or use of compromised credentials, including in activity involving Sitecore vulnerability CVE-2025-53690. Talos specifically described Certipy as being used for AD discovery and abuse and for enumerating Active Directory users, groups, SPNs, service accounts, and domain relationships, as well as collecting Active Directory-related credential and certificate data. The reporting does not provide Certipy-specific indicators of compromise, but places its use within broader UAT-8837 intrusions involving credential harvesting, Kerberos abuse, remote execution, tunneling, and Active Directory reconnaissance.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Persistence (3 techniques)
The result is a certificate being issued with the privileges of that AD security group, and all groups it is a member of, even if the requester is not part of those groups.
Any principal with GenericAll or WriteProperty on the dMSA (obtainable by the creator through the Owner -> WriteDacl -> GenericAll chain) can plant a Shadow Credential. A Shadow Credential is an X.509 certificate written to msDS-KeyCredentialLink that enables PKINIT authentication.
Privilege Escalation (3 techniques)
By leveraging misconfigurations in ADCS implementations, threat actors are able to escalate their privileges and impersonate high-value domain accounts, up to and including domain admins, possibly leading to full domain compromise.
Stealth (1 technique)
Defense Impairment (1 technique)
Credential Access (4 techniques)
Figure 9: PKINIT authentication as dmsa-adriana using the planted certificate. Cert in, hash out. Yes, this is UnPAC-the-hash... The KDC checks GroupMSAMembership, finds the dMSA's own SID, approves the request, and returns the KERB-DMSA-KEY-PACKAGE containing the superseded account's RC4 (NT hash).
Through these techniques, threat actors abuse certificate templates which don’t require manager approval and include enrollment rights for low-privileged users / groups.
So a better option is the shadow credentials attack... We will use this ACE to change the target user’s attribute msDS-KeyCredentialLink to our public key.
Discovery (3 techniques)
“SharpHound & Certipy: Used for deep reconnaissance of Active Directory environments.”
The first step for threat actors after initial access is usually enumeration. Threat actors need to enumerate the certificate templates available to their compromised user, as well as other AD attributes, in order to determine whether any of the ESC techniques is viable.
Certipy, a tool for Active Directory discovery and abuse
Lateral Movement (2 techniques)
Stage 5 - PKINIT authentication. Authenticate as the dMSA using the planted certificate: Figure 9: PKINIT authentication as dmsa-adriana using the planted certificate.
Now using this hash, authenticate to Machine with evil-winrm... evil-winrm -i 10.10.11.41 -u management_svc -H a091c1832bcdd4677c28b5a6a1295584
Collection (1 technique)
It leverages endpoint process and filesystem data to spot the creation of files with specific names or extensions associated with Certipy's information gathering and exfiltration activities.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
An AD CS enumeration/abuse tool used to collect certificate-related data and facilitate credential access via certificate services misconfigurations.
A tool used for Active Directory discovery and abuse, particularly in certificate services contexts.
Tool for enumerating and abusing AD CS misconfigurations to escalate privileges and obtain persistence via certificate-based attacks.