Back to Intelligence

Metasploit 2026 Update: New Kerberos & Certificate Tracing — Detection and Hardening

SA
Security Arsenal Team
June 12, 2026
6 min read

In the June 2026 Metasploit Weekly Update, Rapid7 introduced significant quality-of-life improvements for operators: KerberosTicketTrace and CertificateTrace. While these options are designed to streamline debugging and module development, they represent a maturation of the offensive toolset available to adversaries. By providing granular visibility into Kerberos tickets and digital certificates handled by modules, Metasploit lowers the barrier to successfully exploiting complex Active Directory (AD) environments.

For defenders, this update signals a shift. Attackers can now more easily troubleshoot failures in Kerberoasting, Golden Ticket creation, or PKI abuse (ESC1/ESC8) attempts. This blog post breaks down the technical implications of these updates and provides actionable detection and remediation strategies to harden your environment against these evolving techniques.

Technical Analysis

Affected Products and Platforms:

  • Metasploit Framework: All versions updating to the June 2026 release.
  • Target Environment: Primarily Windows Active Directory domains (Windows Server 2016+).

New Capabilities:

  1. KerberosTicketTrace: This option enables verbose logging for Kerberos tickets. When a module (e.g., auxiliary/admin/kerberos/get_ticket) interacts with the KDC, the framework now logs the raw ticket data, encryption types, and service principal names (SPNs) being requested or manipulated. This aids attackers in verifying if a forged ticket is structurally sound before attempting lateral movement.
  2. CertificateTrace: Similar to the Kerberos option, this enables debugging output for Certificate operations. This is critical for modules abusing Active Directory Certificate Services (AD CS), allowing adversaries to inspect certificate signing requests (CSR), templates, and the resulting certificates in real-time.

The Threat Perspective: The primary risk is not a new vulnerability, but the optimization of the attack chain. Attackers using Metasploit to perform credential dumping or PKI misconfiguration abuse can now iterate faster. Instead of failing silently or receiving generic errors, they now have forensic-level detail on why an exploit failed, allowing them to tweak parameters (e.g., changing etype for Kerberos or altering Subject Alternative Names for certificates) until success is achieved.

Detection & Response

Given that Metasploit is a ubiquitous offensive tool, detecting its execution—particularly when it engages with sensitive authentication protocols—is a high-value SOC capability. The following rules and queries focus on identifying the execution of the Metasploit framework and suspicious process interactions typical of Kerberos and Certificate manipulation.

SIGMA Rules

YAML
---
title: Metasploit Console Execution
id: 66a9c3a1-2d44-4f9b-8f8c-9d1234567890
status: experimental
description: Detects the execution of the Metasploit console (msfconsole) or related Ruby processes often used to launch modules.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/16
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\ruby.exe'
      - '\rubyw.exe'
    CommandLine|contains:
      - 'msfconsole'
      - 'msfvenom'
  condition: selection
falsepositives:
  - Legitimate Ruby development or administration tools (rare on endpoints)
level: high
---
title: Suspicious Child Process of Ruby Interpreter
id: 77b1d4b2-3e55-5a0c-9g9d-0e2345678901
status: experimental
description: Detects suspicious command-line interpreters or system tools spawned as a child of Ruby, which may indicate Metasploit module execution.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/06/16
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\ruby.exe'
      - '\rubyw.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\bash.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Rare, legitimate Ruby scripts invoking system shells
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Metasploit Framework execution and potential Kerberos/Certificate activity
let MetasploitProcesses = 
  DeviceProcessEvents 
  | where Timestamp > ago(7d)
  | where FileName has "ruby" and (ProcessCommandLine has "msfconsole" or ProcessCommandLine has "msf");
// Cross-reference with network connections to domain controllers or KDC ports
MetasploitProcesses 
| join kind=inner (DeviceNetworkEvents 
  | where RemotePort in (88, 443, 445, 135) 
  | where InitiatingProcessFileName has "ruby") on DeviceId, InitiatingProcessId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteUrl, RemotePort, RemoteIP
| summarize count() by DeviceName, FileName, RemotePort

Velociraptor VQL

VQL — Velociraptor
-- Hunt for Ruby processes indicative of Metasploit usage
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'ruby.exe'
   AND (CommandLine =~ 'msfconsole' OR CommandLine =~ 'msf')
-- Identify children of Ruby processes
SELECT Parent.Name AS ParentName, Child.Pid, Child.Name, Child.CommandLine
FROM pslist()
LEFT JOIN pslist() AS Child ON Child.Ppid = pslist.Pid
WHERE pslist.Name =~ 'ruby.exe'
  AND Child.Name IN ('powershell.exe', 'cmd.exe', 'whoami.exe', 'klist.exe')

Remediation Script

The following PowerShell script audits common Active Directory Certificate Services (AD CS) misconfigurations that are often targeted by the modules now enhanced by CertificateTrace (e.g., ESC1, ESC2, ESC8). Run this on a machine with AD RSAT tools or a Domain Controller.

PowerShell
# Audit AD CS Certificate Templates for ESC1 and ESC8 vulnerabilities
# Requires Active Directory module

Import-Module ActiveDirectory

Write-Host "[+] Auditing Certificate Templates for Misconfigurations..." -ForegroundColor Cyan

# Get all Certificate Templates
$templates = Get-ADObject -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExpirationPeriod, msPKI-RA-Signature

foreach ($template in $templates) {
    $name = $template.Name
    $flags = $template.'msPKI-Certificate-Name-Flag'
    $enrollmentFlags = $template.'msPKI-Enrollment-Flag'
    
    # ESC1 Check: ENROLLEE_SUPPLIES_SUBJECT
    if ($flags -band 0x00010000) {
        Write-Host "[ALERT] ESC1 Potential: '$name' allows any user to supply Subject (SAN)." -ForegroundColor Red
    }
    
    # ESC8 Check: ENROLLEE_SUPPLIES_SUBJECT (stronger check often linked to ESC8 scenarios)
    # Also checking for "Any Purpose" EKUs which is dangerous
    $ekus = $template | Select-Object -ExpandProperty pKIExtendedKeyUsage -ErrorAction SilentlyContinue
    if ($ekus -eq $null) {
        Write-Host "[WARNING] Template '$name' has no EKUs defined (Any Purpose)." -ForegroundColor Yellow
    }
}

# Check for ESC1 on specific templates vulnerable to current campaigns
$vulnerableTemplates = @("User", "Machine", "WebServer")
$adcsTemplates = Get-CATemplate | Where-Object { $vulnerableTemplates -contains $_.Name }

if ($adcsTemplates) {
    Write-Host "[ALERT] Found enabled templates matching common vulnerable names: $($adcsTemplates.Name -join ', ')" -ForegroundColor Red
} else {
    Write-Host "[+] No common vulnerable templates enabled." -ForegroundColor Green
}

Write-Host "[+] Audit Complete." -ForegroundColor Cyan

Remediation

While there is no specific vulnerability (CVE) to patch in this scenario, the new tracing capabilities in Metasploit highlight the need to harden Kerberos and PKI infrastructures against more effective automated attacks.

1. Harden Kerberos Configuration:

  • Enable Kerberos Armoring (FAST): This protects the pre-authentication data, making ticket requests harder to intercept or forge, which mitigates the effectiveness of Kerberos-focused debugging.
  • Audit SPNs: Regularly scan for Service Principal Names (SPNs) associated with high-privilege accounts to prevent Kerberoasting attacks.

2. Harden Active Directory Certificate Services (AD CS):

  • Review Template Access Control: Ensure that low-privileged users do not have enrollment rights on sensitive templates (e.g., Domain Controller, Web Server templates).
  • Disable ESC1/ESC2: Remove the "ENROLLEE_SUPPLIES_SUBJECT" flag from templates that allow high-privilege authentication.
  • Patch Certificate Authority (CA) Servers: Ensure Windows Server CAs are fully patched against recent AD CS vulnerabilities (e.g., CVE-2022-26923 logic) to prevent certificate spoofing.

3. Monitoring Strategy:

  • Deploy the provided Sigma rules to detect Metasploit usage immediately.
  • Alert on uncommon access to the pkiEnrollmentService or specific KDC error logs (Event ID 4768/4769) showing patterns of failure followed by success (brute-forcing/debugging).

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionmetasploitactive-directorykerberos

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action