Key figures:

  • 16 AD CS ESC techniques documented (ESC1-ESC16)
  • Majority of sophisticated intrusions: IR engagements citing AD CS abuse
  • Under 5 minutes: time to domain admin via ESC1 from a domain user

Active Directory Certificate Services (AD CS) misconfigurations are now a standard privilege escalation path in sophisticated ransomware intrusions. The SpecterOps 'Certified Pre-Owned' research (2021) documented the original ESC1-ESC8 techniques; the community has since extended this to ESC16, and Akira (REDBIKE), Qilin, and LockBit affiliates are all documented using AD CS escalation in 2026 intrusion reports.

The core problem: AD CS is a complex Microsoft PKI that has been deployed in most large enterprise Active Directory environments for 10-20 years, often configured permissively and rarely audited. A single misconfigured certificate template can allow any domain user to obtain a certificate that authenticates as a domain administrator, completing a full privilege escalation in under five minutes with freely available tooling.

AD CS Background: Why It Is a High-Value Target

Active Directory Certificate Services is Microsoft's enterprise PKI, issuing X.509 certificates for authentication, code signing, email encryption, and TLS. In Active Directory environments, certificates can be used for Kerberos authentication via PKINIT: a client presents a certificate instead of a password, and the domain controller validates it against the issuing CA and issues a Kerberos TGT.

This creates a powerful privilege escalation path: if an attacker can obtain a certificate that the domain controller will accept as authenticating a privileged user (such as the domain administrator), they have effectively obtained domain administrator access without needing the password and without triggering password-based authentication alerts.

Why AD CS misconfigurations persist:

  • Certificate templates are configured during PKI setup by server teams, not security teams, and default templates are often overly permissive
  • AD CS has no equivalent of 'BloodHound for certificates' in most security stacks: the misconfigurations are invisible without specific tooling
  • Certificate templates rarely get security reviewed after initial setup
  • Many organizations do not know what certificate templates exist or who can enroll in them

Impact of a successful AD CS escalation:

  • Domain Administrator TGT issuance (full domain compromise)
  • Persistence via certificate-based authentication that survives password resets (the certificate remains valid until it expires)
  • Potential for golden certificate forgery if CA private key is compromised (persists until CA is rebuilt)

The Five Most Exploited ESC Techniques

The full ESC1-ESC16 taxonomy is documented in the SpecterOps and community research. These five are the most frequently exploited in real intrusions.

ESC1: Misconfigured Certificate Template Enrollment Rights

A certificate template is configured to allow any authenticated user (or Domain Users) to enroll, the template allows the enrollee to specify a Subject Alternative Name (SAN) in the request, and the certificate can be used for client authentication. An attacker enrolls in the template, sets the SAN to 'Administrator', and obtains a certificate that authenticates as the domain administrator. This is the most common and easily exploitable ESC class. Remediation: disable the 'Supply in the request' SAN setting on templates that allow broad enrollment, or restrict enrollment to specific service accounts only.

ESC4: Vulnerable Certificate Template Access Control

The certificate template's Access Control List (ACL) grants a low-privileged principal Write permissions over the template object in AD. The attacker modifies the template to introduce ESC1 conditions (enable SAN supply, add client auth EKU), exploits it to obtain a privileged certificate, then optionally restores the template to avoid detection. Remediation: audit certificate template ACLs for any non-admin principal with WriteProperty, WriteDACL, WriteOwner, or GenericWrite permissions. These should only be held by Enterprise Admins and CA administrators.

ESC8: NTLM Relay to AD CS HTTP Enrollment Endpoint

If AD CS is configured with the Certificate Authority Web Enrollment or Certificate Enrollment Web Service interface, and these endpoints accept NTLM authentication over HTTP (not HTTPS with EPA), an attacker can relay NTLM authentication from a domain controller to the enrollment endpoint and obtain a domain controller certificate. Combined with DCSync, this enables full domain compromise. Remediation: enable Extended Protection for Authentication (EPA) on all AD CS web enrollment endpoints. Disable NTLM authentication on enrollment endpoints if possible. Enforce HTTPS with certificate pinning.

ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 CA Flag

The CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which allows any certificate request to include a user-specified Subject Alternative Name regardless of template settings. If combined with a template that allows broad enrollment and client authentication, any domain user can request a certificate for any user including domain admins. Remediation: remove EDITF_ATTRIBUTESUBJECTALTNAME2 from all CAs. Audit with: certutil -getreg policy\EditFlags on each CA server.

ESC9 and ESC10: No Security Extension on Templates

ESC9 occurs when a certificate template has the CT_FLAG_NO_SECURITY_EXTENSION flag set, preventing the issued certificate from including the SID of the requesting user. This allows certificate-based authentication to bypass SID mapping protections. ESC10 occurs when specific registry configurations allow certificate-based authentication to authenticate as other users without a SID match. Both are more complex to exploit but provide covert persistence. Remediation: ensure all certificate templates include security extension (avoid CT_FLAG_NO_SECURITY_EXTENSION), and configure StrongCertificateBindingEnforcement on domain controllers (registry: HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement = 2).


Auditing Your AD CS Environment with Certipy

Certipy is the primary open source tool for AD CS enumeration and exploitation. Run it in your environment to identify vulnerable templates before attackers do.

Installation:

pip install certipy-ad

Find vulnerable templates (from domain-joined system or with domain credentials):

certipy find -u 'domain_user@domain.com' -p 'password' -dc-ip 10.0.0.1

This generates a JSON and BloodHound-format output listing all certificate templates, their enrollment rights, EKUs, and whether they are vulnerable to each ESC class.

Enumerate from BloodHound: Certipy can output to BloodHound format, which visualizes attack paths through AD CS alongside regular AD attack paths. Import the Certipy output into BloodHound to see combined AD privilege escalation paths that include certificate-based escalation steps.

Narrow the output to enabled templates (the ones that can actually be enrolled in):

certipy find -u 'domain_user@domain.com' -p 'password' -dc-ip 10.0.0.1 -enabled

The -enabled flag shows only enabled templates. Pay attention to:

  • Templates with [+] Vulnerable tags in the output
  • Client Authentication or Smart Card Logon in the EKU list
  • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag (SAN supply enabled)
  • Domain Users or Authenticated Users in the enrollment rights

What to do with Certipy output: for every template flagged as vulnerable, evaluate:

  1. Is this template actually in use? Pull enrollment statistics from the CA logs.
  2. Can the enrollment rights be restricted to specific accounts?
  3. Can the SAN supply flag be disabled?
  4. Does the template need the client authentication EKU, or can a more restrictive EKU be used?
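The checklist above can be applied mechanically to a Certipy JSON export. The script below is an added example, not Certipy's own code; the field names assume the shape of Certipy's JSON output (verify them against your own export), and the sample export is constructed.

```python
"""Triage a Certipy `find` JSON export against the ESC1 checklist."""
import json

# Assumption: enrollment rights are listed as DOMAIN\\Principal strings.
BROAD_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}
AUTH_EKUS = {"Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose"}

# Constructed sample: one ESC1-prone template and one that is not.
SAMPLE_EXPORT = json.dumps({"Certificate Templates": {
    "0": {"Template Name": "LegacyUserCert", "Enabled": True,
          "Enrollee Supplies Subject": True, "Requires Manager Approval": False,
          "Authorized Signatures Required": 0,
          "Extended Key Usage": ["Client Authentication"],
          "Permissions": {"Enrollment Permissions": {
              "Enrollment Rights": ["CORP\\Domain Users", "CORP\\Domain Admins"]}}},
    "1": {"Template Name": "WebServerOnly", "Enabled": True,
          "Enrollee Supplies Subject": True, "Requires Manager Approval": False,
          "Authorized Signatures Required": 0,
          "Extended Key Usage": ["Server Authentication"],
          "Permissions": {"Enrollment Permissions": {
              "Enrollment Rights": ["CORP\\PKI-WebServers"]}}},
}})


def broad_enrollers(template):
    """Enrollment principals that are broad domain groups (DOMAIN\\ prefix ignored)."""
    perms = template.get("Permissions", {}).get("Enrollment Permissions", {})
    return sorted(p for p in perms.get("Enrollment Rights", [])
                  if p.split("\\")[-1] in BROAD_GROUPS)


def triage(export_json):
    """Return one finding per template: ESC1 verdict plus the checklist actions."""
    findings = []
    for tpl in json.loads(export_json).get("Certificate Templates", {}).values():
        broad = broad_enrollers(tpl)
        supplies_san = bool(tpl.get("Enrollee Supplies Subject"))
        auth_eku = bool(set(tpl.get("Extended Key Usage", [])) & AUTH_EKUS)
        # Manager approval or a required co-signature blocks unattended issuance.
        gated = bool(tpl.get("Requires Manager Approval")) \
            or int(tpl.get("Authorized Signatures Required", 0)) > 0
        esc1 = bool(tpl.get("Enabled")) and bool(broad) and supplies_san \
            and auth_eku and not gated
        actions = []
        if broad:
            actions.append("restrict enrollment rights: " + ", ".join(broad))
        if supplies_san:
            actions.append("disable 'Supply in the request' (SAN) on this template")
        if auth_eku:
            actions.append("confirm a client-authentication EKU is really needed")
        if esc1:
            actions.append("interim: require manager approval until fixed")
        findings.append({"template": tpl.get("Template Name"),
                         "esc1": esc1, "actions": actions})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(("[!] ESC1 " if f["esc1"] else "[ ] ok   ") + f["template"], f["actions"])
```

Whether a flagged template is actually in use (question 1) still has to come from the CA's issuance logs, which the export does not contain.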

Run Certipy quarterly and after any PKI infrastructure changes. Include AD CS audit in your regular red team or internal penetration test scope.

Hardening Controls: Closing ESC Vulnerabilities

AD CS hardening follows a consistent pattern: restrict who can enroll, restrict what can be included in the certificate request, and monitor for anomalous certificate issuance.

1. Audit and restrict certificate template enrollment rights

For every template that allows Authenticated Users or Domain Users to enroll:

  • Replace with specific service accounts or security groups if the template has a legitimate use case
  • Disable the template if it has no current use (check CA audit logs for recent issuance)
  • Set Manager Approval required for any high-privilege template that cannot be restricted

2. Disable 'Supply in the request' SAN for user enrollment templates

In Certificate Templates MMC (certtmpl.msc): select the template, Properties, Subject Name tab, verify that 'Supply in the request' is NOT selected for templates where Domain Users can enroll. 'Build from this Active Directory information' is the safe setting.

3. Enable EPA on all AD CS web enrollment endpoints

For Certificate Authority Web Enrollment and Certificate Enrollment Web Service:

  • Open IIS Manager on the CA server
  • For the enrollment application, set Authentication > Windows Authentication > Advanced Settings > Extended Protection: Required
  • Restart IIS

4. Remove EDITF_ATTRIBUTESUBJECTALTNAME2 from CA configuration

certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc && net start certsvc

Verify the flag is removed:

certutil -getreg policy\EditFlags

5. Enable StrongCertificateBindingEnforcement on domain controllers

This enforces SID-based certificate-to-account binding, blocking ESC9/ESC10 exploitation:

# Set on all DCs (2 = Full Enforcement Mode)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name 'StrongCertificateBindingEnforcement' -Value 2 -Type DWord

Note: Microsoft is enforcing this by default in a phased rollout through 2025-2026 Windows updates. Verify your DCs have the required patches and the registry value is set.

6. Enable AD CS audit logging

# Enable Certificate Services audit (elevated prompt on the CA server)
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

The CA also has its own audit filter (certutil -setreg CA\AuditFilter) that must be enabled, followed by a certsvc restart, before the 4886/4887 events are written.

Audit events to monitor:

  • Event 4887: Certificate issued (alert on Domain Admin or high-privilege accounts)
  • Event 4768: Kerberos TGT request using certificate (PKINIT) for accounts that should not be using certificate auth
  • Event 4886: Certificate request received

Detection: Monitoring for AD CS Abuse

Detection complements hardening. Alert on these indicators of AD CS abuse in your SIEM.

Certificate issued to unexpected accounts:

// Constructed lists: adjust to your environment
let watch_list = dynamic(["krbtgt", "svc-backup"]);
let expected_service_accounts = dynamic(["CORP\\svc-autoenroll$"]);
// Column names for the 4887 requester and subject depend on how your SIEM
// parses the event's EventData; adjust them to your schema.
SecurityEvent
| where EventID == 4887
| where TargetUserName contains "Administrator" or TargetUserName contains "DA-" or TargetUserName in (watch_list)
| where RequesterName !in (expected_service_accounts)

PKINIT authentication from accounts that should not use certificate auth:

Kerberos TGT requests using certificate authentication (PKINIT) log with a specific pre-authentication type. Alert on domain admin accounts authenticating via certificate if you have not issued certificates to those accounts:

// Constructed lists: privileged accounts and the thumbprints you issued to them
let privileged_account_list = dynamic(["Administrator", "DA-jsmith"]);
let known_admin_certs = dynamic([]);
SecurityEvent
| where EventID == 4768
| where TargetUserName in~ (privileged_account_list)
| where isnotempty(CertThumbprint)
| where CertThumbprint !in (known_admin_certs)
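The two rules above, run over sample events so the logic can be checked before it goes into a SIEM. This is an added example, not part of the original page; the field names follow the Windows 4887 (Requester, Subject, Attributes) and 4768 (TargetUserName, CertThumbprint) event schemas, and every event and thumbprint below is constructed.

```python
"""Replay the certificate-issuance and PKINIT alert rules over constructed events."""

PRIVILEGED = {"administrator", "da-jsmith"}       # constructed watch list
EXPECTED_REQUESTERS = {"CORP\\svc-autoenroll$"}   # principals allowed to request certs
KNOWN_ADMIN_CERTS = {"A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"}  # constructed thumbprint

# Constructed events: a benign autoenrollment, an issuance for Administrator
# requested from a workstation, a PKINIT TGT with an unknown certificate,
# and two password-based TGTs that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "CORP\\svc-autoenroll$", "Subject": "CN=alice",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": 4887, "Requester": "CORP\\wks0042$", "Subject": "CN=Administrator",
     "Attributes": "CertificateTemplate:LegacyUserCert\nSAN:upn=administrator@corp.local"},
    {"EventID": 4768, "TargetUserName": "administrator",
     "CertThumbprint": "FFEE00112233445566778899AABBCCDDEEFF0011"},
    {"EventID": 4768, "TargetUserName": "administrator", "CertThumbprint": ""},
    {"EventID": 4768, "TargetUserName": "bob", "CertThumbprint": ""},
]


def looks_privileged(text):
    """Mirror of the KQL predicate: a watch-list name or a DA- prefixed account."""
    t = text.lower()
    return any(name in t for name in PRIVILEGED) or "da-" in t


def cert_issued_alerts(events):
    """Rule 1: 4887 naming a privileged identity, requested by an unexpected principal."""
    return [e for e in events if e["EventID"] == 4887
            and looks_privileged(e.get("Subject", "") + " " + e.get("Attributes", ""))
            and e.get("Requester") not in EXPECTED_REQUESTERS]


def pkinit_alerts(events):
    """Rule 2: 4768 for a privileged account using a certificate we did not issue."""
    return [e for e in events if e["EventID"] == 4768
            and e.get("TargetUserName", "").lower() in PRIVILEGED
            and e.get("CertThumbprint")
            and e["CertThumbprint"].upper() not in KNOWN_ADMIN_CERTS]


if __name__ == "__main__":
    for alert in cert_issued_alerts(SAMPLE_EVENTS) + pkinit_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```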

Certipy/Certify tool execution:

Certipy and Certify make LDAP queries to enumerate certificate templates. They generate distinctive query patterns. Monitor for LDAP queries for pKICertificateTemplate objects from non-admin accounts or from unusual source IPs.

The bottom line

Active Directory Certificate Services misconfigurations are among the most impactful findings in an enterprise AD environment: a single vulnerable certificate template can allow any domain user to escalate to domain administrator in minutes. The defenses are well-understood: run Certipy now to enumerate your vulnerable templates, restrict enrollment rights to specific accounts rather than broad domain groups, disable SAN supply on templates with broad enrollment, remove the EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag, and enable EPA on web enrollment endpoints. Enable StrongCertificateBindingEnforcement on all domain controllers to close the ESC9/ESC10 class. Include AD CS in your quarterly internal red team scope and monitor certificate issuance events for privileged account names. The cost of these mitigations is low; the cost of a ransomware intrusion that escalated via AD CS is not.

Frequently asked questions

What is an ESC attack against Active Directory Certificate Services?

ESC stands for Escalation via Certificate Services. ESC attacks exploit misconfigured AD CS certificate templates or CA settings to allow low-privilege users to obtain certificates that authenticate as high-privilege accounts (domain administrators). The SpecterOps 'Certified Pre-Owned' research documented ESC1-ESC8 in 2021; the community has since extended this to ESC16. The most exploited technique (ESC1) requires only a misconfigured certificate template that lets any domain user enroll and specify an arbitrary Subject Alternative Name, enabling certificate issuance for any user including domain admins.

What is Certipy and is it safe to run in production?

Certipy is an open source AD CS enumeration and exploitation tool written in Python. The `certipy find` command enumerates certificate templates, CA configurations, and identifies ESC vulnerabilities without modifying anything. It is safe to run in production in audit mode: it reads LDAP and ADSI objects the same way any authenticated domain user can. The exploitation commands (certipy req, certipy auth) should only be used in controlled testing with proper authorization. Run `certipy find` during your next internal security assessment; the output JSON provides a complete picture of your AD CS attack surface.

How do attackers use AD CS certificates for persistence?

Certificates provide stealthy persistence because they survive password resets. If an attacker obtains a certificate that authenticates as a domain admin using ESC1, and that certificate has a 1-year validity period, changing the domain administrator password does not invalidate the certificate. The attacker can continue to authenticate using the certificate until it expires or is explicitly revoked. This is why post-incident response must include revoking all certificates issued to compromised accounts: password rotation alone is insufficient in an environment where AD CS was abused.

Is AD CS hardening disruptive to existing PKI infrastructure?

The highest-impact hardening steps (restricting enrollment rights, disabling SAN supply, removing EDITF_ATTRIBUTESUBJECTALTNAME2) can disrupt applications that depend on the current permissive configuration. Always audit current usage before making changes: pull enrollment logs from the CA to see which templates have been used recently and by what accounts. For templates in active use, work with application teams to migrate to more restrictive templates. Changes to the CA flag (EDITF_ATTRIBUTESUBJECTALTNAME2) and StrongCertificateBindingEnforcement are lower-risk and should be applied broadly. EPA configuration for web enrollment endpoints requires IIS configuration changes that can be tested in pre-production.

How do I know if my organization has been compromised via AD CS?

Look for these indicators: (1) Kerberos TGT requests (Event 4768) using certificate-based pre-authentication (PKINIT) for domain admin accounts that you have not issued certificates to. (2) Certificate issuance events (Event 4887) for privileged accounts from non-standard requesting machines or service accounts. (3) New certificate enrollment in templates that have broad enrollment rights, especially from workstations rather than servers. (4) Certipy or Certify tool signatures in EDR telemetry: LDAP queries for pKICertificateTemplate objects from user workstations. If you find unexpected certificates in your CA database issued to privileged accounts, treat it as a confirmed compromise.

What is StrongCertificateBindingEnforcement and why does it matter?

StrongCertificateBindingEnforcement is a domain controller registry setting that controls how Kerberos PKINIT validates the mapping between a certificate and a user account. In full enforcement mode (value 2), the domain controller requires that the certificate contain the user's SID in a specific extension, preventing an attacker from using a certificate issued for one account to authenticate as another. This closes the ESC9 and ESC10 vulnerability classes. Microsoft has been rolling out enforcement via Windows Updates, but many organizations remain on compatibility mode (value 1) due to concerns about certificate compatibility. Audit your templates for proper SID extension inclusion, then set enforcement to value 2.

Should AD CS be included in our regular penetration testing scope?

Yes, and most organizations are not currently doing this. AD CS assessment requires specific tooling (Certipy, BloodHound with the AD CS data collector) and knowledge of the ESC technique taxonomy that many generalist penetration testers may not have. Specify AD CS enumeration and escalation testing explicitly in your pentest statement of work. At minimum, run Certipy internally each quarter as a self-assessment. The combination of BloodHound (for AD attack paths) and Certipy (for certificate attack paths) gives the most complete picture of your AD privilege escalation risk. Most red teams that include AD CS scope find at least one exploitable ESC vulnerability in their first assessment.

Sources & references

  1. SpecterOps: Certified Pre-Owned (AD CS Attack Research)
  2. Certipy: AD CS Enumeration and Exploitation Tool
  3. Palo Alto Unit 42: Inside AD CS Escalation
  4. Mandiant M-Trends 2026
  5. Microsoft AD CS Security Guidance


Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
