AD CS Misconfigurations: ESC1 Through ESC11 in Production
Cybersecurity
Active Directory Certificate Services has become the most reliable path to Domain Admin on internal engagements. We cover what certipy finds, how to detect it, and the template hardening that closes it.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 19, 2024 · 9 min read
When SpecterOps published Certified Pre-Owned in 2021, the security industry rediscovered that AD CS templates are a privilege escalation surface. Three years later, ESC1 still works on roughly half the AD CS deployments we test, because templates created during legacy rollouts with Enrollee Supplies Subject, a Client Authentication EKU and enrollment open to Domain Users are rarely cleaned up afterwards.
How attackers find this
certipy is the canonical tool for AD CS abuse. It enumerates templates, identifies the misconfiguration class (ESC1 through ESC11+), and exploits in a single command.
- certipy find -u user@domain -p password -dc-ip 10.0.0.1 -vulnerable dumps every ADCS template, marks vulnerable ones, and outputs JSON for further analysis.
- ESC1: a template with Enrollee Supplies Subject and a Client Authentication EKU (or any other EKU that permits logon: Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all), enrollable by Domain Users, with no manager approval and no authorized signatures required. Exploit: certipy req -u user@domain -p password -ca CA-NAME -target ca.domain -template VulnTemplate -upn administrator@domain. The resulting certificate authenticates as the Administrator account.
- ESC8: the AD CS web enrollment site (/certsrv) accepting NTLM over HTTP, or over HTTPS without Extended Protection for Authentication. Combined with PetitPotam coercion, the attacker relays a domain controller's NTLM authentication to the enrollment endpoint and enrolls the DC's machine account in the DomainController or Machine template. With that certificate, DCSync is one command away.
- ESC11: the same relay against the CA's MS-ICPR RPC interface when the IF_ENFORCEENCRYPTICERTREQUEST interface flag is disabled, so the CA accepts RPC requests without packet privacy. Same outcome, different transport.
- certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1 then turns the certificate into a TGT via PKINIT and recovers the account's NT hash (Certipy does this with a user-to-user ticket), completing the chain to Domain Admin.
The reason this is so reliable is that the KDC maps a certificate to an account using attributes inside the certificate (historically the UPN in the SubjectAltName), and a misconfigured template lets the requester choose those attributes. If the template lets you say I am Administrator and the CA signs the cert, AD believes you.
What defenders see
AD CS auditing is off by default on the CA itself. Turning it on is the first prerequisite for detection, and it takes two settings: the CA's own audit filter and the Object Access > Audit Certification Services subcategory in the Advanced Audit Policy on the CA host. Either one alone produces nothing.
- On the CA: enable Issue and manage certificate requests on the Auditing tab of the CA properties (certutil -setreg CA\AuditFilter 127 turns on every category), then restart certsvc. This produces 4886 (request received), 4887 (request approved and certificate issued) and 4888 (request denied).
- Hunt 4887 events whose issued certificate carries a SubjectAltName UPN for a high-privilege account while the Requester field names a different principal. The event records Requester, Subject and the request Attributes but not the SAN itself, so enrich it from the CA database (certutil -view on the CA, restricted to the Request ID); in the ESC6 variant the SAN also shows up in Attributes as san:upn=. ESC1 abuse produces this mismatch by construction, because the attacker enrolls as a low-privileged account and supplies someone else's UPN.
- On domain controllers, 4768 (TGT request) with Pre-Authentication Type 16 (PA-PK-AS-REQ) and the Certificate Information fields populated (issuer, serial number, thumbprint) is the PKINIT signature. Correlate with the 4887 by time and by the account named in the SAN; the serial number in 4768 also matches the issued certificate in the CA database.
- For ESC8, remember that the relaying host, not the domain controller, is the client of the web enrollment endpoint, so filtering on DC source addresses finds nothing. Instead, watch the IIS logs of /certsrv for requests whose cs-username is a machine account (DC01$) while c-ip is not that machine's address, and watch for 4887 events whose Requester is a machine account against the DomainController or Machine template. Domain controllers never use web enrollment themselves.
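The three hunts above, run over a handful of constructed events, as an added Python example (not code from this field note and not Certipy's). It assumes the 4887 records have already been joined with the CA database so that each carries the SAN UPN of the issued certificate; the account names, addresses, times and log lines are made up for the example.

```python
"""Hunt AD CS logs for ESC1 (forged SAN UPN, then PKINIT) and ESC8 (relayed DC auth).

Added example, not code from the original field note or from Certipy.
All input is constructed: three CA 4887 records, two DC 4768 records and
three W3C-format IIS lines from the CA's /certsrv site. The san_upn field
is assumed to have been enriched from the CA database (certutil -view by
Request ID), because the 4887 event itself does not carry the SAN.
"""
from datetime import datetime, timedelta

PA_PK_AS_REQ = 16  # 4768 Pre-Authentication Type for certificate (PKINIT) logons

CA_EVENTS = [  # constructed 4887 records
    {"id": 4887, "time": "2024-11-19T10:01:05", "request_id": 1201,
     "requester": "CORP\\jdoe", "template": "VulnTemplate",
     "san_upn": "administrator@corp.local"},
    {"id": 4887, "time": "2024-11-19T10:04:00", "request_id": 1202,
     "requester": "CORP\\asmith", "template": "User",
     "san_upn": "asmith@corp.local"},
    {"id": 4887, "time": "2024-11-19T10:06:30", "request_id": 1203,
     "requester": "CORP\\DC01$", "template": "DomainController",
     "san_upn": None},
]
DC_EVENTS = [  # constructed 4768 records; certificate fields are only present for PKINIT
    {"id": 4768, "time": "2024-11-19T10:01:40", "account": "administrator",
     "pre_auth_type": PA_PK_AS_REQ, "cert_issuer": "CORP-CA", "cert_serial": "2f0000000a"},
    {"id": 4768, "time": "2024-11-19T10:02:10", "account": "jdoe",
     "pre_auth_type": 2, "cert_issuer": None, "cert_serial": None},
]
# constructed IIS lines; fields: date time c-ip cs-method cs-uri-stem cs-username
IIS_LINES = [
    "2024-11-19 10:06:29 10.0.0.50 GET /certsrv/ -",
    "2024-11-19 10:06:30 10.0.0.50 POST /certsrv/certfnsh.asp CORP\\DC01$",
    "2024-11-19 10:07:01 10.0.0.21 POST /certsrv/certfnsh.asp CORP\\jdoe",
]
MACHINE_ADDRESSES = {"dc01$": "10.0.0.5"}  # constructed: machine account -> its own address


def principal(name):
    """Normalise CORP\\user, user@realm and bare names to a lowercase sAMAccountName."""
    return name.split("\\")[-1].split("@")[0].lower()


def esc1_candidates(ca_events):
    """4887 events whose issued SAN UPN names a different principal than the Requester."""
    return [e for e in ca_events
            if e["id"] == 4887 and e.get("san_upn")
            and principal(e["san_upn"]) != principal(e["requester"])]


def pkinit_followups(suspicious, dc_events, window=timedelta(minutes=10)):
    """PKINIT TGT requests for the SAN account shortly after a suspicious issuance."""
    hits = []
    for cert in suspicious:
        issued = datetime.fromisoformat(cert["time"])
        for k in dc_events:
            if k["id"] != 4768 or k["pre_auth_type"] != PA_PK_AS_REQ:
                continue
            when = datetime.fromisoformat(k["time"])
            if principal(k["account"]) == principal(cert["san_upn"]) and issued <= when <= issued + window:
                hits.append((cert["request_id"], k["account"], k["cert_serial"]))
    return hits


def esc8_candidates(iis_lines, machine_addresses):
    """Web-enrollment POSTs authenticated as a machine account from an address that is not
    that machine. In a relay the relaying host, not the DC, talks to /certsrv, so the DC$
    name shows up with a foreign c-ip."""
    hits = []
    for line in iis_lines:
        date, time_, c_ip, method, uri, user = line.split()
        acct = principal(user)
        if method != "POST" or not acct.endswith("$"):
            continue
        expected = machine_addresses.get(acct)
        if expected is not None and expected != c_ip:
            hits.append((acct, c_ip, f"{date} {time_}"))
    return hits


if __name__ == "__main__":
    flagged = esc1_candidates(CA_EVENTS)
    print("ESC1 candidates:", [(e["request_id"], e["requester"], e["san_upn"]) for e in flagged])
    print("PKINIT follow-ups:", pkinit_followups(flagged, DC_EVENTS))
    print("ESC8 candidates:", esc8_candidates(IIS_LINES, MACHINE_ADDRESSES))
```

Only the jdoe request is flagged for ESC1 (the DC01$ record has no SAN UPN and is skipped), the administrator PKINIT logon 35 seconds later is tied back to Request ID 1201, and the DC01$ POST is flagged because it came from 10.0.0.50 rather than the DC's own address.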
Remediation
Most ADCS findings come down to template configuration and CA-level flags. The fix is precise but requires a per-template review.
- Audit every template: certipy find with -vulnerable -enabled. For each flagged template, decide if it is needed. Disable unused templates entirely.
- On templates that must keep Subject in Request (Enrollee Supplies Subject), require CA certificate manager approval (CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag). This breaks ESC1 because the request sits pending until a certificate manager issues it; the approver has to actually compare the requested SAN with the requester, or the control is cosmetic.
- Restrict Enroll permission to the specific groups that need the template, never Domain Users, Authenticated Users or Domain Computers. The template ACL is the primary access control. Where the subject does not genuinely have to come from the request, clear Enrollee Supplies Subject and build the subject from Active Directory instead; that removes the ESC1 condition outright.
- On the CA, remove the EDITF_ATTRIBUTESUBJECTALTNAME2 flag: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then net stop certsvc and net start certsvc, and confirm with certutil -getreg policy\EditFlags. This kills ESC6, because the CA stops honoring a san: request attribute.
- For ESC8, disable NTLM on the web enrollment site and require HTTPS with Extended Protection for Authentication (EPA is only meaningful over TLS). Better: turn off web enrollment if no one uses it. Many environments enabled it once in 2014 and have not touched it since. The same applies to ESC11: set the interface flag with certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST and restart certsvc.
- Apply KB5014754 and move every domain controller to Full Enforcement mode (StrongCertificateBindingEnforcement = 2), so that certificate authentication maps the certificate to the account by SID through the szOID_NTDS_CA_SECURITY_EXT extension that the patched CA embeds at issuance. The CA stamps the requester's SID, not the SID of whoever the requested UPN names, so a forged SAN no longer maps to Administrator. In Compatibility mode the DCs still accept certificates that have no strong mapping at all (logging Event 39), so the change only bites once every DC enforces.
- Move the CA into tier-0. The Issuing CA computer object is as sensitive as a domain controller and should be treated identically: PAW-only admin access, dedicated subnet, hardware-backed CA key.
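The template conditions certipy checks for ESC1 and ESC6 in the How attackers find this section, and the template and CA changes from this list, as one added Python example (not Certipy's code and not part of the original field note). The flag bits and EKU OIDs are the real values; the template names, enrollment principals and CA EditFlags value are constructed, and harden() only models the attribute state that the real certtmpl.msc and certutil changes leave behind.

```python
"""Classify AD CS templates for ESC1 and ESC6 from their attributes, then re-check after hardening.

Added example; not Certipy's code and not part of the original field note.
Template records are constructed dicts shaped like the LDAP attributes read from
CN=Certificate Templates,CN=Public Key Services: the flag bits and EKU OIDs are
the real values, the template names, enrollment principals and CA EditFlags value
are invented. Real hardening is done in certtmpl.msc and certutil; harden() only
models the resulting attribute state.
"""

# msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag and CA policy\EditFlags bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# EKUs that let a certificate authenticate to AD; an empty EKU list means any purpose
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

TEMPLATES = [  # constructed; "enroll" lists the principals holding the Enroll right
    {"name": "LegacyWebApp", "enabled": True,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "User", "enabled": True,
     "msPKI-Certificate-Name-Flag": 0xA6000000,  # subject built from AD, no Subject in Request
     "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "WebServer", "enabled": True,
     "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
     "msPKI-Enrollment-Flag": 0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll": ["Domain Admins"]},
]
# constructed CA EditFlags: a typical default value with the ESC6 bit set on top
CA_EDIT_FLAGS_BEFORE = 0x11014E | EDITF_ATTRIBUTESUBJECTALTNAME2
CA_EDIT_FLAGS_AFTER = CA_EDIT_FLAGS_BEFORE & ~EDITF_ATTRIBUTESUBJECTALTNAME2


def allows_auth(ekus):
    return not ekus or bool(AUTH_EKUS & set(ekus))


def classify(template, ca_edit_flags):
    """Return the ESC classes this template exposes on a CA with the given EditFlags."""
    if not template.get("enabled", True):
        return []
    open_auth = (
        bool(LOW_PRIV_PRINCIPALS & set(template["enroll"]))                   # low-priv can enroll
        and not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS  # no manager approval
        and template.get("msPKI-RA-Signature", 0) == 0                        # no authorized signatures
        and allows_auth(template["pKIExtendedKeyUsage"])                      # cert usable for logon
    )
    findings = []
    if open_auth and template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ESC1")  # requester picks the SAN inside the CSR
    if open_auth and ca_edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.append("ESC6")  # requester picks the SAN via the san: request attribute
    return findings


def vulnerable_templates(templates, ca_edit_flags):
    out = {}
    for t in templates:
        findings = classify(t, ca_edit_flags)
        if findings:
            out[t["name"]] = findings
    return out


def harden(template, keep_subject_in_request=False):
    """Model the remediation list: restrict Enroll, then either require manager approval
    on templates that must keep Subject in Request or clear the flag altogether."""
    t = dict(template)
    t["enroll"] = [p for p in t["enroll"] if p not in LOW_PRIV_PRINCIPALS]
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        if keep_subject_in_request:
            t["msPKI-Enrollment-Flag"] |= CT_FLAG_PEND_ALL_REQUESTS
        else:
            t["msPKI-Certificate-Name-Flag"] &= ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    return t


if __name__ == "__main__":
    print("before:", vulnerable_templates(TEMPLATES, CA_EDIT_FLAGS_BEFORE))
    print("ESC6 bit cleared:", vulnerable_templates(TEMPLATES, CA_EDIT_FLAGS_AFTER))
    hardened = [harden(t, keep_subject_in_request=True) for t in TEMPLATES]
    print("after hardening:", vulnerable_templates(hardened, CA_EDIT_FLAGS_AFTER))
```

With the ESC6 bit set on the CA, even the stock User template is flagged, because the CA will honor a san: attribute from anyone who can enroll; clearing the bit leaves only the template that actually lets the requester write the subject, and either manager approval or an ACL that excludes the low-privilege groups empties the result, which is the state certipy find should report after the pass.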
After a clean ADCS hardening pass, certipy find should return zero vulnerable templates. We have done dozens of these. The work is mostly archaeological: figuring out which 2014 application owner enabled the SmartcardLogon template with bad ACLs, and whether anything still depends on it.