ADCS Attack Paths & Defenses¶
Active Directory Certificate Services (ADCS) remains one of the most underestimated attack surfaces in enterprise environments. Misconfigured certificate templates can grant domain-level privilege escalation in minutes — often without triggering a single alert. This post breaks down the most critical ADCS escalation paths and gives SOC teams the detection queries and hardening steps to shut them down.
Why ADCS Matters in 2026¶
ADCS has been a staple of enterprise PKI for over two decades, yet most organizations still treat it as "set and forget" infrastructure. The research community's continued work on escalation paths (ESC1 through ESC13 and counting) has made ADCS exploitation a standard phase in red team engagements and real-world intrusions alike.
The core problem: certificate templates are often configured with overly permissive enrollment rights and dangerous settings that allow attackers to impersonate any user — including Domain Admins — by requesting a certificate with an arbitrary Subject Alternative Name (SAN).
Unlike password-based attacks, certificate abuse is stealthy. Certificates are valid for months or years, do not trigger password-change alerts, and survive password resets. An attacker who obtains a certificate for a privileged account keeps access until the certificate expires or is revoked, and revocation only takes effect once the KDC sees it in a published CRL. Disabling the account does still stop PKINIT, because the KDC checks account status before issuing a TGT, so during incident response disable first and revoke second.
Key ADCS Attack Paths¶
1. ESC1 — Misconfigured Certificate Template with SAN¶
The most common and most dangerous misconfiguration. A certificate template is vulnerable to ESC1 when:
- The enrollee supplies the Subject Alternative Name (SAN): `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` is set in the template's `msPKI-Certificate-Name-Flag`
- Low-privileged users (e.g. Domain Users, Authenticated Users) have Enroll rights on the template, and an enterprise CA publishes it
- Manager approval is not required, and no authorized signatures are required (`msPKI-RA-Signature` is 0)
- The certificate can be used to log on: Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose EKU, or no EKU at all
Synthetic example, a vulnerable template published by ca01.corp.example.com:

```text
Template: VulnWebServer
Schema Version: 2
Enrollment Rights: CORP\Domain Users
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: True
Manager Approval: Disabled
EKU: Client Authentication, Server Authentication
Validity: 2 years
```
Any member of CORP\Domain Users requests a certificate from this template with SAN `upn=administrator@corp.example.com`, then presents it to the KDC via PKINIT and receives a TGT for the Domain Admin account. The same exchange (Kerberos U2U) also yields the account's NT hash, so from that point the attacker no longer depends on the certificate at all.
Defensive Takeaway
Audit every certificate template for the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag. If a template allows SAN specification, grants enrollment to broad groups, requires neither manager approval nor authorized signatures, and carries an authentication EKU (or none), it is exploitable. Clear the flag unless the template genuinely needs a caller-supplied subject (web server templates do, and those should then carry no authentication EKU), restrict enrollment to a dedicated security group, or require manager approval.
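As an added example (not code from the original post), the audit this takeaway calls for, written in Python over template attributes as they are stored in AD. The input shape is my assumption: one dict per template keyed by the AD attribute names, with the template's enrollment ACEs pre-resolved into (principal, right) pairs, plus the set of templates the CA publishes. The four templates below are constructed, modelled on VulnWebServer and on the default User and WebServer templates. The same check covers the first item under Recommendations for SOC Teams.

```python
"""Offline ESC1 audit over certificate-template attributes (added example).

Assumed input (my assumption, not the page's): one dict per template whose
keys mirror the AD attribute names, with enrollment ACEs already resolved
into (principal, right) pairs. All templates below are constructed data."""

# Flag values from the Windows PKI headers.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that make the resulting certificate usable for logon.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

# Groups treated as "any low-privileged principal can enroll".
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_conditions(template, published):
    """Return {condition: holds?} for the ESC1 conditions; all True means exploitable."""
    name_flags = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flags = template.get("msPKI-Enrollment-Flag", 0)
    ekus = template.get("pKIExtendedKeyUsage", [])
    broad_enrollers = sorted(
        principal.split("\\")[-1]
        for principal, right in template.get("enrollment", [])
        if right == "Enroll" and principal.split("\\")[-1] in BROAD_PRINCIPALS
    )
    auth_ekus = [AUTH_EKUS[oid] for oid in ekus if oid in AUTH_EKUS]
    return {
        "published on an enterprise CA": template["cn"] in published,
        "enrollee supplies subject (SAN)": bool(name_flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "manager approval disabled": not (enroll_flags & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures required": template.get("msPKI-RA-Signature", 0) == 0,
        "broad enrollment rights": bool(broad_enrollers),
        # An empty EKU list means "any purpose", which also allows logon.
        "authentication EKU or no EKU": not ekus or bool(auth_ekus),
    }


def audit_esc1(templates, published):
    """Return {template cn: [conditions that do NOT hold]}; an empty list means ESC1."""
    return {
        t["cn"]: [name for name, holds in esc1_conditions(t, published).items() if not holds]
        for t in templates
    }


# Constructed sample data.
PUBLISHED = {"VulnWebServer", "User", "WebServer", "ApprovedAdminAuth"}
TEMPLATES = [
    {   # The vulnerable template from the post: every ESC1 condition holds.
        "cn": "VulnWebServer",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"],
        "enrollment": [("CORP\\Domain Users", "Enroll"), ("CORP\\Domain Admins", "Enroll")],
    },
    {   # Default-style User template: the subject is built from AD, so the flag is clear.
        "cn": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enrollment": [("CORP\\Domain Users", "Enroll")],
    },
    {   # Default-style WebServer: SAN is supplied, but only admins enroll and there is no auth EKU.
        "cn": "WebServer",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enrollment": [("CORP\\Domain Admins", "Enroll"), ("CORP\\Enterprise Admins", "Enroll")],
    },
    {   # Same shape as VulnWebServer, but manager approval is required.
        "cn": "ApprovedAdminAuth",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enrollment": [("CORP\\Authenticated Users", "Enroll")],
    },
]

if __name__ == "__main__":
    for cn, missing in audit_esc1(TEMPLATES, PUBLISHED).items():
        verdict = "ESC1" if not missing else "ok (" + "; ".join(missing) + ")"
        print(f"{cn:20} {verdict}")
```

The report lists, per template, which ESC1 conditions fail to hold; that list doubles as the remediation menu, since making any one of them fail (clear the flag, require approval, narrow enrollment, drop the authentication EKU) breaks the chain.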
2. ESC4 — Vulnerable Certificate Template ACLs¶
When low-privileged users hold write permissions on a certificate template object in Active Directory (WriteDacl, WriteOwner or WriteProperty, the broader GenericAll/GenericWrite, or ownership of the object), they can modify the template to introduce the ESC1 conditions, enroll, and revert the change once the certificate is issued, effectively creating a misconfiguration on demand. Because templates live in the Configuration naming context, the change replicates to every domain controller in the forest.
Detection Focus:
- Monitor ACL and attribute changes under `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example,DC=com`. Event ID 5136 is only written if the Directory Service Changes audit subcategory is enabled and the container carries a SACL that audits Write Property and Write DACL/Owner for the principals of interest.
- Alert on 5136 events whose object class is `pKICertificateTemplate` and whose changed attribute is `nTSecurityDescriptor` (a WriteDacl or WriteOwner change) or one of the `msPKI-*` flag attributes.
- Cross-reference with issuance events (Event ID 4887, logged on the CA) for the same template within a short time window.
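The time-window cross-reference in the last bullet, as an added Python example (not from the original post) over already-parsed 5136 and 4887 records, the way a SIEM presents them once EventData has been split into fields. Timestamps, accounts and the template DN are constructed; the modify, enroll, revert sequence mirrors how ESC4 is typically exploited.

```python
"""Correlate template edits (5136) with issuance (4887) on the same template
inside a look-back window (added example; all events below are constructed)."""

import re
from datetime import datetime, timedelta

# Template attributes whose modification can turn a template into ESC1.
SENSITIVE_ATTRS = {
    "msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag", "msPKI-RA-Signature",
    "pKIExtendedKeyUsage", "msPKI-Certificate-Application-Policy", "nTSecurityDescriptor",
}


def template_cn(object_dn):
    """'CN=VulnWebServer,CN=Certificate Templates,...' -> 'VulnWebServer'."""
    first = object_dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def template_from_attributes(attributes):
    """Pull the template name out of a 4887 Attributes field ('CertificateTemplate:Name')."""
    m = re.search(r"(?i)CertificateTemplate:([^\r\n]+)", attributes)
    return m.group(1).strip() if m else ""


def correlate_esc4(events, window=timedelta(minutes=30)):
    """Return one alert per (sensitive 5136 edit, 4887 issuance) pair on the same
    template where the edit happened at most `window` before the issuance."""
    edits = [
        e for e in events
        if e["EventID"] == 5136
        and e["ObjectClass"] == "pKICertificateTemplate"
        and e["AttributeLDAPDisplayName"] in SENSITIVE_ATTRS
    ]
    alerts = []
    for issue in (e for e in events if e["EventID"] == 4887):
        template = template_from_attributes(issue["Attributes"])
        issued_at = datetime.fromisoformat(issue["TimeCreated"])
        for edit in edits:
            edited_at = datetime.fromisoformat(edit["TimeCreated"])
            gap = issued_at - edited_at
            # Only edits *before* the issuance count; the later revert is not a precursor.
            if template_cn(edit["ObjectDN"]) == template and timedelta(0) <= gap <= window:
                alerts.append({
                    "template": template,
                    "modified_by": edit["SubjectUserName"],
                    "attribute": edit["AttributeLDAPDisplayName"],
                    "requester": issue["Requester"],
                    "minutes_between": gap.total_seconds() / 60,
                })
    return alerts


# Constructed sample events (fields named after the EventData <Data Name="..."> elements).
TEMPLATE_DN = ("CN=VulnWebServer,CN=Certificate Templates,CN=Public Key Services,"
               "CN=Services,CN=Configuration,DC=corp,DC=example,DC=com")

EVENTS = [
    # Legitimate PKI-admin change two days earlier: outside the window.
    {"TimeCreated": "2026-03-10T09:00:00", "EventID": 5136, "ObjectClass": "pKICertificateTemplate",
     "ObjectDN": TEMPLATE_DN, "AttributeLDAPDisplayName": "pKIExtendedKeyUsage",
     "SubjectUserName": "pkiadmin"},
    # Attacker flips the SAN flag, enrolls four minutes later, then reverts.
    {"TimeCreated": "2026-03-12T10:00:00", "EventID": 5136, "ObjectClass": "pKICertificateTemplate",
     "ObjectDN": TEMPLATE_DN, "AttributeLDAPDisplayName": "msPKI-Certificate-Name-Flag",
     "SubjectUserName": "lowpriv"},
    {"TimeCreated": "2026-03-12T10:04:00", "EventID": 4887, "Requester": "CORP\\lowpriv",
     "Attributes": "CertificateTemplate:VulnWebServer"},
    {"TimeCreated": "2026-03-12T10:06:00", "EventID": 5136, "ObjectClass": "pKICertificateTemplate",
     "ObjectDN": TEMPLATE_DN, "AttributeLDAPDisplayName": "msPKI-Certificate-Name-Flag",
     "SubjectUserName": "lowpriv"},
    # Ordinary issuance from an untouched template.
    {"TimeCreated": "2026-03-12T11:00:00", "EventID": 4887, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User\nccm:WS01.corp.example.com"},
]

if __name__ == "__main__":
    for alert in correlate_esc4(EVENTS):
        print(alert)
```

Expect noise from legitimate PKI administrators who edit a template and then test-enroll; suppress by allow-listing the `modified_by` accounts that own the PKI rather than by widening the window.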
3. ESC8 — NTLM Relay to ADCS Web Enrollment¶
If the ADCS web enrollment endpoint (https://ca01.corp.example.com/certsrv/) is reachable over plain HTTP, or over HTTPS without Extended Protection for Authentication (channel binding), an attacker can coerce a machine account into authenticating (for example via EFSRPC/PetitPotam), relay that NTLM authentication to the CA and obtain a certificate for the machine. Combined with S4U2Self, this yields a service ticket as any user on that machine; if the coerced machine is a domain controller, the certificate authenticates as the DC itself and allows DCSync.
| ESC Path | Misconfiguration | Impact | Difficulty |
|---|---|---|---|
| ESC1 | SAN flag + broad enrollment | Domain Admin impersonation | Low |
| ESC4 | WriteDacl on template | Template weaponization | Medium |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | Any template with an authentication EKU behaves like ESC1 | Low |
| ESC8 | HTTP enrollment without EPA | Machine account certificate theft | Medium |
4. ESC6 — The CA-Level SAN Override¶
When the CA itself has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled, the CA honours a SAN passed as a request attribute (`certreq -attrib "SAN:upn=..."`), so every template that grants enrollment and allows authentication becomes effectively vulnerable to SAN abuse, regardless of its own `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` setting. This is a single registry value that turns the entire PKI into an escalation vector. One caveat: since the May 2022 update (KB5014754) a patched CA embeds the requester's objectSid in the issued certificate and domain controllers compare it with the account being impersonated, so ESC6 on a fully patched forest is mitigated unless the template suppresses that extension (ESC9) or the DCs still run with strong certificate binding disabled. Treat the flag as a finding either way.
Check for ESC6 on ca01.corp.example.com (run on the CA host):

```text
certutil -getreg policy\EditFlags
```

If the output lists EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000 of the EditFlags value), the CA is vulnerable. Remediation: remove the flag with `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2`, then restart the CA service (`net stop certsvc && net start certsvc`) so the policy module picks up the change.
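As an added example (not from the original post), a Python decoder for the EditFlags value that the command above prints, so the check can be run over certutil output collected from many CAs instead of read by eye. SAMPLE_OUTPUT is constructed to follow certutil's layout (the CA name CORP-CA01-CA is invented); the flag values are the EDITF_* constants from certsrv.h.

```python
"""Decode `certutil -getreg policy\\EditFlags` output and evaluate ESC6 (added example).

SAMPLE_OUTPUT is constructed, not captured; flag bits are from certsrv.h."""

import re

EDIT_FLAGS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000010: "EDITF_ADDOLDCERTTYPE",
    0x00000020: "EDITF_ATTRIBUTEENDDATE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000080: "EDITF_BASICCONSTRAINTSCA",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00000200: "EDITF_ATTRIBUTECA",
    0x00000400: "EDITF_IGNOREREQUESTERGROUP",
    0x00008000: "EDITF_ATTRIBUTEEKU",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00020000: "EDITF_EMAILOPTIONAL",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
    0x00200000: "EDITF_AUDITCERTTEMPLATELOAD",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000


def parse_editflags(certutil_output):
    """Extract the hex EditFlags DWORD from `certutil -getreg policy\\EditFlags` output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", certutil_output)
    if not m:
        raise ValueError("no 'EditFlags REG_DWORD = ...' line found")
    return int(m.group(1), 16)


def decode_editflags(value):
    """Name every known flag set in the DWORD; leftover bits are reported as hex."""
    names = [name for bit, name in sorted(EDIT_FLAGS.items()) if value & bit]
    unknown = value & ~sum(EDIT_FLAGS)
    if unknown:
        names.append("unknown:0x%x" % unknown)
    return names


def esc6_exposed(value):
    """True when the CA accepts a SAN from the request attributes (ESC6)."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


def remediated_value(value):
    """The DWORD after `certutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2`."""
    return value & ~EDITF_ATTRIBUTESUBJECTALTNAME2


# Constructed sample of certutil's output on an ESC6-positive CA.
SAMPLE_OUTPUT = """HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CORP-CA01-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40
    EDITF_ENABLEAKIKEYID -- 100
    EDITF_ENABLEDEFAULTSMIME -- 10000
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

if __name__ == "__main__":
    flags = parse_editflags(SAMPLE_OUTPUT)
    print("EditFlags = 0x%x -> %s" % (flags, ", ".join(decode_editflags(flags))))
    print("ESC6 exposed:", esc6_exposed(flags))
    print("after remediation: 0x%x" % remediated_value(flags))
```

The common default on a 2012 or later CA decodes to 0x11014e (no SAN flag); an ESC6-positive CA typically shows 0x15014e, the same set plus the 0x40000 bit. The remediated value is what you should see after the `-setreg` command and service restart.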
ATT&CK Technique Spotlight¶
T1649 — Steal or Forge Authentication Certificates¶
T1649 covers adversary techniques for abusing certificate-based authentication. This includes requesting certificates with manipulated SANs, forging certificates using stolen CA keys, and using tools like Certify and Certipy to automate ADCS exploitation.
Why it matters: Certificate-based persistence survives password resets and MFA changes. A stolen or forged certificate is valid until its expiration date or until it is explicitly revoked, and most organizations have neither issuance nor revocation monitoring in their SOC playbooks. Disabling the account does still block PKINIT, because the KDC checks account status before issuing a TGT, which is why disabling a compromised privileged account must come before revoking its certificates, not instead of it.
Detection Query 1 — Certificate Enrollment with SAN (ESC1/ESC6):

Event ID 4887 carries `Requester`, `Attributes` and `Subject`. A SAN passed as a request attribute (the ESC6 path) appears in `Attributes` as `SAN:upn=...`; a SAN embedded in the CSR (the ESC1 path) does not, so this query catches ESC6 directly and ESC1 only when the attacker also set a foreign Subject. For full ESC1 coverage, compare the requester against the UPN recorded in the CA database (e.g. `certutil -view -out "RequestID,RequesterName,UPN,CertificateTemplate"`).

KQL (Microsoft Sentinel, SecurityEvent table; EventData is the raw XML string):

```kusto
SecurityEvent
| where EventID == 4887
| extend Requester  = extract(@'<Data Name="Requester">([^<]*)</Data>', 1, EventData)
| extend Attributes = extract(@'<Data Name="Attributes">([\s\S]*?)</Data>', 1, EventData)
| extend Subject    = extract(@'<Data Name="Subject">([^<]*)</Data>', 1, EventData)
| extend RequestedSAN = extract(@'(?i)\bSAN:([^\r\n<]+)', 1, Attributes)
| extend RequesterAccount = tolower(tostring(split(Requester, @'\')[-1]))
| where isnotempty(RequestedSAN)
    or (isnotempty(Subject) and tolower(Subject) !contains RequesterAccount)
| project TimeGenerated, Computer, Requester, Subject, RequestedSAN, Attributes
| sort by TimeGenerated desc
```

SPL (Splunk, Windows Security log; fields are pulled from the message text so the query does not depend on the add-on's field names):

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4887
| rex field=_raw "Requester:\s+(?<Requester>[^\r\n]+)"
| rex field=_raw "Subject:\s+(?<Subject>[^\r\n]+)"
| rex field=_raw "(?i)\bSAN:(?<RequestedSAN>[^\r\n]+)"
| eval RequesterAccount=lower(mvindex(split(Requester, "\\"), -1))
| where isnotnull(RequestedSAN)
    OR (isnotnull(Subject) AND NOT like(lower(Subject), "%".RequesterAccount."%"))
| table _time host Requester Subject RequestedSAN
```
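The Detection Query 1 logic, as an added Python example (not from the original post) run over constructed Event ID 4887 EventData fragments, so the rule and its blind spot can be exercised offline. The `make_4887` helper, the request IDs and the accounts are mine; the fourth record is an ESC1 request whose SAN lives only in the CSR, which this rule cannot see.

```python
"""Run the 4887 SAN/Subject mismatch rule over EventData fragments (added example).

The fragments are constructed to mirror the 4887 layout (Requester, Attributes,
Subject); none were captured from a real CA. The rule is my own: flag a
request whose Attributes carry a 'SAN:' request attribute (the ESC6 pattern)
or whose issued Subject does not name the requester."""

import re


def data_field(event_xml, name):
    """Return the text of <Data Name="NAME">...</Data>, or '' when absent."""
    m = re.search(r'<Data Name="%s">(.*?)</Data>' % re.escape(name), event_xml, re.S)
    return m.group(1).strip() if m else ""


def analyse_4887(event_xml):
    """Return (request_id, template, findings) for one 4887 event; empty findings = benign."""
    requester = data_field(event_xml, "Requester")      # e.g. CORP\jdoe
    attributes = data_field(event_xml, "Attributes")    # request attributes, one per line
    subject = data_field(event_xml, "Subject")          # DN of the issued certificate
    account = requester.split("\\")[-1].lower()

    template = re.search(r"(?i)CertificateTemplate:([^\r\n]+)", attributes)
    san_attr = re.search(r"(?i)\bSAN:([^\r\n]+)", attributes)

    findings = []
    if san_attr:
        # Only a SAN passed as a request attribute (certreq -attrib "SAN:upn=...",
        # i.e. the ESC6 path) shows up here; a SAN inside the CSR extension does not.
        findings.append("SAN request attribute: " + san_attr.group(1).strip())
    if subject and account and account not in subject.lower():
        findings.append("issued Subject does not name requester " + requester)
    return (
        data_field(event_xml, "RequestId"),
        template.group(1).strip() if template else "",
        findings,
    )


def suspicious_requests(events):
    """Reduce a batch of 4887 events to the ones with findings."""
    return [r for r in map(analyse_4887, events) if r[2]]


def make_4887(request_id, requester, attributes, subject):
    """Build a 4887 EventData fragment in the shape the Security log emits (constructed)."""
    return (
        '<EventData><Data Name="RequestId">%s</Data><Data Name="Requester">%s</Data>'
        '<Data Name="Attributes">%s</Data><Data Name="SubjectKeyIdentifier"></Data>'
        '<Data Name="Subject">%s</Data></EventData>'
        % (request_id, requester, attributes, subject)
    )


# Constructed sample events.
EVENTS = [
    # Normal user enrollment: subject is built from AD and names the requester.
    make_4887("1041", "CORP\\jdoe",
              "CertificateTemplate:User\nccm:WS01.corp.example.com",
              "CN=jdoe,OU=Users,DC=corp,DC=example,DC=com"),
    # ESC6: SAN smuggled in as a request attribute.
    make_4887("1042", "CORP\\lowpriv",
              "CertificateTemplate:User\nSAN:upn=administrator@corp.example.com\n"
              "ccm:WS02.corp.example.com",
              "CN=lowpriv,OU=Users,DC=corp,DC=example,DC=com"),
    # ESC1 with an attacker-chosen Subject as well as SAN.
    make_4887("1043", "CORP\\lowpriv", "CertificateTemplate:VulnWebServer", "CN=administrator"),
    # ESC1 with a benign Subject and the SAN only in the CSR: invisible to this rule.
    make_4887("1044", "CORP\\lowpriv", "CertificateTemplate:VulnWebServer", "CN=lowpriv"),
]

if __name__ == "__main__":
    for request_id, template, findings in suspicious_requests(EVENTS):
        print(request_id, template, "; ".join(findings))
```

Record 1044 is the reason the query text above points at the CA database: the issuance log alone cannot distinguish that request from a legitimate one, so ESC1 detection needs either the CA's `UPN` column or a template audit that catches the misconfiguration before it is used.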
Detection Query 2 — Certificate Template Modification (ESC4):

These only fire if Directory Service Changes auditing is enabled and the `CN=Certificate Templates` container has a SACL. Attribute names are matched as AD stores them (`nTSecurityDescriptor`, `pKIExtendedKeyUsage`), and `msPKI-Certificate-Application-Policy` is included because schema version 2 and later templates take their EKUs from it.

KQL:

```kusto
SecurityEvent
| where EventID == 5136
| extend ObjectClass = extract(@'<Data Name="ObjectClass">([^<]*)</Data>', 1, EventData)
| where ObjectClass =~ "pKICertificateTemplate"
| extend ObjectDN = extract(@'<Data Name="ObjectDN">([^<]*)</Data>', 1, EventData)
| extend ModifiedAttribute = extract(@'<Data Name="AttributeLDAPDisplayName">([^<]*)</Data>', 1, EventData)
| extend AttributeValue = extract(@'<Data Name="AttributeValue">([^<]*)</Data>', 1, EventData)
| extend ModifiedBy = extract(@'<Data Name="SubjectUserName">([^<]*)</Data>', 1, EventData)
| where ModifiedAttribute in~ ("msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
    "msPKI-RA-Signature", "pKIExtendedKeyUsage",
    "msPKI-Certificate-Application-Policy", "nTSecurityDescriptor")
| project TimeGenerated, Computer, ModifiedBy, ObjectDN, ModifiedAttribute, AttributeValue
| sort by TimeGenerated desc
```

SPL:

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=5136 pKICertificateTemplate
| rex field=_raw "Account Name:\s+(?<ModifiedBy>\S+)"
| rex field=_raw "DN:\s+(?<ObjectDN>[^\r\n]+)"
| rex field=_raw "LDAP Display Name:\s+(?<ModifiedAttribute>\S+)"
| rex field=_raw "Value:\s+(?<AttributeValue>[^\r\n]+)"
| search ModifiedAttribute IN ("msPKI-Certificate-Name-Flag", "msPKI-Enrollment-Flag",
    "msPKI-RA-Signature", "pKIExtendedKeyUsage",
    "msPKI-Certificate-Application-Policy", "nTSecurityDescriptor")
| table _time host ModifiedBy ObjectDN ModifiedAttribute AttributeValue
```
Recommendations for SOC Teams¶
- Audit all certificate templates immediately. Use `certutil -v -dstemplate` or open-source tooling such as Certify or Certipy to enumerate every template. Flag any template where `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` is set, enrollment is granted to broad groups, neither approval nor authorized signatures are required, and an authentication EKU (or no EKU) is present.
- Disable `EDITF_ATTRIBUTESUBJECTALTNAME2` on every CA. This single flag is the highest-impact quick win. Check with `certutil -getreg policy\EditFlags`, remove the flag if present, and restart the CA service.
- Enforce HTTPS with EPA on all ADCS web enrollment endpoints. Disable HTTP enrollment entirely and enable Extended Protection for Authentication on the IIS site hosting `/certsrv/` to prevent NTLM relay (ESC8); the Certificate Enrollment Web Service endpoints need the same treatment, and roles that nobody uses should be uninstalled rather than hardened.
- Monitor Event IDs 4886, 4887 and 5136. Certificate request and issuance events (4886/4887) are only written when CA auditing is enabled (`certutil -setreg CA\AuditFilter 127` plus the Object Access > Certification Services audit policy on the CA), and 5136 on template objects needs Directory Service Changes auditing with a SACL on the template container. Forward these to your SIEM and build alerting rules using the queries above.
- Implement certificate issuance and revocation monitoring. Add CRL and OCSP monitoring to your SOC dashboards, track certificate lifetimes, and alert on certificates issued to privileged accounts outside of approved enrollment workflows.
- Restrict enrollment rights. Replace `Domain Users` and `Authenticated Users` enrollment permissions with dedicated security groups, and apply the principle of least privilege to every template.
Resources¶
- Chapter 45: AD Red Teaming — ADCS exploitation techniques and privilege escalation paths in Active Directory environments
- Chapter 33: Identity & Access Security — Active Directory hardening, PAM, and identity-based attack defenses
- Chapter 32: Applied Cryptography — PKI architecture, certificate management, and cryptographic controls
- Purple Team Exercise Library — Test ADCS attack detection with structured purple team exercises
- Detection Query Library — Additional KQL and SPL queries for certificate abuse and AD attacks