Active Directory Certificate Services Under Siege: Attack Vectors & Defense Playbook¶

Certificate Services was never designed to be an attack surface — but in 2026, it is one of the most reliable privilege escalation paths in enterprise Active Directory environments. Misconfigured templates, weak ACLs, and overlooked relay vectors turn ADCS into a golden ticket factory. This post maps the full spectrum of ESC vulnerabilities, walks through a fictional intrusion by the GOLDEN CIPHER threat actor, and delivers a hardening checklist your team can execute this week.

Why ADCS Is the New Attack Surface¶

Most organizations deployed ADCS years ago to support smart card logon, Wi-Fi authentication, or internal TLS — then never revisited the configuration. The result is a sprawling PKI infrastructure where:

Certificate templates grant enrollment to Domain Users by default with no manager approval.
Subject Alternative Name (SAN) specification is enabled on templates that should never allow it.
Web enrollment endpoints are exposed without Extended Protection for Authentication (EPA).
Certificate revocation is rarely automated, leaving compromised certificates valid for months or years.

Unlike password theft, certificate abuse survives password resets, bypasses MFA in many configurations, and generates minimal telemetry in default logging setups. A single misconfigured template can grant an attacker persistent domain admin access with a validity period measured in years.

For foundational ADCS concepts and earlier ESC coverage, see our April deep dive on ADCS attack paths and Chapter 16: Active Directory Security.

The ESC Vulnerability Landscape¶

The research community has identified thirteen distinct escalation paths (ESC1 through ESC13) targeting ADCS components. Below is a consolidated reference.

High-Impact Escalations (ESC1–ESC8)¶

ESC	Vector	Core Risk
ESC1	Enrollee-supplied SAN on a Client Auth template	Impersonate any user, including Domain Admins
ESC2	Template with "Any Purpose" or no EKU restriction	Broad certificate usage enables authentication as any principal
ESC3	Enrollment agent template abuse	Request certificates on behalf of other users via a two-stage chain
ESC4	Weak template ACLs	Modify a template to introduce ESC1/ESC2 conditions
ESC5	Weak CA server object ACLs	Take control of the CA object itself via AD permissions
ESC6	`EDITF_ATTRIBUTESUBJECTALTNAME2` flag on the CA	Any certificate request can include an arbitrary SAN regardless of template settings
ESC7	Weak CA security descriptor	Abuse ManageCA or ManageCertificates permissions to approve pending requests or alter CA config
ESC8	HTTP-based enrollment relay (NTLM relay to web enrollment)	Relay machine account authentication to the CA web endpoint and obtain a certificate

Emerging Escalations (ESC9–ESC13)¶

The research community continues to expand the taxonomy:

ESC9 / ESC10 — Certificate mapping bypass via weak mapping configurations (StrongCertificateBindingEnforcement and CertificateMappingMethods registry values).
ESC11 — NTLM relay to the ICertPassage RPC interface (IF_ENFORCEENCRYPTICERTREQUEST not enabled).
ESC12 — CA private key stored in a misconfigured DPAPI-protected location or HSM with weak access controls.
ESC13 — Issuance policy OID linked to a group via an OID-mapped application policy, granting group membership upon certificate enrollment.

ESC13 is particularly noteworthy because it turns certificate enrollment into an implicit group membership grant — a concept many defenders have not yet incorporated into their threat models.

For advanced identity attack chains that combine ADCS with Kerberos delegation and shadow credentials, see Chapter 17: Advanced Identity Attacks.

Attack Chain Walkthrough: Operation GOLDEN CIPHER¶

The following fictional scenario illustrates how the GOLDEN CIPHER threat actor compromised Meridian Aerospace (meridian-aero.example.com) using a multi-stage ADCS attack chain.

Fictional Scenario

All organizations, domains, IPs, and credentials below are entirely synthetic. This walkthrough is for educational and defensive purposes only.

Stage 1 — Initial Access¶

GOLDEN CIPHER gained initial access via a spear-phishing email targeting j.nakamura@meridian-aero.example.com, a junior engineer in the satellite communications division. The payload established a C2 beacon to 198.51.100.47 over HTTPS.

Stage 2 — Reconnaissance¶

From the compromised workstation (WS-ENG-0142), the operator enumerated ADCS infrastructure:

# Synthetic Certify output — enumeration of vulnerable templates
[*] Enterprise CA: MERIDIAN-CA01 (ca01.meridian-aero.example.com)
[*] Template: RemoteAccessVPN
    Enrollment Rights: MERIDIAN\Domain Users
    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: True
    EKU: Client Authentication
    Manager Approval: Disabled
    Validity: 1 year
    [!] ESC1 — Enrollee can supply SAN with Client Auth EKU

The RemoteAccessVPN template was provisioned three years earlier for a VPN migration project and never decommissioned.

Stage 3 — Privilege Escalation via ESC1¶

The operator requested a certificate with a SAN of admin.t.reeves@meridian-aero.example.com (the domain admin account) and used PKINIT to obtain a TGT:

# Synthetic — certificate request with arbitrary SAN
[*] Certificate enrolled successfully
    Subject: CN=j.nakamura
    SAN: admin.t.reeves@meridian-aero.example.com
    Thumbprint: A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2
    Valid: 2026-07-01 to 2027-07-01

[*] TGT obtained for admin.t.reeves@MERIDIAN-AERO.EXAMPLE.COM

Stage 4 — Persistence & Objectives¶

With domain admin credentials, GOLDEN CIPHER deployed a Golden Certificate by extracting the CA private key, granting indefinite persistence independent of password changes or account modifications. They exfiltrated engineering documents to 203.0.113.88 before detection.

Total dwell time: 6 hours from initial access to domain admin.

Detection Strategies¶

Effective ADCS monitoring requires enabling certificate lifecycle auditing and correlating enrollment events with authentication patterns.

KQL — Suspicious Certificate Enrollment with SAN Mismatch¶

SecurityEvent
| where EventID == 4887
| extend RequestedSAN = extract("Subject Alternative Name.*?=(.*?)\\s", 1, EventData)
| extend Requester = extract("Requester.*?=(.*?)\\s", 1, EventData)
| where RequestedSAN != "" and RequestedSAN !contains Requester
| project TimeGenerated, Computer, Requester, RequestedSAN, TemplateName
| sort by TimeGenerated desc

KQL — Certificate-Based Authentication from Unusual Source¶

SecurityEvent
| where EventID == 4768
| where CertThumbprint != ""
| summarize AuthCount = count(), DistinctIPs = dcount(IpAddress) by TargetUserName, CertThumbprint, bin(TimeGenerated, 1h)
| where DistinctIPs > 3 or AuthCount > 50

SPL — ADCS Web Enrollment Relay Indicators (ESC8)¶

index=windows sourcetype="WinEventLog:Security" EventCode=4768 CertificateThumbprint!=""
| eval src_match=if(match(src_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), "internal", "external")
| stats count by src_ip, Account_Name, CertificateThumbprint, src_match
| where count > 5
| sort -count

SPL — New Certificate Template Creation or Modification¶

index=windows sourcetype="WinEventLog:Security" (EventCode=4899 OR EventCode=4900)
| table _time, Account_Name, TemplateName, TemplateContent
| sort -_time

Enable the Right Logs

ADCS certificate enrollment auditing is not enabled by default. You must configure audit policy on the CA server: certutil -setreg CA\AuditFilter 127 and enable Object Access > Audit Certification Services in Group Policy.

Defensive Hardening Checklist¶

Implement these ten controls to dramatically reduce your ADCS attack surface:

Audit every certificate template — Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT from any template that does not have a documented, approved business need for SAN specification.
Restrict enrollment rights — Replace Domain Users and Authenticated Users enrollment permissions with dedicated security groups scoped to the specific use case.
Require manager approval on sensitive templates — Any template with Client Authentication, Smart Card Logon, or "Any Purpose" EKU should require CA manager approval.
Disable the ESC6 flag — Run certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 on every CA and restart the CertSvc service.
Enforce EPA on web enrollment — Enable Extended Protection for Authentication on all IIS-hosted ADCS enrollment endpoints to block NTLM relay (ESC8).
Harden CA server ACLs — Restrict ManageCA and ManageCertificates permissions to a dedicated PKI admin group. Audit the CA security descriptor quarterly.
Enable strong certificate mapping — Set StrongCertificateBindingEnforcement = 2 (Windows Server 2022+) to mitigate ESC9/ESC10 mapping bypass attacks.
Monitor certificate lifecycle events — Forward EventIDs 4886 (request), 4887 (issuance), 4888 (denial), 4899/4900 (template changes) to your SIEM with alerting rules.
Decommission unused templates — Conduct a quarterly review of published templates. Remove any template that has not been used in 90 days unless it has a documented exception.
Protect the CA private key — Store CA keys in an HSM or TPM-backed storage. If software-based, restrict DPAPI access to the CA service account only.

Purple Team Testing Recommendations¶

Validating your ADCS defenses requires controlled testing of each ESC path against your production templates and CA configuration. We recommend the following approach:

Use the Nexus Purple Team framework to structure ADCS exercises. The Purple Team Exercise Library includes certificate abuse scenarios with defined red and blue objectives.
Test ESC1 first — it remains the most common and highest-impact misconfiguration. Validate that your detection queries fire on synthetic SAN mismatch requests.
Simulate ESC8 relay attacks in a lab environment to confirm EPA enforcement on web enrollment endpoints.
Validate certificate revocation workflows — can your team revoke a compromised certificate and confirm that PKINIT authentication fails within your SLA?
Map ADCS exercises to ATT&CK — ESC1 maps to T1649 (Steal or Forge Authentication Certificates). Ensure your detection coverage spans the full certificate abuse kill chain.

For red team methodology and structured ADCS testing procedures, see Chapter 45: Active Directory Red Teaming.