Active Directory Certificate Services (ADCS) is how Windows issues certificates: for user authentication, computer authentication, web services, VPN, code signing. It’s also, since SpecterOps’s 2021 “Certified Pre-Owned” research, one of the fastest paths from user to Domain Admin. This module covers the attack classes (ESC1-ESC8+) and defences.
ADCS primer
- Certification Authority (CA): issues certificates
- Certificate Template: defines what a specific cert can be used for (auth, email, code signing)
- Enrollment: user or computer requests a cert; CA signs if policy allows
- Authentication: user presents cert; service validates signature chain
Certificate authentication is STRONG: no password hashes, immune to NTLM relay, tied to the cert holder’s identity. That’s what makes it attractive, and what makes template misconfigurations so valuable to attackers.
ESC attack classes (selected)
ESC1: Template allows client authentication + subject specified by requester
If a certificate template:
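An added example, not part of the original module: a defender-side check for the ESC1 condition named in the heading above (client authentication plus requester-specified subject), run over template attributes as read from LDAP. The sample templates are constructed; the additional logon EKUs and the approval and signature gates go beyond what this page lists and are assumptions based on the standard template attributes.

```python
# Added example (not from the module): audit templates for the ESC1 condition.
# Each template is a dict of LDAP attributes; the sample values are constructed.

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)


def flag(attrs, name):
    """LDAP returns flag attributes as signed 32-bit ints; make them unsigned."""
    return int(attrs.get(name, 0)) & 0xFFFFFFFF


def audit_template(attrs):
    """Return 'esc1', 'mitigated' or 'ok' for one template's attributes."""
    auth = bool(AUTH_EKUS & set(attrs.get("pKIExtendedKeyUsage", [])))
    supplies = bool(flag(attrs, "msPKI-Certificate-Name-Flag")
                    & ENROLLEE_SUPPLIES_SUBJECT)
    if not (auth and supplies):
        return "ok"
    # Assumption beyond the page: manager approval or a required authorised
    # signature keeps a requester from obtaining the certificate unattended.
    gated = (bool(flag(attrs, "msPKI-Enrollment-Flag") & PEND_ALL_REQUESTS)
             or int(attrs.get("msPKI-RA-Signature", 0)) > 0)
    return "mitigated" if gated else "esc1"


def audit_all(templates):
    return {name: audit_template(attrs) for name, attrs in templates.items()}


SAMPLE_TEMPLATES = {  # constructed for illustration, not from a real forest
    "Example-VPNUser": {"msPKI-Certificate-Name-Flag": 1,
                        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    "Example-DirectoryUser": {"msPKI-Certificate-Name-Flag": -1509949440,
                              "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    "Example-WebServer": {"msPKI-Certificate-Name-Flag": 1,
                          "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]},
    "Example-Approved": {"msPKI-Certificate-Name-Flag": 1, "msPKI-Enrollment-Flag": 2,
                         "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLE_TEMPLATES).items():
        print(f"{verdict:9} {name}")
```

The check does not read the template's enrollment ACL, so an `esc1` verdict still needs a review of which principals are allowed to enrol.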