ADCS ESC1: How a Misconfigured Template Hands You Domain Admin in 2026

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026
7 min read

Last updated: April 26, 2026

Active Directory Certificate Services (ADCS) is one of the most consequential — and most overlooked — components in a Windows estate. Get a single template wrong, and an unprivileged user can request a certificate that authenticates as Domain Administrator. This is ESC1, the first and still most common ADCS misconfiguration we find on Indian enterprise pentests. This article walks through what ESC1 is, why it persists, how to find it, how to exploit it, and what to do about it on both sides of the engagement.

The five-minute version

A certificate template in Active Directory Certificate Services defines what a CA will issue and to whom. If a template that is published on an enterprise CA has all of the following properties:

  • Allows enrolment by a low-privilege group (Domain Users, Authenticated Users, Domain Computers)
  • Has EnrolleeSuppliesSubject enabled (the requester writes the Subject and the Subject Alternative Name, i.e. decides who the certificate is for)
  • Has an EKU that permits domain authentication: Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all
  • Requires neither manager approval nor any authorised signatures on the request

…then any user in the eligible enrolment group can request a certificate whose SAN says “I am the Domain Administrator.” When that certificate is presented for Kerberos PKINIT or Schannel logon, the DC maps it to the Administrator account and the requester gets domain-admin access. This is ESC1.

How to think about it

Most pentesters approach ADCS as “another Windows service to enumerate.” That is the wrong frame. ADCS is an identity assertion mechanism — when a CA signs a certificate, it is making a claim about who the holder is, and Active Directory trusts that claim implicitly. The certificate template controls what claims can be made, by whom.

The right mental model: think of certificate templates as IAM policies. A template that lets you say “I am anyone” is a wildcard sudoers entry. The CA is the auditor that just says yes.

So when you find ADCS in scope, you are not looking for “a vulnerability.” You are looking for templates whose policies are too permissive — same way you would look at AWS IAM roles for over-broad principals.

How to find ESC1 (and the other ESCs)

The single tool every red-teamer should know in 2026 is Certipy. It enumerates ADCS state, identifies vulnerable templates, and exploits them — all from a Linux box, no Windows session needed.

certipy find -u alice@corp.local -p 'Welcome123' -dc-ip 10.0.0.5 -vulnerable -enabled

Certipy walks the AD configuration partition, pulls every certificate template and enterprise CA, and checks each template against the known ESC techniques (ESC1 through ESC16 as of Certipy 5). For every flagged template the output names the misconfiguration class, the principals with enrolment rights, and a one-line reason for the flag (which principal can enrol, enrollee supplies subject, template allows client authentication).

What to look for in the output:

  • 'ESC1' in the [!] Vulnerabilities section of any template
  • Enrollment Rights (under Permissions) containing groups your user is a member of (Domain Users, Authenticated Users, or any custom group)
  • Authorities (CAs) where the template is enabled

If you see this, you have a path. Time to exploit.
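The conditions above, and the check Certipy performs before it prints an ESC1 flag, reduce to a handful of attribute tests on the template object. The script below is an added example for this article, not Certipy’s code: the template records are constructed, the LDAP attribute names and flag bits are the real ones from the Configuration partition, and it assumes the principals holding the Certificate-Enrollment right have already been resolved from the template’s nTSecurityDescriptor into SIDs (Certipy does that parsing for you). It also evaluates the same template after each of the minimal fixes from the defender section further down, so you can see which single change clears the flag.

```python
# ESC1 triage over certificate-template records, implementing the conditions
# from "The five-minute version" (plus the "no authorised signatures" check).
# Added example for this article, not Certipy's code. Records are constructed;
# attribute names and flag bits are the real MS-CRTD ones. ASSUMPTION: the
# principals holding the Certificate-Enrollment right have already been
# resolved from the template's nTSecurityDescriptor into SIDs ("enroll_sids").
from typing import Dict, List

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that let a certificate authenticate to the domain
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}  # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}           # Domain Users, Domain Computers (any domain)


def is_low_priv(sid: str) -> bool:
    """True for principals that effectively mean 'any account in the domain'."""
    if sid in LOW_PRIV_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def check_esc1(tpl: Dict) -> Dict[str, bool]:
    """Evaluate one template; every condition must hold for ESC1 to apply."""
    # LDAP hands these flags back as signed 32-bit ints; mask before bit tests.
    name_flag = tpl.get("msPKI-Certificate-Name-Flag", 0) & 0xFFFFFFFF
    enroll_flag = tpl.get("msPKI-Enrollment-Flag", 0) & 0xFFFFFFFF
    ekus = tpl.get("pKIExtendedKeyUsage", [])
    cond = {
        "low_priv_can_enroll": any(is_low_priv(s) for s in tpl.get("enroll_sids", [])),
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # No EKU at all (as on the SubCA template) is also usable for logon
        "auth_eku": (not ekus) or bool(set(ekus) & AUTH_EKUS),
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_signatures_required": tpl.get("msPKI-RA-Signature", 0) == 0,
        # Must appear in some CA's certificateTemplates attribute to be requestable
        "published": bool(tpl.get("published_on")),
    }
    cond["vulnerable"] = all(cond.values())
    return cond


def esc1_report(templates: List[Dict]) -> List[str]:
    """Names of the ESC1-vulnerable templates in a batch."""
    return [t["cn"] for t in templates if check_esc1(t)["vulnerable"]]


# Constructed records. The domain SID is made up; RID 513 is Domain Users,
# RID 1105 stands in for a tightly-scoped custom group.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
VULN = {
    "cn": "VulnTemplate",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enroll_sids": [f"{DOMAIN}-513"],
    "published_on": ["corp-CORPDC-CA"],
}
# The minimal fixes from the defender section, applied one at a time
FIX_A = {**VULN, "cn": "VulnTemplate-noESS", "msPKI-Certificate-Name-Flag": 0}
FIX_B = {**VULN, "cn": "VulnTemplate-approval", "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS}
FIX_C = {**VULN, "cn": "VulnTemplate-scoped", "enroll_sids": [f"{DOMAIN}-1105"]}
FIX_D = {**VULN, "cn": "VulnTemplate-noAuthEKU", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"]}
# Vulnerable on paper but published on no CA: not requestable, so not exploitable
UNPUBLISHED = {**VULN, "cn": "VulnTemplate-unpublished", "published_on": []}

if __name__ == "__main__":
    for t in (VULN, FIX_A, FIX_B, FIX_C, FIX_D, UNPUBLISHED):
        print(t["cn"], check_esc1(t))
    print("ESC1:", esc1_report([VULN, FIX_A, FIX_B, FIX_C, FIX_D, UNPUBLISHED]))
```

Feeding real data into check_esc1 means pulling each template under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration and resolving the enrolment ACEs; the attribute names in the records are the ones you will see in that query.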

Exploit walkthrough

Assume Certipy flagged a template called VulnTemplate as ESC1, enabled on CA corp-CORPDC-CA, eligible to Domain Users. You are user alice. You want to authenticate as the domain administrator Administrator.

Step 1: Request a certificate impersonating Administrator

certipy req \
  -u alice@corp.local -p 'Welcome123' \
  -ca 'corp-CORPDC-CA' -target dc.corp.local \
  -template 'VulnTemplate' \
  -upn 'administrator@corp.local'

Because the template has EnrolleeSuppliesSubject, the CA takes the Subject Alternative Name from the request and issues a certificate whose UPN is administrator@corp.local, without checking that alice has any relation to that account. Certipy saves the certificate and private key as administrator.pfx.

Step 2: Use the certificate to authenticate via PKINIT

certipy auth -pfx administrator.pfx -dc-ip 10.0.0.5

Certipy performs PKINIT (Kerberos pre-authentication with a certificate) against the domain controller. The DC validates the certificate chain, maps the UPN in the SAN to the Administrator account, and issues a TGT. Certipy also prints Administrator’s NT hash: because a PKINIT-authenticated user still needs NTLM to work, the KDC places the account’s NT hash in the PAC (PAC_CREDENTIAL_INFO), and Certipy recovers it with a User-to-User (U2U) TGS request made with the freshly obtained TGT.

You now have:

  • A Kerberos TGT for the Domain Administrator
  • The NT hash of the Administrator account

From here, the rest is mechanical: secretsdump.py to dump NTDS.dit, psexec.py for shell, BloodHound to verify the kingdom is yours.

Why ESC1 still works in 2026

The first ESC paper from SpecterOps was published in 2021. Microsoft has issued advisories. Every modern AD defender knows the term. And yet — almost every Indian enterprise environment we audit has at least one ESC1-vulnerable template. Why?

  • Templates were created years ago by long-departed admins. The Active Directory PKI was set up to issue certificates to a specific application. The team has changed three times since. Nobody owns the template.
  • Auditors do not look at certificate templates. ISO 27001 audits, RBI inspections, internal reviews — none of the standard checklists ask “list every certificate template and confirm none allow EnrolleeSuppliesSubject for low-privilege groups.”
  • Built-in templates are not vulnerable, so admins assume the system is fine. ESC1 lives in custom templates, often created by a vendor product (a backup tool, an MFA solution, a legacy line-of-business app).
  • Disabling a template breaks production. The template was created for a reason. Disabling it without replacing the dependent workflow is risky — so it stays.

How a defender should approach this

If you operate Active Directory and have ADCS deployed, run Certipy against your own environment now. Treat its output the way you would treat a vulnerability scanner finding on a public asset:

  • Inventory. Run certipy find with admin credentials. Save the output. You may have 30 templates; understand what each is for.
  • Triage. For each template flagged ESC1 (or any other ESC), identify the business owner. If nobody owns it, it is a candidate for deletion.
  • Mitigate. The minimal fix for ESC1 is one of: (a) clear EnrolleeSuppliesSubject so the subject is built from the requester’s AD object, (b) require CA certificate manager approval for issuance, (c) restrict enrolment to a tightly-scoped group rather than Domain Users, or (d) remove the authentication EKUs if the template was never meant for logon. Any one of these breaks the chain; pick the one the dependent workflow tolerates.
  • Detect. With CA auditing enabled (Audit Object Access plus the CA’s own audit filter), the CA logs Event ID 4886 (request received) and 4887 (request approved and issued) with the requester name; the domain controller logs Event ID 4768 with the certificate’s issuer, serial number and thumbprint when a TGT is obtained through PKINIT. A SIEM use-case that flags certificates whose SAN identity differs from the requester, or PKINIT logons to high-privilege accounts with certificates requested by someone else, catches active exploitation.
  • Re-test. After remediation, re-run Certipy. The template should no longer be flagged.
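The Detect bullet above describes two rules: one at issuance time (requester and SAN identity differ) and one at logon time (a PKINIT TGT for an account other than the one that requested the certificate). The following is an added example for this article, not a vendor detection, and both event feeds are constructed. It assumes the issuance rows are what you get from the CA database (certutil -view, or Event 4887 with CA auditing on) once the SAN UPN has been extracted from the issued certificate, that the 4768 rows carry the CertSerialNumber field DCs log for certificate pre-authentication, and that the field names are your own normalisation rather than any particular SIEM schema.

```python
# Detection logic for the "Detect" bullet: flag a certificate at issuance when
# the requester and the identity in the SAN differ, and flag it again at use
# when a PKINIT logon (DC event 4768) maps to an account other than the one
# that requested the certificate. Added example for this article, not a vendor
# rule. Both feeds are constructed. ASSUMPTIONS: issuance rows come from the CA
# database / 4887 with the SAN UPN already extracted from the certificate; 4768
# rows carry CertSerialNumber; field names follow no particular SIEM schema.
from typing import Dict, List

PRIVILEGED = {"administrator", "krbtgt"}  # extend with your Tier-0 accounts
PA_PK_AS_REQ = "16"                       # 4768 PreAuthType value for PKINIT

# Constructed CA issuance records (one per issued certificate)
ISSUED: List[Dict] = [
    {"RequestId": 1041, "Requester": "CORP\\alice", "Template": "VulnTemplate",
     "SerialNumber": "5a000000310f0e0d0c0b0a00000000000031", "SanUpn": "administrator@corp.local"},
    {"RequestId": 1042, "Requester": "CORP\\bob", "Template": "User",
     "SerialNumber": "5a00000032aabbccddeeff00000000000032", "SanUpn": "bob@corp.local"},
    {"RequestId": 1043, "Requester": "CORP\\svc-backup", "Template": "VulnTemplate",
     "SerialNumber": "5a00000033112233445566000000000000033", "SanUpn": "svc-backup@corp.local"},
]

# Constructed DC Security events 4768 (TGT requested); DCs log serials in upper case
EVENTS: List[Dict] = [
    {"EventID": 4768, "TargetUserName": "administrator", "PreAuthType": "16",
     "CertSerialNumber": "5A000000310F0E0D0C0B0A00000000000031", "IpAddress": "::ffff:10.0.0.77"},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "16",
     "CertSerialNumber": "5A00000032AABBCCDDEEFF00000000000032", "IpAddress": "::ffff:10.0.0.51"},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "2",
     "CertSerialNumber": "", "IpAddress": "::ffff:10.0.0.51"},  # password pre-auth, ignored
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": "16",
     "CertSerialNumber": "0ABCDEF00000000000000000000000000099", "IpAddress": "::ffff:10.0.0.90"},
]


def account_of(name: str) -> str:
    """'CORP\\alice', 'alice@corp.local' and 'alice' all normalise to 'alice'."""
    return name.split("\\")[-1].split("@")[0].lower()


def norm_serial(serial: str) -> str:
    return serial.replace(" ", "").lower()


def issuance_alerts(issued: List[Dict]) -> List[Dict]:
    """Rule 1: requester != SAN identity. Fires before the certificate is used."""
    alerts = []
    for r in issued:
        requester, target = account_of(r["Requester"]), account_of(r["SanUpn"])
        if requester != target:
            alerts.append({
                "rule": "cert-issued-for-other-identity",
                "severity": "critical" if target in PRIVILEGED else "high",
                "request_id": r["RequestId"], "requester": requester,
                "san_identity": target, "template": r["Template"],
            })
    return alerts


def logon_alerts(issued: List[Dict], events: List[Dict]) -> List[Dict]:
    """Rule 2: PKINIT logon whose certificate was requested by a different account."""
    by_serial = {norm_serial(r["SerialNumber"]): r for r in issued}
    alerts = []
    for e in events:
        if e.get("EventID") != 4768 or e.get("PreAuthType") != PA_PK_AS_REQ:
            continue
        logon_as = account_of(e["TargetUserName"])
        rec = by_serial.get(norm_serial(e.get("CertSerialNumber", "")))
        if rec is None:
            # Not issued by a CA we monitor: rogue/foreign CA or a collection gap
            alerts.append({"rule": "pkinit-cert-unknown-to-ca", "severity": "medium",
                           "account": logon_as, "serial": e["CertSerialNumber"],
                           "source_ip": e["IpAddress"]})
            continue
        requester = account_of(rec["Requester"])
        if requester != logon_as:
            alerts.append({"rule": "pkinit-as-other-account",
                           "severity": "critical" if logon_as in PRIVILEGED else "high",
                           "account": logon_as, "requester": requester,
                           "request_id": rec["RequestId"], "source_ip": e["IpAddress"]})
    return alerts


if __name__ == "__main__":
    for alert in issuance_alerts(ISSUED) + logon_alerts(ISSUED, EVENTS):
        print(alert)
```

Rule 1 is the one to wire up first: it fires on request 1041 the moment the CA issues the certificate, before any TGT exists. Rule 2 needs the CA records and the DC logs in the same place, but it is what tells you the certificate was actually used and from which source address.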

Microsoft’s May 2022 update KB5014754 also changed how DCs map certificates to accounts: enterprise CAs now stamp the requester’s SID into every issued certificate (the szOID_NTDS_CA_SECURITY_EXT extension), and a DC in Full Enforcement mode (StrongCertificateBindingEnforcement = 2 under HKLM\SYSTEM\CurrentControlSet\Services\Kdc) refuses a certificate that cannot be strongly mapped to the account it names. A classic ESC1 certificate requested by alice carries alice’s SID next to Administrator’s UPN, so enforcement mode rejects it. Compatibility mode (value 1) still accepts weakly mapped certificates and only logs a warning; since the February 2025 updates DCs default to enforcement unless the value has been explicitly pinned to 1, and in our experience many estates have pinned it. Move to enforcement once the audit events show no legacy certificates that would fail, and treat it as defence in depth rather than the fix: the template still needs remediating, because a CA with the SID extension disabled (ESC16) removes the protection.

How to find your next ADCS bug

ESC1 is the gateway. Once you understand certificate templates as policy, you can spot the other ESCs:

  • ESC2 / ESC3 — templates with the Any Purpose EKU (or no EKU), and templates with the Certificate Request Agent EKU that let you enrol on behalf of other users.
  • ESC4 — write access on a template object’s DACL means you can set the ESC1 conditions yourself, then exploit.
  • ESC6 — the CA flag EDITF_ATTRIBUTESUBJECTALTNAME2 accepts a SAN from the request attributes on any template, turning every template into ESC1.
  • ESC8 / ESC11 — NTLM relay to the CA’s HTTP enrolment endpoints (ESC8) or to its RPC ICertPassage interface when request encryption is not enforced (ESC11): coerce a machine account, relay, get a certificate as that machine.
  • ESC9 / ESC10 / ESC14 — weak certificate-to-account mapping: templates that omit the SID security extension, DCs left in weak mapping mode, and writable altSecurityIdentities attributes, so that a certificate is mapped to an account other than the one that requested it.
  • ESC13 / ESC15 / ESC16 — issuance-policy OIDs linked to groups (ESC13), schema version 1 templates that accept application policies from the request (ESC15, “EKUwu”), and a CA with the SID security extension disabled (ESC16), which undoes the May 2022 strong mapping protection.

The methodology is the same in each case: enumerate the templates and CA configuration, identify the misconfigured policy, request a certificate that exploits the misconfiguration, authenticate.

If you are testing ADCS for the first time, follow this learning sequence:

  1. Read the original SpecterOps “Certified Pre-Owned” white paper end to end. It is the canonical reference.
  2. Stand up a lab — Windows Server 2022 DC with ADCS, a vulnerable template, a domain user. Replicate the ESC1 attack chain manually.
  3. Run Certipy against the lab in find-mode and exploitation-mode.
  4. Switch sides — apply the fix, re-run Certipy, confirm clean.
  5. Add the SIEM rule for certificate issuance to high-privilege UPNs and trigger it with a test exploit.

By the time you do this against your fourth or fifth template, ADCS will feel less like a black box and more like a permission system you can reason about. That mental shift is what separates engineers who occasionally find ESC1 by tool from engineers who find ESC4 by reading the schema.

Compliance angle

For Indian regulated entities (BFSI under RBI, capital markets under SEBI CSCRF, healthcare under ABDM), an ESC1 finding is a serious audit issue. RBI Cyber Security Framework Annex II requires identity and access management with least privilege; a template that lets any user issue a Domain Admin certificate violates that principle. SEBI CSCRF’s MITRE ATT&CK alignment maps this attack chain to T1649 (Steal or Forge Authentication Certificates).

If you find ESC1 in your environment during a self-assessment, it is reportable as a high-severity finding to the CISO and (depending on internal policy) to the Audit Committee. Remediation should be tracked in the same ticketing system as other critical vulnerabilities.

The takeaway

ADCS is identity infrastructure. Certificate templates are policy. ESC1 is what happens when policy is too permissive. Run Certipy against your own environment today. The findings will surprise you, and they will be the highest-leverage Active Directory hardening work you do this quarter.
