Last updated: April 29, 2026
Active Directory Certificate Services (ADCS) is Microsoft’s enterprise PKI. It issues certificates for user authentication, server TLS, code signing, and S/MIME. It’s deployed in most enterprises that use AD. In 2021, SpecterOps published “Certified Pre-Owned,” which catalogued eight attack paths against misconfigured ADCS — ESC1 through ESC8. Most of them remain findable in 2026 because the misconfigurations are operational defaults, not bugs.
Why ADCS is attack-rich
ADCS allows certificate templates to specify who can request what kind of cert for what purpose. Templates have:
- Enroll permissions (who can request)
- Application Policies (what the cert is used for — Client Authentication, Server Authentication, etc.)
- Subject Alternative Name (SAN) options (whether the requester can supply an arbitrary SAN)
- Manager approval requirements
- Cert lifetime
Small configuration errors enable privilege escalation. Specifically, if a template allows low-privilege users to enroll for Client Authentication certs with attacker-supplied SAN, the attacker can request a cert with Administrator’s name in the SAN and authenticate as Administrator.
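The combination described above can be checked for during a template audit. The following is an added example, not code from the original page: the flag bits and EKU OIDs are the documented AD CS values, while the template records, the `LOW_PRIV` group list and the function names are constructed for illustration (real input would come from an LDAP export of the template objects). It also treats Smart Card Logon, PKINIT and Any Purpose as authentication-capable, which goes slightly beyond the single Client Authentication case in the text.

```python
# Added example: flags templates that meet all four risky conditions at once.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {  # EKUs that allow the certificate to be used for domain authentication
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
# Assumption: groups treated as low-privilege; adjust to the environment.
LOW_PRIV = {"domain users", "authenticated users", "everyone", "domain computers"}

def audit_template(t):
    """Return the risky conditions this template meets (0 to 4 findings)."""
    findings = []
    broad = sorted(p for p in t["enroll_principals"] if p.lower() in LOW_PRIV)
    if broad:
        findings.append("low-privilege enroll: " + ", ".join(broad))
    ekus = [AUTH_EKUS[o] for o in t["pKIExtendedKeyUsage"] if o in AUTH_EKUS]
    if ekus:
        findings.append("authentication EKU: " + ", ".join(ekus))
    if t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester supplies subject/SAN")
    if not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    return findings

def exposed_templates(templates):
    """Names of templates where every condition holds, i.e. the escalation path is open."""
    return [t["name"] for t in templates if len(audit_template(t)) == 4]

# Constructed sample records (hypothetical template names and groups).
TEMPLATES = [
    {"name": "VPNUser-Legacy", "enroll_principals": ["Domain Users"],
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0},
    {"name": "WebServer", "enroll_principals": ["Web Admins"],
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],  # Server Authentication only
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0},
    {"name": "UserAuth-Approved", "enroll_principals": ["Domain Users"],
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2},
]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], "->", audit_template(t) or "no findings")
    print("Exposed:", exposed_templates(TEMPLATES))
```

Templates that meet three of the four conditions are worth reviewing too, since a single later change (for example, dropping manager approval) opens the path.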