Level: Advanced | MITRE ATT&CK: T1649

AD CS Abuse (Certificate Attacks)

Active Directory Certificate Services can issue certificates that work like passwords — misconfigured templates let attackers forge certificates to become Domain Admin.

Active Directory Certificate Services (AD CS) is Microsoft's built-in system for issuing digital certificates. These certificates can be used to log into AD, encrypt emails, and sign code. AD CS was largely ignored by attackers until 2021 when security researchers at SpecterOps published "Certified Pre-Owned," revealing that most AD CS deployments have dangerous misconfigurations. The most common vulnerability (ESC1) allows any user to request a certificate as a Domain Admin by exploiting certificate templates that let the requester specify who the certificate should be issued to. Since certificates are valid for one to two years by default, this attack provides long-lasting access that survives password resets.

Imagine a government passport office where the clerk stamps and signs any application that comes through the door without verifying the applicant's identity. An attacker fills in the application with the Prime Minister's name, gets it stamped, and now has a valid passport as the PM. AD CS works the same way: when certificate templates are misconfigured, any user can request a certificate with someone else's identity — and that certificate authenticates to Active Directory just like a password.


Key Takeaways

  1. A single misconfigured certificate template (ESC1) can give any user Domain Admin access.
  2. Certificates survive password resets and are valid for 1-2 years by default.
  3. ESC8 combined with PetitPotam creates a full chain from unauthenticated access to domain compromise.
  4. Certipy and Certify are the standard tools for auditing and exploiting AD CS.
  5. ESC9-ESC14 expand the attack surface further — weak certificate mapping and OID group links introduce impersonation and privilege escalation paths.
  6. Most organizations have never audited their AD CS templates — the vulnerability rate is extremely high.

Why Should I Care?

AD CS is one of the most underappreciated attack surfaces in Active Directory. SpecterOps found that nearly every organization they tested had at least one exploitable AD CS misconfiguration.

Defense Recommendations

Audit all certificate templates, remove ENROLLEE_SUPPLIES_SUBJECT where not needed, enable EPA on web enrollment, and monitor certificate issuance.

  1. Audit templates immediately: certipy find -vulnerable or Certify.exe find /vulnerable.
  2. Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT from templates that do not require it.
  3. Require manager approval (CT_FLAG_PEND_ALL_REQUESTS) on all templates allowing authentication EKUs.
  4. Enable Extended Protection for Authentication (EPA) on all AD CS web enrollment endpoints to mitigate ESC8 and ESC11.
  5. Set StrongCertificateBindingEnforcement to 2 (Full Enforcement) to mitigate ESC9/ESC10 weak mapping attacks.
  6. Consider disabling the web enrollment endpoint (/certsrv/) entirely if not needed.
  7. Monitor Event IDs 4886/4887 for certificate requests with unusual SubjectAltName values.
  8. Restrict ManageCA and ManageCertificates rights to dedicated CA administrators only.
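The following PowerShell is an added defender-side example, not code from the page's sources or from the Certipy/Certify projects. It does a read-only version of steps 1 through 3 and 5 above: it reads every certificate template from the Configuration partition and flags the ESC1 shape (enrollee supplies the subject, an authentication-capable EKU, and no manager approval or RA signature gating issuance), then checks the KDC's StrongCertificateBindingEnforcement value on the host it runs on. It assumes the RSAT ActiveDirectory module is installed, that the account can read the Configuration naming context, and that the registry check is run on a domain controller. The bit values and OIDs are the documented msPKI-* and EKU definitions; the function names are the author's own.

```powershell
# Added example: read-only audit of AD CS templates for the ESC1 shape,
# plus a check of the KDC certificate-mapping enforcement level.
Import-Module ActiveDirectory

# Bit values from the msPKI-* attribute definitions (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # in msPKI-Enrollment-Flag

# EKU OIDs that let a certificate be used to authenticate to AD
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)

function Get-EscOneCandidate {
    # Hypothetical helper name. Enumerates templates and reports which ones
    # combine attacker-chosen subject + logon EKU + no approval gate.
    $config = (Get-ADRootDSE).configurationNamingContext
    $base   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage, msPKI-RA-Signature |
    ForEach-Object {
        $nameFlag   = [int]$_.'msPKI-Certificate-Name-Flag'
        $enrollFlag = [int]$_.'msPKI-Enrollment-Flag'
        # Drop nulls so a template with no EKU attribute yields an empty list
        $ekus       = @($_.pKIExtendedKeyUsage | Where-Object { $_ })

        $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        # No EKU at all means "any purpose", which also permits authentication
        $authEku         = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
        $needsSignature  = ([int]$_.'msPKI-RA-Signature') -gt 0

        [pscustomobject]@{
            Template        = $_.Name
            SuppliesSubject = $suppliesSubject
            AuthEKU         = $authEku
            ManagerApproval = $needsApproval
            RASignatures    = $needsSignature
            # ESC1 shape: requester picks the subject, cert works for logon, nothing gates issuance.
            # Enrollment permissions (who may enroll) still need a separate ACL review.
            ESC1Candidate   = $suppliesSubject -and $authEku -and -not $needsApproval -and -not $needsSignature
        }
    }
}

function Test-StrongCertificateBinding {
    # Hypothetical helper name. Run on each domain controller.
    # 2 = Full Enforcement (KB5014754), the value step 5 above asks for.
    # A missing value means the DC is on the OS default for its patch level,
    # so it is reported as not explicitly enforced.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $val = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $val
        Enforced = ($val -eq 2)
    }
}

function Get-RecentCertRequestEvent {
    # Hypothetical helper name. Run on the issuing CA, which must have
    # Certification Services auditing enabled for 4886/4887 to be logged.
    # 4886 = request received, 4887 = request approved and issued. The message
    # text is returned for review; what counts as an unusual SAN is site-specific.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887 } -MaxEvents 200 |
        Select-Object TimeCreated, Id, Message
}

# Usage: list ESC1-shaped templates, then the local KDC enforcement level
Get-EscOneCandidate | Where-Object ESC1Candidate |
    Format-Table Template, SuppliesSubject, AuthEKU, ManagerApproval, RASignatures
Test-StrongCertificateBinding
```

The template check deliberately reports the four contributing properties rather than only a verdict, because the usual fix is to clear one of them (remove the subject flag, or add approval) and confirm the row changes. Templates flagged here still need their enrollment ACLs reviewed, since a template only matters if low-privileged principals can enroll in it; that is what the tools in step 1 add on top of this query.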

Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.