
AD CS ESC1 — Certificate Template Abuse

Forging Identity Through Misconfigured Certificates

Exploit a misconfigured certificate template to request a certificate as Domain Admin — no password cracking, no lateral movement, just ask the CA nicely.

Difficulty: Advanced | Time: ~7 min | MITRE ATT&CK: T1649

Prerequisites:
- Any domain user account
- Network access to the Certificate Authority
- Certipy or Certify.exe for enumeration and exploitation
Step 1 of 4: Enumerate Vulnerable Certificate Templates

Step 1: Find Misconfigured Templates

Certipy scans all certificate templates and identifies dangerous misconfigurations. The "UserVPN" template is vulnerable to ESC1 — the most critical AD CS attack.

We are checking the "certificate templates" — think of them as forms for requesting ID badges. We found a form that lets anyone write in any name they want, and the badge office stamps it without checking.
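To make the badge-office analogy concrete, here is an added audit script (example code written for this page, not from the page itself, from Certipy, or from Microsoft) that checks exported template attributes for the conditions that together make a template ESC1-exploitable and phrases each one as the setting to change. The dictionary layout of a template record and the sample templates are assumptions; "UserVPN" mirrors the vulnerable template named above, and the bit values and OIDs are the documented msPKI schema constants.

```python
"""Audit AD CS certificate templates for the ESC1 misconfiguration.

Added example, not code from the page, from Certipy or from Microsoft: it
checks exported template attributes against the conditions that together
make a template ESC1-exploitable and reports which setting to change.
Template records are constructed sample data in an assumed dict layout;
"UserVPN" mirrors the vulnerable template named on the page.
"""

# Bit values and OIDs from the Microsoft PKI schema (msPKI-* attributes).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# EKUs that let the resulting certificate authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Principals whose Enroll right means "any domain user can enroll" (constructed list).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

ESC1_CONDITION_COUNT = 5


def esc1_findings(tpl):
    """Return the ESC1 conditions a template satisfies, each phrased as the fix.

    A template is exploitable only when every condition holds, so a single
    fix (manager approval is usually the least disruptive) removes the issue.
    """
    findings = []
    if tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("requester supplies the subject: clear ENROLLEE_SUPPLIES_SUBJECT")
    if not tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval: set PEND_ALL_REQUESTS")
    ekus = set(tpl["ekus"])
    if not ekus or ekus & AUTH_EKUS:
        findings.append("authentication EKU (or no EKU restriction): remove Client Auth / Any Purpose")
    if set(tpl["enroll_principals"]) & LOW_PRIV_PRINCIPALS:
        findings.append("low-privileged principals hold Enroll: restrict the Enroll ACE")
    if tpl["authorized_signatures"] == 0:
        findings.append("no enrollment-agent signature required: require an authorized signature")
    return findings


def is_esc1_vulnerable(tpl):
    """True only when all ESC1 conditions hold at once."""
    return len(esc1_findings(tpl)) == ESC1_CONDITION_COUNT


def audit(templates):
    """Map template name -> (vulnerable, findings) for a list of template records."""
    return {t["name"]: (is_esc1_vulnerable(t), esc1_findings(t)) for t in templates}


# Constructed sample export (values chosen to illustrate each outcome).
SAMPLE_TEMPLATES = [
    {"name": "UserVPN", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"],
     "authorized_signatures": 0},
    {"name": "UserVPN-Approved", "name_flag": 0x1, "enrollment_flag": 0x2,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"],
     "authorized_signatures": 0},
    {"name": "WebServer", "name_flag": 0x1, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll_principals": ["Domain Admins"],
     "authorized_signatures": 0},
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"],
     "authorized_signatures": 0},
]

if __name__ == "__main__":
    for name, (vuln, findings) in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'ESC1 VULNERABLE' if vuln else 'ok'}")
        for f in findings:
            print(f"  - {f}")
```

Only "UserVPN" trips all five conditions; "UserVPN-Approved" shows that adding manager approval alone is enough to close ESC1 without touching the template's name flags or EKUs, which is why it is the usual first remediation.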

Detection Events: Windows Security Event ID 4886 (Certificate request received)

Attack Flow (diagram): Attacker (jsmith) -> CORP-CA, with DC01 in the environment; step shown: Find vulnerable template. Legend: Request, Response, Attack, Data.
Sources

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.