By Ethan Hudson, Structured Senior Security Engineer —
Active Directory Certificate Services (AD CS) is a powerful enterprise Public Key Infrastructure (PKI) implementation leveraged by many organizations to issue and manage digital certificates. While AD CS can be a cornerstone for authentication, encryption, and overall network trust, misconfigurations in certificate templates and related services can expose dangerous privilege escalation vectors.
Understanding AD CS Privilege Escalation: Deep Dive into ESC1, ESC6 and ESC8
This post will examine three commonly exploited AD CS misconfigurations referred to as ESC1, ESC6 and ESC8. Throughout the post you will learn about their impact, attack paths, and actionable recommendations for prevention. These vulnerabilities are regularly abused by threat actors to gain Domain Administrative privileges from a low-privileged user or computer account.
Why AD CS Misconfigurations Are So Dangerous
Commonly, in an Active Directory environment, privilege escalation requires multiple chained vulnerabilities or user missteps. However, a poorly configured AD CS environment can collapse these barriers entirely. A single misconfigured certificate template or authority can enable a threat actor to request a certificate that grants them authentication as any user, including Domain Administrators, without triggering immediate detection.
Once issued, these certificates can be used with tools such as Certipy to request Kerberos tickets or perform pass-the-certificate attacks, effectively bypassing traditional credential protections and persistence controls.
ESC1: Misconfigured Certificate Templates with Dangerous Enrollment Rights
The Issue
ESC1 occurs when a certificate template allows enrollment by a broad group that contains low-privileged users and also carries settings that enable authentication as arbitrary accounts. The dangerous combination is a template configured with the Client Authentication Extended Key Usage (EKU) together with the ENROLLEE_SUPPLIES_SUBJECT flag. That flag allows the certificate requester to specify a Subject Alternative Name (SAN), effectively choosing which account the certificate authenticates as.
Attack Path
1. A threat actor compromises a low-privileged account. Following this compromise, they can identify vulnerable templates (via ‘Certipy find’) whose enrollment rights include a group of which the compromised user is a member.

2. In this example, the broad group is “Domain Computers.” To obtain a computer account, the threat actor can create a new domain computer with the compromised user as long as the Machine Account Quota (MAQ) value is greater than 0.

3. With access to a computer account, the threat actor requests a certificate with the SAN set to a privileged account, such as “administrator@structured.com.”

4. Once issued, the threat actor authenticates as the privileged account, gaining administrative access.

Suggested Remediation
- Remove ENROLLEE_SUPPLIES_SUBJECT from any template accessible to non-privileged users.
- Restrict enrollment permissions to secure groups that require them.
- Review EKUs and remove Client Authentication unless explicitly necessary.
- Routinely audit existing templates with tools such as Certipy for potential misconfigurations.
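The audit described in the remediation list, as an added example that is not code from the original post: it enumerates templates in the Configuration partition and reports those that combine ENROLLEE_SUPPLIES_SUBJECT, an authentication EKU and enrollment rights for a broad group. It goes one step beyond the three conditions listed above by also excluding templates that require manager approval or authorized signatures, since those block hands-off issuance. It assumes the RSAT ActiveDirectory module on a domain-joined host; the $broadGroups list is an assumption to adjust per environment.

```powershell
# Added example, not from the original post: list templates matching the ESC1 pattern.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

# Certificate-Enrollment control access right
$enrollRight = [guid]'0e10c968-78fb-11d1-a9c0-0000f80367c1'
# EKUs that let a certificate authenticate to AD:
# Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose
$authEkus    = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0')
# Groups treated as "broad" for this audit (assumption; adjust to your domain)
$broadGroups = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
         'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
Get-ADObject -SearchBase $tplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
  ForEach-Object {
    $tpl = $_
    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is bit 0x1 of msPKI-Certificate-Name-Flag
    $suppliesSubject = ([int]$tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
    # CT_FLAG_PEND_ALL_REQUESTS (0x2) = manager approval; msPKI-RA-Signature > 0 = authorized signatures.
    # Either one stops automatic issuance, so such templates are not reported as ESC1.
    $needsApproval = (([int]$tpl.'msPKI-Enrollment-Flag' -band 0x2) -ne 0) -or ([int]$tpl.'msPKI-RA-Signature' -gt 0)
    # An empty EKU list means "any purpose", which also covers client authentication
    $ekus    = @($tpl.pKIExtendedKeyUsage | Where-Object { $_ })
    $authEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $authEkus -contains $_ }).Count -gt 0)

    # Principals allowed to enroll: Allow ACEs granting GenericAll, or ExtendedRight for Enroll / all rights
    $enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
          $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
          ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
           ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty))
        )
      } | ForEach-Object { $_.IdentityReference.Value }
    $broadEnrollers = @($enrollers | Where-Object { ($_ -split '\\')[-1] -in $broadGroups })

    if ($suppliesSubject -and $authEku -and -not $needsApproval -and $broadEnrollers.Count -gt 0) {
      $ekuText = if ($ekus.Count) { $ekus -join ', ' } else { '(none: any purpose)' }
      [pscustomobject]@{
        Template       = $tpl.Name
        BroadEnrollers = $broadEnrollers -join ', '
        EKUs           = $ekuText
        Finding        = 'ESC1 candidate: ENROLLEE_SUPPLIES_SUBJECT + authentication EKU + broad enrollment rights'
      }
    }
  }
```

Each reported template should have the flag removed or its enrollment ACL tightened as described in the list above; templates whose only "broad" enroller is a group you consider trusted can be excluded by editing $broadGroups.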
ESC6: Vulnerable Certificate Authority Access Control
The Issue
ESC6 occurs when three factors line up:
- The CA is configured to auto-issue requests (request disposition set to Issue),
- The Certificate Authority (CA) has the user-supplied SAN flag (EDITF_ATTRIBUTESUBJECTALTNAME2) enabled,
- An over-permissive group or low-privileged user is granted enrollment rights.
In that configuration, a low-privileged user can request a certificate that names (via the SAN) an arbitrary account, including privileged accounts. The CA will automatically issue it without human approval. The result is immediate, hands-off issuance of certificates that can be used for authentication as the targeted account.
How This Differs From, and Why It’s Similar To, ESC1
ESC6 is closely related to ESC1: both rely on a user being able to supply a SAN and having enrollment rights. The key difference is that ESC6 abuses CA-level auto-issuance rather than a vulnerable template. Because the behavior applies CA-wide, exploitation is faster and more scalable.
Attack Path
1. A threat actor compromises a low-privileged account. Following this compromise, they can identify vulnerable Certificate Authorities (via ‘Certipy find’) whose enrollment rights include a group of which the compromised user is a member.

2. The threat actor requests a certificate with the SAN set to a high-privilege account, such as “administrator@structured.com.”

3. Because the CA’s request disposition is set to Issue, the request is automatically issued with no administrative intervention.

4. Once issued, the threat actor authenticates as the privileged account, gaining administrative access.

Suggested Remediation
- Avoid setting request disposition to Issue for Certificate Authorities that are reachable by non-privileged users.
- Configure Issuance Requirements to ensure that requests are manually validated and approved.
- Remove user-supplied SAN options from Certificate Authorities that contain non-privileged users in the enrollees.
- Routinely audit existing templates with tools such as Certipy for potential misconfigurations.
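The CA-side check for the three ESC6 factors, as an added example that is not code from the original post: it reads the active CA's policy-module settings from the registry, reports whether user-supplied SANs are honoured and whether requests are issued automatically, and (only when $applyFix is set) clears the SAN flag as the remediation list recommends. It assumes it runs on the CA host as a local administrator; enrollment rights on the CA itself are not read here.

```powershell
# Added example, not from the original post: ESC6 check on the CA host (run as administrator).
$applyFix = $false   # set to $true to remove the user-supplied SAN flag

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$policy = Join-Path $base "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # CA honours "san:" attributes on any request
$REQDISP_ISSUE        = 0x1                    # low byte of RequestDisposition: issue at once
$REQDISP_PENDINGFIRST = 0x100                  # hold every request for manager approval

$p = Get-ItemProperty -Path $policy -Name EditFlags, RequestDisposition
$userSuppliedSan = ($p.EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
$autoIssue       = (($p.RequestDisposition -band 0xFF) -eq $REQDISP_ISSUE) -and
                   (($p.RequestDisposition -band $REQDISP_PENDINGFIRST) -eq 0)

[pscustomobject]@{
  CA              = $caName
  UserSuppliedSAN = $userSuppliedSan
  AutoIssue       = $autoIssue
  ESC6            = $userSuppliedSan -and $autoIssue   # plus broad enrollment rights on the CA
}

# Remediation: clear the flag (same effect as
# certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2) and restart the service,
# because policy-module registry values are read when CertSvc starts.
if ($applyFix -and $userSuppliedSan) {
  $newFlags = $p.EditFlags -band (-bnot $EDITF_ATTRIBUTESUBJECTALTNAME2)
  Set-ItemProperty -Path $policy -Name EditFlags -Value $newFlags
  Restart-Service -Name CertSvc
}
```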
ESC8: NTLM Relay Attacks in AD CS Enrollment
The Issue
ESC8 targets a CA that is configured to auto-issue requests (request disposition set to Issue) and has Web Enrollment endpoints enabled. With these endpoints available, threat actors can perform NTLM relay attacks to request certificates for domain users and computers, including Domain Controllers.
Attack Path
1. A threat actor compromises a low-privileged account. Following this compromise, they can identify vulnerable Certificate Authorities (via ‘Certipy find’) that have Web Enrollment enabled and Request Disposition set to Issue.

2. The threat actor sets up an NTLM relay against the vulnerable web enrollment endpoint.

3. The victim is coerced into authenticating (e.g., via SMB or HTTP requests). Commonly, coercion attacks are performed against highly privileged Domain Controllers.

4. The relayed authentication is used to request a Client Authentication certificate for the coerced account, allowing the threat actor to retrieve a valid certificate for the Domain Controller.

5. Once issued, the threat actor authenticates as the Domain Controller and performs a Delegation Attack to escalate privileges of a controlled account. In this example, the Domain Controller is used to create a new computer account, and Delegation Rights are applied which allow the created account to impersonate any user in the domain.

6. With rights modified, the threat actor impersonates a privileged account, gaining administrative access.

Suggested Remediation
- Avoid setting request disposition to Issue for Certificate Authorities that are reachable by non-privileged users.
- Configure Issuance Requirements to ensure that requests are manually validated and approved.
- Enforce Extended Protection for Authentication (EPA) and require SSL on all AD CS web enrollment endpoints.
- Disable web enrollment if not strictly required.
- If web enrollment is required, segment the network so that only the administrative hosts that need it can reach the enrollment interfaces.
- Consider disabling NTLM in favor of Kerberos where possible.
- Routinely audit existing templates with tools such as Certipy for potential AD CS misconfigurations.
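The EPA and SSL checks from the remediation list, as an added example that is not code from the original post: it inspects the CertSrv site's Windows authentication, Extended Protection and SSL settings, reports whether the endpoint is still relayable, and applies the Require/SSL hardening when $applyFix is set. It assumes the IIS WebAdministration module on the web enrollment host and the default site path "Default Web Site/CertSrv".

```powershell
# Added example, not from the original post: ESC8 exposure check for the CertSrv site (run as administrator).
Import-Module WebAdministration
$applyFix = $false
$site     = 'IIS:\Sites\Default Web Site\CertSrv'   # assumed default install path

if (-not (Test-Path $site)) {
  Write-Output 'CertSrv web enrollment is not installed on this host; nothing to relay to here.'
  return
}

$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
$winAuth = (Get-WebConfigurationProperty -PSPath $site -Filter $authFilter -Name enabled).Value
$epa     = (Get-WebConfigurationProperty -PSPath $site -Filter "$authFilter/extendedProtection" -Name tokenChecking).Value
$ssl     = (Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' -Name sslFlags).Value

# tokenChecking: None (0) / Allow (1) / Require (2); sslFlags is a flags enum where Ssl = 8.
# The provider may return either the name or the number, so both forms are accepted.
$epaRequired = "$epa" -in @('Require', '2')
$sslRequired = ("$ssl" -match 'Ssl') -or (($ssl -is [int]) -and (($ssl -band 8) -ne 0))

[pscustomobject]@{
  WindowsAuthEnabled = [bool]$winAuth
  ExtendedProtection = "$epa"
  RequireSSL         = $sslRequired
  # NTLM over this endpoint can be relayed unless EPA is enforced and the channel is TLS
  ESC8Exposed        = [bool]$winAuth -and -not ($epaRequired -and $sslRequired)
}

if ($applyFix) {
  # EPA binds the NTLM exchange to the TLS channel, so SSL must be required as well
  Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
  Set-WebConfigurationProperty -PSPath $site -Filter "$authFilter/extendedProtection" -Name tokenChecking -Value 'Require'
}
```

Clients must then reach the endpoint over HTTPS with a certificate they trust, so verify enrollment from an administrative host after applying the change.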
Defensive Checklist
Whether you suspect you may be vulnerable or are hardening proactively, the following actions reduce risk significantly:
- Audit all certificate templates for dangerous combinations of enrollment permissions, EKUs, and Subject Name flags.
- Routinely review CA ACLs to ensure only PKI administrators hold privileged rights.
- Harden AD CS web services by enforcing SSL, EPA, and limiting exposure.
- Implement certificate issuance monitoring and manual intervention to detect unusual requests, especially for high-privilege accounts.
- Maintain separation of duties between PKI administration and general Active Directory administration.
Final Thoughts
AD CS misconfigurations such as ESC1, ESC6 and ESC8 represent some of the most direct and impactful privilege escalation vectors in Active Directory environments. Since certificates can grant long-lived, stealthy access, these attacks are particularly valuable to advanced adversaries and dangerous to defenders.
Prevention and mitigation are straightforward once these configurations are understood and monitored. By frequently auditing templates, securing CA permissions, and restricting network access to Certificate Services endpoints, organizations can close off these privilege escalation paths and preserve the trust their PKI is designed to provide.
Need help guarding against vulnerabilities in your Active Directory environment? Contact your account manager or email info@structured.com today.
About the Author
Ethan Hudson is an accomplished penetration tester with a proven track record of uncovering security vulnerabilities across a wide range of environments. With extensive experience in red teaming, social engineering campaigns, external, internal, web application, mobile application, wireless, and physical penetration testing, Ethan has honed his ability to simulate real-world attack scenarios that help organizations identify and address their most critical security risks. His technical expertise is matched by a strategic mindset, ensuring that engagements provide not only actionable findings but also meaningful insight into strengthening an organization’s overall security posture.
His work bridges the gap between offensive security and long-term resilience, helping clients build defenses that withstand both current and emerging threats. Ethan’s passion for cybersecurity extends beyond assessments. He is committed to knowledge sharing, continuous learning, and advancing best practices that protect businesses in an increasingly complex threat landscape.
