Active Directory Certificate Services (ADCS) is Microsoft’s public key infrastructure implementation for Windows domains. It handles certificate issuance for everything from user authentication to encrypted communications. It has also become one of the most reliably exploitable attack paths in Windows environments, thanks to a class of misconfigurations that are common, well-documented, and still being found in organisations that have not specifically reviewed their setup.
The research that brought ADCS attacks to mainstream security attention, the SpecterOps "Certified Pre-Owned" paper that introduced the ESC1 to ESC8 naming, was published in 2021. Several years on, the misconfigurations it described are still commonly found in enterprise Active Directory environments, largely because ADCS is deployed once and seldom revisited.
What Makes ADCS Dangerous
Certificate templates define the parameters for certificates that the certification authority can issue: who may enrol, what the subject looks like, what the certificate can be used for, and whether a person has to approve the request. When templates are misconfigured, they can be abused to request certificates that allow authentication as any user in the domain, including domain administrators. The attack requires only an ordinary low-privileged domain account to initiate.
The most commonly exploited misconfiguration, known as ESC1, is a template that lets the requester supply the subject (the ENROLLEE_SUPPLIES_SUBJECT flag), carries an EKU usable for domain authentication (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all), needs no manager approval or authorised signatures, and grants enrolment rights to a broad group. An attacker can request a certificate whose Subject Alternative Name contains a privileged user's UPN and then authenticate as that user with the issued certificate. No password is required, no account lockout is triggered, and the certificate remains valid for its full lifetime, typically a year or more, regardless of later password changes.
How Privilege Escalation Happens
The practical attack chain is straightforward. An attacker with any domain user credentials enumerates certificate templates, which are readable by every authenticated user in the Configuration partition, using freely available tooling such as Certify or Certipy. They identify templates vulnerable to ESC1 or related misconfigurations. They request a certificate from a CA that publishes the template, specifying a domain administrator's UPN in the SAN. They use that certificate with Kerberos PKINIT to authenticate as the administrator and obtain a Ticket-Granting Ticket, and from there the usual Kerberos tooling carries them on as that account.
The entire process takes minutes. The attack leaves minimal forensic evidence in default configurations: CA auditing is not enabled by default, so the request and issuance are recorded only in the CA database, and the domain controller logs the resulting TGT request (Event ID 4768, pre-authentication type 16) exactly as it would a legitimate smart-card logon. Without additional monitoring in place, standard domain controller logs do not reliably distinguish a legitimate certificate authentication from an abused one.
Detection and Defensive Posture
Internal network penetration testing that includes ADCS enumeration is the most direct way to identify whether your environment is vulnerable. Many organisations are surprised to discover that their certificate services, deployed years ago and rarely reviewed since, contain exploitable templates.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“ADCS vulnerabilities are consistently among the most impactful findings in our internal network assessments. A misconfigured certificate template can take a standard domain user to domain admin in minutes, and most organisations have no detection capability for the attack path. It is well-documented, and yet it keeps appearing.”
Remediation Priorities
Reviewing certificate template configurations is the starting point. Any published template that lets the enrollee supply the subject, that carries an authentication-capable EKU, that requires neither manager approval nor an authorised signature, and that grants enrolment rights to broad groups such as Domain Users, Authenticated Users or Domain Computers should be treated as a priority finding. The fix is to remove the enrollee-supplies-subject flag (let the CA build the subject from Active Directory), or to restrict enrolment to the specific group that needs the template, or to require manager approval; unpublishing templates nobody uses is also worthwhile.
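The ESC1 conditions described under "What Makes ADCS Dangerous" and the template review recommended here are the same check performed from opposite sides, so the following added example (not code from the original article or from any of the tools it mentions) covers both. It evaluates template objects against the real template-schema constants (msPKI-Certificate-Name-Flag bit 0x1, msPKI-Enrollment-Flag bit 0x2, msPKI-RA-Signature, the pKIExtendedKeyUsage OIDs). In a real review those attributes are read from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,... and the enrolment principals are resolved from the template's security descriptor; here the four templates, their attribute values, and the `Template` dataclass are constructed for the example.

```python
"""Flag certificate templates that meet every ESC1 condition.

Template attribute values below are constructed sample data; in practice they are
read from the Configuration naming context (LDAP) and the CA's certificateTemplates list.
"""
from dataclasses import dataclass, field

# Real ADCS template-schema constants.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag: manager approval

# EKU OIDs that make an issued certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}

# Groups that effectively mean "any domain account" (constructed list; extend per environment).
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone", "Users"}


@dataclass
class Template:
    name: str
    name_flag: int                  # msPKI-Certificate-Name-Flag
    enrollment_flag: int            # msPKI-Enrollment-Flag
    ra_signatures: int              # msPKI-RA-Signature (required authorised signatures)
    ekus: list                      # pKIExtendedKeyUsage OIDs
    enroll_principals: set          # principals holding the Certificate-Enrollment right
    published: bool                 # listed in some CA's certificateTemplates attribute


def allows_auth(ekus):
    """An empty EKU list is not 'no usage': it means unrestricted usage, which includes auth."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_conditions(t):
    """Return each ESC1 condition and whether the template satisfies it. All must hold."""
    return {
        "enrollee supplies subject": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorised signatures": t.ra_signatures == 0,
        "authentication EKU": allows_auth(t.ekus),
        "low-privileged enrolment": bool(t.enroll_principals & LOW_PRIV_PRINCIPALS),
        "published on a CA": t.published,
    }


def is_esc1(t):
    return all(esc1_conditions(t).values())


def review(templates):
    """Names of templates that are exploitable via ESC1, in input order."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed sample templates. The default 'User' template's real name flag is 0xA6000000
# (subject built from AD, bit 0 clear); the rest are invented to show each blocking condition.
SAMPLE_TEMPLATES = [
    Template("VulnUserTemplate", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}, True),
    Template("User", 0xA6000000, 0x29, 0, ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"], {"Domain Users"}, True),
    Template("ApprovedAdminCert", 0x1, 0x2, 0, [], {"Domain Users"}, True),           # manager approval set
    Template("WebServer", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], {"Domain Admins"}, True),  # server auth, admin-only
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        failed = [c for c, ok in esc1_conditions(t).items() if not ok]
        print(f"{t.name}: {'ESC1' if not failed else 'ok, blocked by: ' + ', '.join(failed)}")
```

Note that `ApprovedAdminCert` has no EKU at all and still fails ESC1 only because manager approval is set; remove that one flag and it becomes exploitable, which is why a review should print every condition rather than a single verdict.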
Enabling Certificate Authority auditing and forwarding the resulting events to a SIEM creates detection capability for certificate abuse. CA auditing has to be switched on explicitly (the Certification Services subcategory of Object Access auditing on the CA host, plus the CA's own audit filter via certutil -setreg CA\AuditFilter 127) before events such as 4886 (request received), 4887 (certificate issued) and 4898 (template loaded) appear at all. Monitoring for unusual certificate requests, particularly issued certificates whose subject or alternative name does not match the account that requested them, or that name a privileged account, provides an early warning mechanism; correlating those with domain controller Event ID 4768 entries showing a certificate-based (PKINIT) TGT request for the named account confirms that the certificate was actually used.
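The correlation described above, as an added example rather than code from the original article: it runs over constructed records rather than live logs. The CA-side records are a simplified view of what the CA database holds for each issued certificate (request ID, requester, template, SAN UPN; the field names are this example's own, not the literal 4887 event schema), and the DC-side lines are constructed 4768 events in a key=value form; the pre-authentication type value 16 (PA-PK-AS-REQ) is the real indicator that a TGT was obtained with a certificate. The privileged-account list is a placeholder for whatever the environment feeds in.

```python
"""Detect certificate issuance where the requester does not match the identity in the SAN,
then confirm whether that identity went on to obtain a TGT with a certificate (PKINIT).

All records and events below are constructed for the example.
"""
import re

# Constructed view of issued certificates (in practice: CA database / Event ID 4887 plus the cert's SAN).
ISSUED = [
    {"request_id": 301, "requester": "CORP\\jdoe", "template": "User", "san_upn": "jdoe@corp.local"},
    {"request_id": 302, "requester": "CORP\\jdoe", "template": "VulnUserTemplate", "san_upn": "administrator@corp.local"},
    {"request_id": 303, "requester": "CORP\\WS01$", "template": "Machine", "san_upn": None},
]

# Constructed domain controller events. 4768 = Kerberos TGT requested; PreAuthType 16 = PA-PK-AS-REQ (PKINIT).
DC_EVENTS = [
    "EventID=4768 TargetUserName=jdoe PreAuthType=2 IpAddress=10.0.0.21",
    "EventID=4768 TargetUserName=administrator PreAuthType=16 IpAddress=10.0.0.21",
    "EventID=4769 TargetUserName=administrator ServiceName=cifs/fs01",   # service ticket, not a TGT; ignored
]

PRIVILEGED = {"administrator", "krbtgt"}   # placeholder; feed Domain Admins etc. in a real deployment
PKINIT_PREAUTH = "16"


def account_of(requester):
    """'CORP\\jdoe' -> 'jdoe'; computer accounts keep their trailing '$' so they never match a UPN."""
    return requester.split("\\")[-1].lower()


def issuance_alerts(records):
    """Issued certificates whose SAN UPN names an account other than the requester."""
    alerts = []
    for r in records:
        if not r["san_upn"]:
            continue                                    # subject built from AD, nothing to compare
        target = r["san_upn"].split("@")[0].lower()
        if target == account_of(r["requester"]):
            continue                                    # normal self-enrolment
        alerts.append({
            "request_id": r["request_id"],
            "requester": r["requester"],
            "template": r["template"],
            "target": target,
            "severity": "high" if target in PRIVILEGED else "medium",
            "tgt_obtained": False,
        })
    return alerts


def parse_events(lines):
    """Turn 'k=v k=v' lines into dicts; a real pipeline would read the XML/JSON event instead."""
    return [dict(re.findall(r"(\w+)=(\S+)", line)) for line in lines]


def correlate(alerts, events):
    """Mark an alert confirmed when the SAN identity obtained a TGT using a certificate."""
    pkinit_users = {
        e["TargetUserName"].lower()
        for e in events
        if e.get("EventID") == "4768" and e.get("PreAuthType") == PKINIT_PREAUTH
    }
    for a in alerts:
        a["tgt_obtained"] = a["target"] in pkinit_users
    return alerts


if __name__ == "__main__":
    for a in correlate(issuance_alerts(ISSUED), parse_events(DC_EVENTS)):
        print(f"[{a['severity']}] request {a['request_id']}: {a['requester']} obtained a certificate "
              f"for '{a['target']}' via {a['template']}; certificate TGT seen: {a['tgt_obtained']}")
```

The requester/SAN mismatch is the primary signal and fires at issuance, before any authentication happens; the 4768 correlation only raises confidence. Legitimate exceptions (enrolment agents, service accounts that request certificates on behalf of others) should be allow-listed by requester and template rather than by suppressing the rule.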
If your internal environment has not been assessed for ADCS vulnerabilities, getting a penetration test quote that explicitly includes ADCS review is a practical next step. The attack path is well-understood and remediable once the vulnerable templates are identified.