Paintou
2026-05-21

7 Critical AD CS Escalation Techniques Every Defender Must Know

Learn 7 key AD CS escalation techniques, from template misconfigurations to shadow credentials, with behavioral detection tips for defenders.

Active Directory Certificate Services (AD CS) is a tempting target because the certificates it issues are credentials: a certificate whose extended key usage permits client authentication can be exchanged for a Kerberos TGT through PKINIT, and that TGT carries whatever identity the certificate names. Organizations deploy AD CS for authentication, encryption and digital signatures, yet a single misconfiguration can take an attacker from standard user to domain administrator. This listicle breaks down seven items: the template and access-control misconfigurations numbered ESC1 through ESC5 in SpecterOps' "Certified Pre-Owned" research, the shadow credential attack (which abuses a key-trust attribute on the account rather than a template and has no ESC number), and the behavioral detections that cover all of them. Each item explains the weakness, how it is exploited, and what defenders should check. Understanding these attack paths is the first step to building robust behavioral detection and protecting your Active Directory environment.

1. Template Misconfigurations: The Classic ESC1 Attack

ESC1 is the best-known AD CS escalation technique, and it needs four conditions to line up on one template. The template's extended key usage (EKU) permits domain authentication: Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all. The "Supply in the request" option (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag) lets the enrollee choose the subject and the subject alternative name (SAN). Low-privileged principals such as Domain Users or Authenticated Users hold the Enroll right on the template and on the CA that publishes it. And the request is issued immediately, with no CA certificate manager approval and no authorized signatures required. A low-privileged user then requests a certificate with the SAN set to a domain administrator's UPN, and the CA issues a certificate that cryptographically vouches for that identity. Used for Kerberos PKINIT authentication, it yields a TGT for the administrator; Rubeus and Certipy will also turn that TGT into the account's NT hash via user-to-user (U2U) Kerberos. Defenders must audit templates for an authentication-capable EKU combined with the "Supply in the request" flag. Clearing that flag, requiring manager approval, and restricting enrollment to the principals that genuinely need it are the critical mitigations. Since the May 2022 strong certificate mapping changes (KB5014754), a patched CA also embeds the requester's SID in issued certificates, and domain controllers in full enforcement mode reject a certificate whose SAN does not match that SID, which closes the classic ESC1 path on its own; check which enforcement mode your domain controllers are in before relying on it.

7 Critical AD CS Escalation Techniques Every Defender Must Know
Source: unit42.paloaltonetworks.com

2. Any Purpose and No-EKU Templates (ESC2)

ESC2 is ESC1's sibling: the template carries the Any Purpose EKU (OID 2.5.29.37.0) or defines no EKU at all, is enrollable by low-privileged principals, and issues without approval or signatures. An Any Purpose certificate is accepted for client authentication exactly like an explicit Client Authentication EKU, so if the template also lets the enrollee supply the subject it is simply ESC1; without that flag the certificate still authenticates as the requester and, because its usage is unconstrained, is accepted by every other system that trusts the CA, from code signing to server authentication. A certificate with no EKU is not accepted for PKINIT, but it behaves like an enrollment-agent certificate and can be used to request certificates on behalf of other users, which is the ESC3 path below. Detection: alert on issuance events (4887) from templates whose EKU list is Any Purpose or empty, and keep an inventory of such templates. The fix is to give every published template an explicit, minimal EKU list and to remove low-privileged enrollment rights from any template that must remain unrestricted.

3. Enrollment Agent Abuse (ESC3)

ESC3 abuses the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1), which lets its holder request certificates on behalf of other users; it is how smart-card enrollment stations work. The attack needs two templates. First, a template that issues Certificate Request Agent certificates is enrollable by low-privileged users without approval. Second, a template that permits domain authentication accepts enrollment on behalf of someone else: either a schema version 1 template, or one that requires exactly one authorized signature whose application policy is Certificate Request Agent. The attacker enrolls in the first, signs a request for the second in the name of a domain administrator, and receives a certificate for that account. The control that limits which agents may act for which users and templates is the Enrollment Agents tab in the CA's properties, and by default no restriction is configured. To defend, restrict enrollment in agent templates to the accounts that actually run enrollment stations, configure enrollment agent restrictions on the CA, require manager approval for agent certificates, and monitor 4886/4887 for issuance where the requester is not the subject of the certificate and is not a sanctioned agent.

4. Overly Permissive Access Control (ESC4)

ESC4 happens when a low-privileged principal holds write rights on a certificate template object: GenericAll, GenericWrite, WriteOwner, WriteDacl, or WriteProperty on the template's attributes. With those rights the attacker rewrites the template into an ESC1 configuration (set the "Supply in the request" flag, add Client Authentication to the EKU list, clear the approval and signature requirements), enrolls, and can then restore the original settings so that a point-in-time review sees nothing wrong. Templates are objects under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration in the Configuration naming context, so changes are Directory Service events, not CA events: enable object-access auditing on that container and watch event 5136 (directory service object modified) for writes to msPKI-* and pKIExtendedKeyUsage attributes. The CA itself logs 4899 (template updated) and 4900 (template security updated) when it reloads a changed template. Regularly reviewing template ACLs with tools like ADSI Edit or BloodHound is vital; Domain Users, Domain Computers, Authenticated Users and Everyone should hold nothing beyond Read and, where intended, Enroll.

5. Domain Escalation via PKI Object Permissions (ESC5)

ESC5 extends the same access-control weakness beyond templates to the PKI objects every domain member trusts: the CA server's computer object (local administrator on the CA host means control of the CA and its private key), the CA's own object under CN=Enrollment Services, the CN=NTAuthCertificates object, the CN=Certification Authorities and CN=AIA containers, and the CN=Certificate Templates container, all under CN=Public Key Services in the Configuration naming context. Write access to any of these lets an attacker add a CA certificate that domain controllers will accept for PKINIT, or publish templates of their own choosing on the CA, so the resulting certificates are trusted domain-wide. Mitigation requires strict ACLs on these objects (Enterprise Admins and the CA host's computer account are the only principals that normally need write access), treating the CA host as a Tier 0 asset, enabling CA auditing, and monitoring 4768 TGT requests whose Certificate Information names an issuer other than your known CAs.
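The conditions in items 1 through 5 are mechanical enough to check in code. The following auditor is an added example written for this article; it is not code from Certify, Certipy, BloodHound or any other tool, and it runs offline over constructed template records rather than a live directory. It uses the real schema attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-RA-Application-Policies, pKIExtendedKeyUsage) and their real bit values and OIDs, but simplifies each object's DACL to a list of (SID, right-name) entries as ADSI Edit or BloodHound would display them; the domain SID, template names and ACLs are invented. In production you would fill the same records from an LDAP query of the Certificate Templates and Enrollment Services containers, and remember that ESC1 through ESC3 additionally require the template to be published on a CA where low-privileged users hold the CA-level Enroll right.

```python
"""Offline AD CS misconfiguration audit for ESC1-ESC5 (added example, not tool code)."""
from dataclasses import dataclass, field

# Bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (AD CS schema values).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # "Supply in the request"
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # "CA certificate manager approval"

# EKU OIDs (pKIExtendedKeyUsage) that matter for domain authentication and agents.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT, EKU_SMARTCARD_LOGON, EKU_ANY_PURPOSE}

# Rights that let a principal rewrite an object, named as ADSI Edit / BloodHound show them.
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}
EVERYONE, AUTHENTICATED_USERS = "S-1-1-0", "S-1-5-11"
DOMAIN = "S-1-5-21-1000000001-2000000002-3000000003"   # constructed domain SID


@dataclass
class Ace:
    sid: str
    rights: frozenset


@dataclass
class Template:
    name: str
    ekus: list                  # pKIExtendedKeyUsage
    acl: list                   # simplified DACL: list of Ace
    name_flag: int = 0          # msPKI-Certificate-Name-Flag
    enrollment_flag: int = 0    # msPKI-Enrollment-Flag
    ra_signatures: int = 0      # msPKI-RA-Signature
    ra_app_policies: list = field(default_factory=list)  # msPKI-RA-Application-Policies


def is_low_priv(sid: str) -> bool:
    """Everyone, Authenticated Users, Domain Users (RID 513) or Domain Computers (RID 515)."""
    return sid in (EVERYONE, AUTHENTICATED_USERS) or sid.endswith(("-513", "-515"))


def low_priv_has(acl, rights) -> bool:
    """True if any low-privileged principal holds at least one of the given rights."""
    return any(is_low_priv(a.sid) and a.rights & rights for a in acl)


def allows_domain_auth(ekus) -> bool:
    # An empty EKU list is unconstrained, so it counts as authentication-capable here.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def check_template(t: Template) -> list:
    findings = []
    enrollable = low_priv_has(t.acl, {"Enroll", "GenericAll"})
    needs_approval = bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
    if enrollable and not needs_approval and t.ra_signatures == 0:
        if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_domain_auth(t.ekus):
            findings.append("ESC1")
        if not t.ekus or EKU_ANY_PURPOSE in t.ekus:
            findings.append("ESC2")
        if EKU_CERT_REQUEST_AGENT in t.ekus:
            findings.append("ESC3-agent")      # hands out Certificate Request Agent certs
    # Second half of ESC3: an auth template an agent may enroll in on behalf of others.
    if (enrollable and not needs_approval and t.ra_signatures == 1
            and EKU_CERT_REQUEST_AGENT in t.ra_app_policies and allows_domain_auth(t.ekus)):
        findings.append("ESC3-target")
    if low_priv_has(t.acl, WRITE_RIGHTS):
        findings.append("ESC4")
    return findings


def check_pki_object(acl) -> list:
    """ESC5: the same write-rights test applied to CA, NTAuthCertificates and container objects."""
    return ["ESC5"] if low_priv_has(acl, WRITE_RIGHTS) else []


def audit(templates, pki_objects) -> dict:
    report = {t.name: check_template(t) for t in templates}
    report.update({name: check_pki_object(acl) for name, acl in pki_objects.items()})
    return {k: v for k, v in report.items() if v}


# Constructed sample data standing in for an LDAP dump of the PKI containers.
DU, DC, DA = f"{DOMAIN}-513", f"{DOMAIN}-515", f"{DOMAIN}-512"
SAMPLE_TEMPLATES = [
    Template("VPN-Clients", [EKU_CLIENT_AUTH, EKU_SERVER_AUTH], [Ace(DU, frozenset({"Enroll"}))],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    Template("AnyPurpose", [EKU_ANY_PURPOSE], [Ace(AUTHENTICATED_USERS, frozenset({"Enroll"}))]),
    Template("EnrollmentAgent", [EKU_CERT_REQUEST_AGENT], [Ace(DC, frozenset({"Enroll"}))]),
    Template("SmartcardUser", [EKU_SMARTCARD_LOGON], [Ace(DU, frozenset({"Enroll"}))],
             ra_signatures=1, ra_app_policies=[EKU_CERT_REQUEST_AGENT]),
    Template("User", [EKU_CLIENT_AUTH], [Ace(DU, frozenset({"Enroll", "WriteDacl"}))],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    Template("Administrator", [EKU_CLIENT_AUTH], [Ace(DA, frozenset({"Enroll"}))],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
]
SAMPLE_PKI_OBJECTS = {
    "CN=NTAuthCertificates": [Ace(AUTHENTICATED_USERS, frozenset({"WriteProperty"}))],
    "CN=CORP-CA,CN=Enrollment Services": [Ace(DA, frozenset({"GenericAll"}))],
}

if __name__ == "__main__":
    for obj, findings in audit(SAMPLE_TEMPLATES, SAMPLE_PKI_OBJECTS).items():
        print(f"{obj}: {', '.join(findings)}")
```

Note that the "User" template above is safe from ESC1 only because manager approval is on; the ESC4 finding on the same template shows why that is not enough, since a principal with WriteDacl can switch approval off. The "Administrator" template, identical to "VPN-Clients" except that only Domain Admins can enroll, produces no finding: the enrollment ACL, not the flag alone, is what makes ESC1 exploitable.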


6. Shadow Credentials: Key Credential Abuse (msDS-KeyCredentialLink)

Shadow credentials are not a template flaw and carry no ESC number; they abuse the key-trust mechanism that Windows Hello for Business and device registration rely on. Every user and computer object has an msDS-KeyCredentialLink attribute holding public keys that the domain controller will accept for PKINIT in place of a CA-issued certificate. An attacker with write access to that attribute on a target account (GenericWrite or GenericAll on the object is the usual route) generates a key pair, writes its public key into the attribute, and authenticates as the target with a certificate self-signed by that key, obtaining a TGT and, via U2U, the account's NT hash. No template is touched and nothing is written to the CA database; the only prerequisite is that the domain controllers themselves hold certificates, which is true in any environment running AD CS. The backdoor persists until the attribute is cleaned up, and a password change does not remove it. Defenders should audit who can write msDS-KeyCredentialLink, especially on privileged and computer accounts; set a SACL so additions to the attribute raise event 5136 and alert when the writer is not the object itself; and look for 4768 PKINIT logons whose certificate issuer is not one of your CAs.

7. Detecting AD CS Abuse with Behavioral Analytics

Given the variety of AD CS escalation paths, behavioral detection is crucial. Useful patterns: certificates issued (event 4887) whose subject names a principal other than the requester, from any account not sanctioned as an enrollment agent; issuance from templates with Any Purpose or no EKU, or from a template that was edited shortly before the request; writes to template objects or PKI containers (5136 in the Directory Service log, 4899/4900 on the CA); additions to msDS-KeyCredentialLink; and PKINIT logons (4768 entries that carry Certificate Information fields) whose issuer is not one of your CAs or whose target is a privileged account that does not normally log on with a certificate. Two caveats matter when writing these rules. Event 4887 records the requester and the issued subject but not the SAN, so a rule for ESC1's forged SAN needs the certificate itself, retrieved from the CA database (4886 records the request and its attributes, not the SAN either). And 4769 is a service-ticket event with no certificate data, so PKINIT monitoring belongs on 4768 alone. Windows event logs and SIEM behavioral rules can flag these anomalies. By combining template hardening with active monitoring, defenders can catch escalation attempts early and reduce the impact of AD CS attacks.
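The three rules below, covering the shadow credential pattern from item 6 and the issuance and PKINIT patterns from item 7, are an added example written for this article and not a rule set from any SIEM or vendor. They run over constructed records shaped like the EventData fields of the real events (4887: Requester, Subject, Attributes; 4768: TargetUserName, CertIssuerName; 5136: SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType, where the value-added operation is the resource string %%14674). The known CA issuer, the sanctioned agent account, the user and host names, and the assumption that legitimate key registrations are written by the object itself are all inventions for the example and must be tuned to your environment.

```python
"""Behavioral rules for AD CS abuse over constructed Windows event records (added example)."""

# Known-good state the rules compare against (constructed for this example).
KNOWN_CA_ISSUERS = {"CN=CORP-CA, DC=corp, DC=example"}
KNOWN_ENROLLMENT_AGENTS = {"CORP\\svc-enrollagent"}
OP_VALUE_ADDED = "%%14674"        # 5136 OperationType resource string for "Value Added"


def first_cn(dn: str) -> str:
    """Lower-cased value of the leading CN= component of a distinguished name."""
    rdn = dn.split(",")[0].strip()
    return (rdn[3:] if rdn.upper().startswith("CN=") else rdn).lower()


def rule_pkinit_unknown_issuer(e):
    """4768 with certificate information whose issuer is not one of our CAs: a rogue CA
    (ESC5) or a shadow-credential logon, where the certificate is self-signed by the attacker."""
    issuer = e.get("CertIssuerName", "")
    if e["EventID"] == 4768 and issuer and issuer not in KNOWN_CA_ISSUERS:
        return f"PKINIT for {e['TargetUserName']} with untrusted issuer {issuer!r}"


def rule_key_credential_write(e):
    """5136 adding msDS-KeyCredentialLink. Assumption (tune per environment): Windows Hello
    and device registration write the attribute as the object itself, so any other writer
    is suspect."""
    if (e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "msDS-KeyCredentialLink"
            and e["OperationType"] == OP_VALUE_ADDED):
        writer = e["SubjectUserName"].rstrip("$").lower()
        if writer != first_cn(e["ObjectDN"]):
            return f"{e['SubjectUserName']} added a key credential to {e['ObjectDN']}"


def rule_issued_for_other_principal(e):
    """4887 where the issued Subject names someone other than the requester and the
    requester is not a sanctioned enrollment agent (ESC1 / ESC3 pattern)."""
    if e["EventID"] == 4887 and e["Requester"] not in KNOWN_ENROLLMENT_AGENTS:
        requester = e["Requester"].split("\\")[-1].lower()
        if first_cn(e["Subject"]) != requester:
            return (f"{e['Requester']} was issued a certificate for {e['Subject']} "
                    f"[{e.get('Attributes', '')}]")


RULES = [rule_pkinit_unknown_issuer, rule_key_credential_write, rule_issued_for_other_principal]


def run_rules(events):
    """Return (event id, rule name, message) for every rule that fires on every event."""
    alerts = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                alerts.append((e["EventID"], rule.__name__, msg))
    return alerts


# Constructed events: a normal enrollment, an ESC1-style issuance, a legitimate on-behalf-of
# enrollment by the agent, a normal PKINIT, a self-signed PKINIT, a machine registering its
# own key, and a user writing a key credential onto a domain controller.
SAMPLE_EVENTS = [
    {"EventID": 4887, "Requester": "CORP\\jdoe", "Attributes": "CertificateTemplate:User",
     "Subject": "CN=jdoe, OU=Users, DC=corp, DC=example"},
    {"EventID": 4887, "Requester": "CORP\\jdoe", "Attributes": "CertificateTemplate:VPN-Clients",
     "Subject": "CN=Administrator, CN=Users, DC=corp, DC=example"},
    {"EventID": 4887, "Requester": "CORP\\svc-enrollagent",
     "Attributes": "CertificateTemplate:SmartcardUser",
     "Subject": "CN=asmith, OU=Users, DC=corp, DC=example"},
    {"EventID": 4768, "TargetUserName": "Administrator",
     "CertIssuerName": "CN=CORP-CA, DC=corp, DC=example"},
    {"EventID": 4768, "TargetUserName": "Administrator", "CertIssuerName": "CN=jdoe"},
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": OP_VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": OP_VALUE_ADDED},
]

if __name__ == "__main__":
    for event_id, rule_name, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{event_id}] {rule_name}: {msg}")
```

Running the sample produces exactly three alerts: the certificate for Administrator requested by jdoe, the PKINIT with a self-signed issuer, and the key credential jdoe wrote onto DC01. The agent's on-behalf-of issuance and the workstation registering its own key pass, which is the point of the allowlist and the self-write assumption; in a real deployment the first thing to do is verify that assumption against your own Windows Hello provisioning events before the rule goes live.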

Understanding these seven critical AD CS escalation techniques is essential for any organization using certificate services. From classic template misconfigurations to modern shadow credential attacks, each method exploits a different facet of the PKI ecosystem. By auditing templates, tightening ACLs, enabling comprehensive logging, and deploying behavioral detection, defenders can close these attack paths and maintain a secure Active Directory environment. Remember: the best defense is proactive—regularly review your AD CS configuration and test for vulnerabilities before attackers do.