Active Directory Certificate Services (ADCS) has been a staple of Windows environments for decades. For most IT teams, it quietly issues certificates and stays out of the way. For attackers, it's a skeleton key.

What's the actual problem?

ADCS misconfigurations — categorized as ESC1 through ESC15 — let attackers request certificates that impersonate privileged accounts. ESC1, the most common, allows any domain user to enroll in a certificate template and request a cert as a domain admin. No exploit. No special tool. Just a misconfigured template that's been sitting there since the server was stood up.

"We've run assessments where ESC1 was exploitable within 8 minutes of getting an unprivileged user account. The org had no idea the template existed."
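The template conditions behind ESC1 can be checked from any domain-joined host. The script below is an added example, not code from the original post: it reads the certificate templates in the Configuration partition and reports the ones where the enrollee supplies the subject, the EKU set allows authentication, no manager approval or authorized signature is required, and a broad principal holds enrollment rights. It assumes the ActiveDirectory RSAT module and read access to the Configuration partition; the flag bits, extended-right GUIDs and OIDs are the documented values, while the definition of a "broad" principal (Everyone, Authenticated Users, Domain Users, Domain Computers) is this script's own assumption.

```powershell
# Added example, not from the original post: audit templates for the ESC1 pattern.
# Assumes the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$cfgNc       = (Get-ADRootDSE).configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$caDn        = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNc"

# Extended-right GUIDs that grant enrollment on a template object
$enrollGuids = @([guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1',   # Certificate-Enrollment
                 [guid]'a05b8cc2-17bc-00de-a9c7-0000f80367c1',   # Certificate-AutoEnrollment
                 [guid]::Empty)                                   # ExtendedRight with no object type = all extended rights

# EKUs that make a certificate usable for authentication; no EKU at all means any purpose
$authEkus = @('1.3.6.1.5.5.7.3.2',       # Client Authentication
              '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
              '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
              '2.5.29.37.0')             # Any Purpose

# Templates published on at least one CA; an unpublished template cannot be requested
$published = Get-ADObject -SearchBase $caDn -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

function Test-BroadPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Assumption: Everyone, Authenticated Users, Domain Users (RID 513), Domain Computers (RID 515)
    try { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { return $false }
    return ($sid -in @('S-1-1-0', 'S-1-5-11')) -or $sid.EndsWith('-513') -or $sid.EndsWith('-515')
}

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'
Get-ADObject -SearchBase $templatesDn -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $suppliesSubject = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $needsApproval   = ($t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
    $needsSignature  = [int]$t.'msPKI-RA-Signature' -gt 0                   # authorized signatures required
    $ekus            = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $authCapable     = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $_ -in $authEkus }).Count -gt 0)

    # The technical conditions must all hold; approval or signature requirements break the chain
    if (-not ($suppliesSubject -and $authCapable) -or $needsApproval -or $needsSignature) { return }

    # Who may enroll: GenericAll, or ExtendedRight scoped to an enrollment GUID (or unscoped)
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $broadEnrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal -Identity $_.IdentityReference) -and (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -in $enrollGuids))
        )
    } | ForEach-Object { $_.IdentityReference.Value }

    if ($broadEnrollers) {
        [pscustomobject]@{
            Template     = $t.Name
            Published    = ($t.Name -in $published)
            EnrollableBy = ($broadEnrollers | Sort-Object -Unique) -join ', '
        }
    }
}
```

A template listed with `Published = True` is the one to act on first: clear the enrollee-supplies-subject flag, require manager approval, or cut the enrollment ACE back to the groups that actually need it. Templates that match but are not published are worth fixing before someone publishes them.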

ESC8 is worse

ESC8 combines NTLM relay with ADCS. An attacker coerces a domain controller into authenticating to them, relays that auth to the ADCS HTTP enrollment endpoint, and gets a certificate for the DC's machine account. From there, it's a straight line to DCSync and full domain takeover.
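ESC8 depends on the CA exposing an HTTP enrollment endpoint that accepts NTLM without channel binding. The script below is an added example, not code from the original post, meant to be run on the CA server itself: it lists the installed web enrollment role services and, for each enrollment application, reads the three IIS settings that decide whether a relayed NTLM authentication is accepted (SSL requirement, Extended Protection, and the offered authentication providers). It assumes the ServerManager and WebAdministration modules that ship with the role, that the applications live under the default site (`$site`), and that the CES/CEP application names follow the `_CES_` / `_CEP_` naming the role installer uses.

```powershell
# Added example, not from the original post: check the ESC8 surface on the CA host.
# Assumes the ServerManager and WebAdministration modules and the default site layout.
Import-Module ServerManager
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: standard install location of the enrollment apps

# 1. Is any HTTP-based enrollment role service installed at all?
$webRoles = Get-WindowsFeature -Name 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc', 'ADCS-Enroll-Web-Pol' |
            Where-Object { $_.Installed }

if (-not $webRoles) {
    Write-Output 'No web enrollment role services installed: there is no HTTP endpoint to relay to on this host.'
    return
}
$webRoles | ForEach-Object { Write-Output "Installed: $($_.Name) ($($_.DisplayName))" }

# 2. Enrollment applications under the site: CertSrv (web enrollment) plus CES/CEP applications
$apps = @('CertSrv') + @(Get-WebApplication -Site $site |
                          Where-Object { $_.path -match '_CES_|_CEP_' } |
                          ForEach-Object { $_.path.TrimStart('/') })

function Get-EnrollmentAppPosture {
    param([string]$Site, [string]$App)
    $auth = 'system.webServer/security/authentication/windowsAuthentication'

    $access    = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Location $App -Filter 'system.webServer/security/access'
    $epa       = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Location $App -Filter "$auth/extendedProtection"
    $providers = (Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Location $App -Filter "$auth/providers").Collection |
                 ForEach-Object { $_.value }

    $requiresSsl = "$($access.sslFlags)" -match 'Ssl'
    $epaRequired = "$($epa.tokenChecking)" -eq 'Require'

    [pscustomobject]@{
        Application   = $App
        RequiresSSL   = $requiresSsl
        EPA           = "$($epa.tokenChecking)"
        AuthProviders = ($providers -join ', ')
        # Relay is only blocked when the channel is TLS and the token is bound to it
        RelayExposed  = -not ($requiresSsl -and $epaRequired)
    }
}

$apps | Where-Object { Test-Path "IIS:\Sites\$site\$_" } |
        ForEach-Object { Get-EnrollmentAppPosture -Site $site -App $_ } |
        Format-Table -AutoSize
```

Any row with `RelayExposed = True` is the condition the post describes. The fix options are the documented ones: remove the web enrollment role services if nothing uses them, or require SSL and set Extended Protection to Required on each enrollment application (and drop NTLM from the provider list where the clients can live with Kerberos only).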

What to check right now
