ADCS is no longer just a PKI concern it’s a domain compromise waiting to happen. Learn how to abuse or stop it.
Quick Overview
Active Directory Certificate Services (ADCS) is a foundational component of enterprise identity infrastructure, responsible for issuing and managing digital certificates. While it plays a crucial role in enabling secure authentication, encryption, and digital signing, misconfigurations in ADCS can become powerful attack vectors.
This module focuses on identifying and exploiting ADCS misconfigurations to escalate privileges and gain domain-wide access. You’ll learn how adversaries abuse certificate templates, enrollment services, and CA permissions to compromise Active Directory environments often with stealth and persistence.
Whether you’re new to ADCS or looking to refine your red team methodology, this module offers practical insights into both offensive techniques and defensive detection strategies.
Why This Module Matters
Despite its importance, ADCS is often poorly understood outside of PKI teams. This leads to widespread misconfigurations that red teamers and attackers can exploit for significant impact—including full domain compromise.
Key reasons why ADCS exploitation should be part of your offensive and defensive strategy:
- Under-the-Radar Techniques: Certificate abuse often bypasses traditional detection mechanisms.
- Critical Access Paths: ADCS exploitation can lead to domain admin privileges.
- Increasingly Targeted: Modern red team operations and APT actors are actively leveraging ADCS flaws.
- Persistent Access: Forged certificates allow for long-term, hard-to-detect access across environments.
Understanding and simulating these attacks helps both red and blue teams stay ahead of real-world threats.
What You’ll Learn
This module covers a structured breakdown of ADCS exploitation techniques, aligned with real-world attack paths:
Introduction
- ADCS Fundamentals
- Introduction to Common ADCS Misconfigurations
- Enumerating ADCS Components and Permissions
Abusing Certificate Templates
- ESC1: Enrollable Templates with Dangerous EKUs
- ESC2 – ESC3: Misconfigured Enrollment Flags and Permissions
- Certificate Mapping Techniques
- ESC9 – ESC10: Abusing Certificate Request Handling Mechanisms
Abusing CA Configuration
- ESC6: Exploiting CA Permissions and Misconfigurations
Abusing Access Control
- ESC4 – ESC5 – ESC7: Privilege Escalation via Weak ACLs and Enrollment Rights
NTLM Relay Attacks
- ESC8 – ESC11: NTLM Relay to Web Enrollment Services for Certificate Theft and Impersonation
Miscellaneous ADCS Attacks
- Certified (CVE-2022-26923): Exploiting Certificate Mapping for Privilege Escalation
- PKINIT Abuse for Initial Access and Ticket Forgery
- Using BloodHound with Certipy to Map Certificate-Based Attack Paths
Hands-On Learning
This module includes access to a vulnerable lab simulating a typical enterprise ADCS deployment. Through practical exercises, you’ll:
- Enumerate certificate templates and CA permissions using Certify and Windows-Internals.
- Exploit misconfigured templates to request certificates as privileged users
- Leverage stolen certificates for Kerberos authentication and lateral movement
- Use tools like Rubeus, Certify, PSPKIAudit and Impacket
Prerequisites
To get the most out of this module, you should be familiar with:
- Active Directory fundamentals, including Kerberos and domain trust relationships
- Command-line tools and scripting languages (PowerShell, Python, or C#)
- Offensive security concepts such as privilege escalation, lateral movement, and post-exploitation
- Prior exposure to tools like BloodHound, Impacket, or Rubeus is beneficial but not required
Final Thoughts & Rating
I would rate this module 9/10. It offers a solid technical overview with hands-on examples of ADCS attacks. However, advanced OpSec strategies and stealthy certificate abuse tactics could be explored in greater depth.
Pros:
✔ Comprehensive coverage of ESC1-ESC11 techniques
✔ Includes detection and response strategies
✔ Hands-on lab simulates a real ADCS environment
Cons:
❌ Some attacks require elevated permissions to initiate
❌ Limited focus on bypassing modern EDRs during cert theft or abuse
❌ May be challenging for testers unfamiliar with PKI concepts
In all the certifications I’ve completed that cover Active Directory whether it’s OSCP, CRTO, or CRTP. ADCS is often treated as an afterthought. They might briefly touch on ESC1 or, if you’re lucky, mention ESC8, but rarely do they dive into the full spectrum of abuse paths ADCS offers. This module, on the other hand, goes much deeper. It thoroughly explores the entire ESC1–ESC11 range, shedding light on just how powerful and dangerous misconfigured certificate services can be.
From my real-world experience in red teaming and internal penetration tests, ADCS exploitation has consistently been the fastest and most reliable path to Domain Admin often before coffee has even kicked in. It’s stealthy, effective, and devastating when done right. If you’re serious about Active Directory security, this is not something to skip. ADCS is often overlooked, but in the right hands, it’s a domain compromise waiting to happen. Don’t sleep on it.
If your goal is to understand how certificate abuse can lead to domain compromise and how to prevent it this module is essential.
For those interested, here’s a look at the exam table of contents:
