Active Directory Certificate Services (ADCS)
Status: Scaffold — content in progress
Active Directory Certificate Services (ADCS) is Microsoft's PKI implementation for enterprises. It issues certificates used for authentication (Kerberos PKINIT, smart card logon), code signing, email encryption, and TLS. Because an enterprise CA's certificates are trusted by AD for logon, ADCS misconfiguration is a major privilege escalation and persistence surface; the vulnerability classes below were catalogued by SpecterOps (Will Schroeder and Lee Christensen) in the "Certified Pre-Owned" research (2021).
Architecture
```text
Root CA (offline recommended)
└── Issuing CA (enterprise CA, domain-joined)
    ├── Certificate Templates (define what can be issued and to whom)
    └── Issued Certificates
```
An enterprise CA is domain-integrated: its templates live in the Configuration partition (CN=Certificate Templates,CN=Public Key Services,CN=Services), and its CA certificate is published to the NTAuthCertificates store, which is why domain controllers accept certificates it issues for authentication.
Certificate Templates
A template defines:
- Who can enroll: security group permissions on the template object (the Certificate-Enrollment extended right; auto-enrollment is a separate right)
- What they get: subject alternative names (SANs), key usage, EKU, validity period, and whether the enrollee may supply their own subject
- Authentication: does the certificate carry an EKU the KDC accepts for logon (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose, or no EKU at all)?
- Gating: is manager approval required, and how many authorized signatures (enrollment agent co-signatures) must the request carry?
ESC Vulnerability Classes (SpecterOps)
| ESC | Vulnerability | Requirement | Impact |
|---|---|---|---|
| ESC1 | Template grants low-privileged principals Enroll, lets the enrollee supply the subject/SAN (ENROLLEE_SUPPLIES_SUBJECT), carries an authentication EKU, and needs no manager approval or authorized signatures | Enroll permission | Request a certificate with a SAN for any user (e.g. a Domain Admin) |
| ESC2 | Template allows Any Purpose EKU or no EKU at all | Enroll permission | Certificate usable for authentication, or as an enrollment-agent-like signer for other templates |
| ESC3 | Enrollment Agent template misconfiguration (agent EKU enrollable by low-privileged users, target template accepts one agent signature) | Enroll as enrollment agent | Enroll on behalf of any user |
| ESC4 | Vulnerable template ACL (WriteDACL, WriteOwner, or WriteProperty on the template object) | Write access to template | Rewrite the template into an ESC1 configuration, enroll, then restore it |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on the CA | Enroll permission on any template with an authentication EKU | SAN supplied as a request attribute overrides the subject on any template; blocked once strong certificate mapping (KB5014754) is enforced |
| ESC7 | CA ACL grants ManageCA or ManageCertificates to low-privileged principals | CA admin role | Approve pending requests, issue denied ones, or flip CA flags such as EDITF_ATTRIBUTESUBJECTALTNAME2 |
| ESC8 | AD CS HTTP enrollment endpoints (/certsrv/, CES) accept NTLM without EPA/HTTPS | Network position to coerce and relay NTLM | Relay a DC or user's NTLM authentication to the web enrollment endpoint and obtain a certificate in their name |
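The template conditions above (Enroll for low-privileged principals, enrollee-supplied subject, an authentication EKU, and no approval or signature gating) are all plain attribute checks on the template object. The triage below is an added example, not code from the page or from Certify/Certipy: it applies the ESC1 and ESC2 tests to template records constructed by hand to mirror the msPKI-* attributes stored in AD. In a real run the records would come over LDAP and the enrollers list would be resolved from the template's security descriptor (the Certificate-Enrollment right is extended-right GUID 0e10c968-78fb-11d1-a7dc-0000f803a4d6); here that resolution is assumed and the principals are given directly.

```python
"""ESC1/ESC2 template triage over msPKI-* attributes (added example).

The template records are constructed, not pulled from a directory; the
'enrollers' field stands in for principals holding the Certificate-Enrollment
right, which a real tool would decode from nTSecurityDescriptor.
"""

# Bit flags from MS-CRTD (msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # requester may set subject/SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # manager approval required

# EKUs the KDC accepts for PKINIT logon (per "Certified Pre-Owned").
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT, EKU_ANY_PURPOSE}

# Principals that make "Enroll" effectively available to any domain account.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_auth(ekus):
    """No EKU (SubCA-style) or Any Purpose is accepted for logon, as are the auth EKUs."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def low_priv_enroll(enrollers):
    """Return the low-privileged principals that hold Enroll on the template."""
    return sorted(LOW_PRIV_PRINCIPALS & set(enrollers))


def classify(t):
    """Return the ESC classes a single template record matches (may be empty)."""
    findings = []
    no_approval = not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    no_signatures = t["msPKI-RA-Signature"] == 0
    if not (low_priv_enroll(t["enrollers"]) and no_approval and no_signatures):
        return findings  # gated or admin-only templates are not directly abusable
    ekus = t["pKIExtendedKeyUsage"]
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    if supplies_subject and allows_auth(ekus):
        findings.append("ESC1")
    if not ekus or EKU_ANY_PURPOSE in ekus:
        findings.append("ESC2")
    return findings


def triage(templates):
    """Map template CN -> ESC findings, keeping only templates with a finding."""
    result = {}
    for t in templates:
        found = classify(t)
        if found:
            result[t["cn"]] = found
    return result


# Constructed sample records. "User" mirrors the stock User template values
# (name flag 0xA6000000, enrollment flag 0x29, client-auth/email/EFS EKUs);
# the others are hypothetical.
SAMPLE_TEMPLATES = [
    {"cn": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH],
     "enrollers": ["Domain Users", "Domain Admins"]},
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "enrollers": ["Domain Users"]},
    {"cn": "OpenSubCA", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [],
     "enrollers": ["Authenticated Users"]},
    {"cn": "ApprovedAdmin", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [EKU_CLIENT_AUTH],
     "enrollers": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, classes in triage(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(classes)}")
```

The stock User template passes because the enrollee cannot supply the subject (the CA builds it from AD), and ApprovedAdmin passes because manager approval gates every request even though the rest of the template is ESC1-shaped; that is the check worth remembering when reviewing templates by hand.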
Certificate-Based Authentication
Once an attacker holds a valid certificate (with private key) for a privileged account:
- Request a Kerberos TGT using PKINIT, e.g. `Rubeus.exe asktgt /user:<account> /certificate:<cert.pfx> /getcredentials /ptt` or `certipy auth -pfx <cert.pfx>`
- The TGT's PAC carries the account's NT hash (PAC_CREDENTIAL_INFO, defined in MS-PKCA); Rubeus `/getcredentials` and Certipy recover it with a user-to-user (U2U) TGS request, so a certificate converts directly into a hash
- Use the TGT for Pass-the-Ticket, or the recovered hash for NTLM-based lateral movement
This is persistent authentication that survives password resets: the certificate remains usable until it expires or is revoked, and resetting the account's password does neither.
Telemetry
| Event ID | Location | Description |
|---|---|---|
| 4886 | CA | Certificate Services received a certificate request (Requester, Attributes such as CertificateTemplate and any SAN request attribute) |
| 4887 | CA | Certificate Services approved a certificate request and issued a certificate (Requester, Subject, Attributes, Disposition) |
| 4888 | CA | Certificate Services denied a certificate request |
| 4768 | DC | Kerberos TGT request; PKINIT shows as Pre-Authentication Type 16 with the Certificate Issuer Name, Serial Number and Thumbprint fields populated |
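The two useful joins across these sources are requester versus SAN at issuance time (the ESC1 signature in the CA's own records) and requester versus authenticating account at logon time (a 4768 PKINIT event whose certificate was requested by someone else). The script below is an added example, not part of the page or of any vendor detection: it runs both joins over constructed inputs. The CA rows imitate a `certutil -view` export with the RequesterName, SerialNumber, UPN and CertificateTemplate columns, and the 4768 records imitate the event's EventData fields (TargetUserName, PreAuthType, CertSerialNumber); exact column and field names on a real export are an assumption to verify against your own output.

```python
"""Correlate CA issuance records with DC 4768 PKINIT logons (added example).

All inputs are constructed. Serial numbers are compared after stripping the
spaces certutil inserts and upper-casing, since the DC and the CA format them
differently.
"""

PA_PK_AS_REQ = "16"  # 4768 PreAuthType value for PKINIT (certificate) pre-auth


def _sam(name):
    """'CORP\\jsmith' or 'jsmith@corp.local' -> 'jsmith' (lower-cased)."""
    return name.split("@")[0].split("\\")[-1].lower()


def _serial(s):
    return s.replace(" ", "").upper()


def review_issuance(ca_rows):
    """ESC1-style indicator: the SAN UPN names someone other than the requester."""
    hits = []
    for r in ca_rows:
        if r["UPN"] and _sam(r["UPN"]) != _sam(r["RequesterName"]):
            hits.append((r["RequestID"], r["RequesterName"], r["UPN"], r["CertificateTemplate"]))
    return hits


def review_pkinit(events, ca_rows):
    """Flag PKINIT logons whose certificate is unknown to the CA or was requested by another principal."""
    issued = {_serial(r["SerialNumber"]): r for r in ca_rows}
    alerts = []
    for e in events:
        if e["EventID"] != 4768 or e["PreAuthType"] != PA_PK_AS_REQ:
            continue  # password or other pre-auth; not certificate based
        serial = _serial(e["CertSerialNumber"])
        target = _sam(e["TargetUserName"])
        rec = issued.get(serial)
        if rec is None:
            # Certificate not in this CA's database: another CA, a forged
            # certificate, or an export gap. Either way worth a look.
            alerts.append((target, serial, "certificate serial not found in CA database"))
        elif _sam(rec["RequesterName"]) != target:
            alerts.append((target, serial,
                           f"certificate requested by {rec['RequesterName']} "
                           f"via template {rec['CertificateTemplate']}"))
    return alerts


# Constructed CA export: a normal User enrollment and an ESC1-style request
# where jsmith enrolled for a certificate naming the administrator.
SAMPLE_CA_ROWS = [
    {"RequestID": 101, "RequesterName": "CORP\\jsmith", "SerialNumber": "1a 00 00 00 0f",
     "UPN": "jsmith@corp.local", "CertificateTemplate": "User"},
    {"RequestID": 102, "RequesterName": "CORP\\jsmith", "SerialNumber": "1a 00 00 00 10",
     "UPN": "administrator@corp.local", "CertificateTemplate": "VulnTemplate"},
]

# Constructed 4768 records: a benign PKINIT, a password logon, the abuse,
# and a PKINIT with a certificate the CA never issued.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "jsmith", "PreAuthType": "16",
     "CertSerialNumber": "1A0000000F"},
    {"EventID": 4768, "TargetUserName": "administrator", "PreAuthType": "2",
     "CertSerialNumber": ""},
    {"EventID": 4768, "TargetUserName": "administrator", "PreAuthType": "16",
     "CertSerialNumber": "1A00000010"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "16",
     "CertSerialNumber": "7700000002"},
]

if __name__ == "__main__":
    for hit in review_issuance(SAMPLE_CA_ROWS):
        print("issuance:", hit)
    for alert in review_pkinit(SAMPLE_4768, SAMPLE_CA_ROWS):
        print("logon:", alert)
```

The issuance check fires before the attacker ever authenticates, so it is the cheaper alert; the logon check is what catches reuse of a certificate issued long ago, which no password reset will have touched.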
Cross-Links
| Topic | Link |
|---|---|
| PKI Overview | pki-overview |
| ESC1 Template Abuse | esc1-template-abuse |
| Certificate Theft | certificate-theft |
| ADCS Detection | detect-certificate-attacks |