The Vilkas Wire
Why You Should Secure AD CS Against ESC1 (and How to Do It)
Oct 9, 2025 · By Ben Rollin

Introduction
Active Directory Certificate Services (AD CS) is the backbone of certificate issuance in Windows environments. When properly configured, it helps enforce secure authentication and encryption. But when misconfigured, AD CS can introduce some of the most dangerous privilege escalation paths in Active Directory.
One of the most common and impactful of these is ESC1, the first of the domain escalation scenarios ("ESC") catalogued in the Certified Pre-Owned whitepaper by Will Schroeder and Lee Christensen (SpecterOps, 2021). ESC1 is a template misconfiguration that lets an ordinary domain user request a certificate that authenticates as a Domain Admin, and from there take control of the entire domain.
What Is ESC1?
ESC1 arises when a certificate template published on an enterprise CA combines several risky settings:
- Low-privileged enrollment rights: broad principals such as "Authenticated Users" or "Domain Users" hold the Enroll right on the template (and, as is the default, the CA itself lets them request certificates).
- No manager approval: requests are issued immediately instead of being held for a certificate manager ("CA certificate manager approval" is off).
- No authorized signatures required: the Issuance Requirements tab asks for zero signatures, so no enrollment agent has to co-sign the request.
- An authentication EKU: Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose, or no EKU at all, so a domain controller will accept the certificate for logon.
- "Supply in the request" enabled under Subject Name: the requester chooses the subject and the Subject Alternative Name (SAN), instead of the CA building them from the requester's AD account.
Together, these conditions let a low-privileged user request a certificate whose SAN names any account in the domain and use it to impersonate that account.
Why It's Dangerous
The ability to supply a SAN is the crux of ESC1. A domain controller maps a certificate to an account by the UPN (or DNS name) in its SAN, so if a template lets the requester choose that value, an attacker can obtain a certificate that authenticates as ANY user in the domain, including a Domain Admin or Enterprise Admin. In our penetration tests this typically ends in full domain compromise starting from nothing more than a standard domain user account.
Once issued, the certificate can be used to:
- Authenticate to Active Directory as the chosen account, over Kerberos (PKINIT) or Schannel/LDAPS.
- Obtain a Kerberos TGT for that account, and from it the account's NT hash.
- DCSync and obtain the password hashes of every account in the domain, including krbtgt.
- Persist: the certificate stays valid for the template's validity period and survives password resets of the impersonated account.
ESC1 is a simple and quiet route from a compromised user account to a domain compromise.
Example Attack Path
Here's how we exploit ESC1 in real-world engagements:
- Compromise a standard domain user account.
- Enumerate the published certificate templates and pick one that meets all of the ESC1 conditions above.
- Submit a certificate request to the enterprise CA with the SAN set to a Domain Admin's UPN (for example administrator@domain).
- Receive a valid certificate for that privileged account; no approval step is involved.
- Authenticate with the certificate over PKINIT to obtain a TGT for the Domain Admin (and, if wanted, the account's NT hash), then operate as a Domain Admin.
The entire process takes minutes and, in most environments we test, goes undetected.
How to Detect ESC1
Detecting ESC1 requires both configuration reviews and log monitoring:
- Audit certificate templates (the objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition):
  - Check whether "Supply in the request" is enabled under Subject Name (bit 0x1, CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, of msPKI-Certificate-Name-Flag).
  - Look for authentication EKUs (Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose) or an empty EKU list.
  - Review enrollment permissions for overly broad access, and confirm whether the template is actually published on a CA.
  - Watch for template changes: Event ID 4899 (template updated) and 4900 (template security updated).
- Enable AD CS auditing on the CA (the "Audit Certification Services" subcategory in the audit policy plus "Issue and manage certificate requests" on the CA's Auditing tab; nothing is logged without both):
  - Event ID 4886 (Certificate Services received a certificate request).
  - Event ID 4887 (Certificate Services approved a certificate request and issued a certificate).
- Alert on mismatches:
  - If the requester and the SAN differ, especially when the SAN matches a privileged account, that should trigger an investigation. Note that the SAN appears in the event's Attributes field only when it was passed as a request attribute (SAN:upn=...); when it is carried in the CSR itself you have to read it from the issued certificate in the CA database (certutil -view), so pull that field into your SIEM as well.
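The mismatch check as working code, added for this article and not taken from any tool or from the original post. It runs over constructed records that mirror the fields of Security event 4887 on the CA (Request ID, Requester, Attributes); the SAN:upn= attribute syntax is real, but the events themselves are made up. The issued_upn field is an assumption standing in for the UPN read out of the issued certificate in the CA database (what you would get from certutil -view), since a SAN supplied inside the CSR never reaches the Attributes field. PRIVILEGED_ACCOUNTS is a placeholder to extend with your own Tier 0 accounts.

```python
# Added example: requester-versus-SAN mismatch check for AD CS issuance events.
# Event records below are constructed; field names and SAN:upn= syntax are real.
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the Tier 0 accounts you care about; extend for your domain.
PRIVILEGED_ACCOUNTS = {"administrator", "krbtgt"}

# "SAN:upn=user@domain" inside the Attributes field (other SAN types use dns=, email=)
SAN_UPN_RE = re.compile(r"\bSAN:upn=([^\s,;]+)", re.IGNORECASE)


@dataclass(frozen=True)
class IssuanceEvent:
    request_id: int
    requester: str                    # e.g. "CORP\\jdoe", as the CA logs it
    attributes: str                   # Attributes field, one entry per line
    issued_upn: Optional[str] = None  # UPN from the issued cert's SAN (CA database lookup)


def account_name(principal: str) -> str:
    """'CORP\\jdoe' -> 'jdoe', 'jdoe@corp.local' -> 'jdoe'; machine accounts keep their $."""
    name = principal.split("\\")[-1]
    return name.split("@")[0].lower()


def san_target(ev: IssuanceEvent) -> Optional[str]:
    """The identity the certificate will authenticate as, if the request chose one."""
    m = SAN_UPN_RE.search(ev.attributes)
    if m:
        return m.group(1)
    return ev.issued_upn


def analyze(ev: IssuanceEvent) -> Optional[dict]:
    """Return a finding when the certificate names someone other than the requester."""
    target = san_target(ev)
    if target is None:
        return None  # no SAN chosen: subject built from AD, or a CN-only TLS certificate
    if account_name(target) == account_name(ev.requester):
        return None  # self-enrollment, the normal case
    severity = "high" if account_name(target) in PRIVILEGED_ACCOUNTS else "medium"
    return {
        "request_id": ev.request_id,
        "requester": ev.requester,
        "target": target,
        "severity": severity,
    }


def findings(events) -> list:
    """All mismatch findings for a batch of events, in log order."""
    return [f for f in map(analyze, events) if f is not None]


# Constructed sample records (not from any real environment).
SAMPLE_EVENTS = [
    # normal self-enrollment from the User template: SAN is the requester's own UPN
    IssuanceEvent(1501, "CORP\\jdoe", "CertificateTemplate:User",
                  issued_upn="jdoe@corp.local"),
    # ESC1: low-privileged user asked for a Domain Admin UPN via a request attribute
    IssuanceEvent(1502, "CORP\\jdoe",
                  "CertificateTemplate:WebServerClone\r\nSAN:upn=administrator@corp.local"),
    # ESC1 with the SAN inside the CSR: only visible in the issued certificate
    IssuanceEvent(1503, "CORP\\svc-backup", "CertificateTemplate:WebServerClone",
                  issued_upn="alice@corp.local"),
    # no SAN at all (a plain server certificate with a CN only)
    IssuanceEvent(1504, "CORP\\WEB01$", "CertificateTemplate:WebServer"),
]

if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] request {f['request_id']}: "
              f"{f['requester']} obtained a certificate for {f['target']}")
```

Comparison is on the bare account name, case-insensitively, so a DOMAIN\user requester and a user@domain SAN match when they refer to the same account; machine accounts keep their trailing $ so a host requesting a certificate for a user is still flagged.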
How to Remediate ESC1
Fortunately, remediation is straightforward once templates are reviewed:
- Restrict enrollment rights: only the groups that genuinely need the template should hold Enroll on it; remove broad entries such as "Authenticated Users → Enroll" or "Domain Users → Enroll".
- Disable "Supply in the request": switch the Subject Name tab to "Build from this Active Directory information" so the CA sets the subject and SAN from the requester's own account.
- Where a template legitimately needs a requester-supplied subject (web server certificates, for example), remove the authentication EKUs from it and keep enrollment to a small, trusted group.
- Require manager approval: turn on "CA certificate manager approval" for sensitive templates so a human reviews each request before issuance.
- Review cloned templates: templates copied from defaults such as WebServer inherit "Supply in the request"; the moment someone adds Client Authentication and opens enrollment, the clone becomes ESC1.
- Revoke what was already issued: fixing or deleting the template does not invalidate certificates already obtained from it, so query the CA database for its issuances, revoke anything suspicious and publish a fresh CRL.
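The conditions from "What Is ESC1?" and the remediation above, expressed as one check over template records. This is an added example written for this article, not Certipy's or Microsoft's code. The records are shaped like the attributes a template audit pulls from the Configuration partition (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, the Enroll ACEs and the CA's certificateTemplates list); the flag bits and EKU OIDs are the real ones, but the three templates and the BROAD_PRINCIPALS set are constructed for illustration, and there is no LDAP query here.

```python
# Added example: ESC1 check over certificate template records. The three
# templates below are constructed sample data; attribute names, flag bits and
# EKU OIDs are the real AD CS ones.
from dataclasses import dataclass, replace

# msPKI-Certificate-Name-Flag bit: "Supply in the request" (enrollee sets subject/SAN)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: "CA certificate manager approval" required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that let the resulting certificate authenticate to AD. A template with
# no EKU at all is usable for any purpose, logon included.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Assumption: principals whose Enroll right means "any domain account can enroll".
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    name_flag: int                # msPKI-Certificate-Name-Flag
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ra_signatures: int            # msPKI-RA-Signature (authorized signatures required)
    ekus: tuple                   # pKIExtendedKeyUsage OIDs
    enroll_principals: frozenset  # principals holding Enroll (or GenericAll) on the template
    published_on_ca: bool         # listed in an enterprise CA's certificateTemplates attribute


def esc1_conditions(t: Template) -> dict:
    """Each ESC1 precondition from the article, evaluated against one template."""
    return {
        "supply_in_request": bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": t.ra_signatures == 0,
        "authentication_eku": not t.ekus or bool(AUTH_EKUS & set(t.ekus)),
        "low_priv_enrollment": bool(BROAD_PRINCIPALS & t.enroll_principals),
        "published_on_ca": t.published_on_ca,
    }


def is_esc1(t: Template) -> bool:
    """ESC1 needs every condition at once; breaking any one of them closes the path."""
    return all(esc1_conditions(t).values())


def harden(t: Template) -> Template:
    """The article's remediation applied to a record: subject built from AD,
    manager approval on, broad enrollment removed."""
    return replace(
        t,
        name_flag=t.name_flag & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        enrollment_flag=t.enrollment_flag | CT_FLAG_PEND_ALL_REQUESTS,
        enroll_principals=frozenset(t.enroll_principals - BROAD_PRINCIPALS),
    )


def audit(templates) -> list:
    """Names of the templates that satisfy every ESC1 condition."""
    return [t.name for t in templates if is_esc1(t)]


# Constructed sample templates (values chosen to mirror common configurations).
VULN_WEB_CLONE = Template(            # WebServer clone given Client Auth and open enrollment
    name="WebServerClone",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signatures=0,
    ekus=("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"),  # Server Auth + Client Auth
    enroll_principals=frozenset({"Domain Admins", "Domain Users"}),
    published_on_ca=True,
)
DEFAULT_WEBSERVER = Template(         # default WebServer: supplies subject, no auth EKU, admins only
    name="WebServer",
    name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=0,
    ra_signatures=0,
    ekus=("1.3.6.1.5.5.7.3.1",),
    enroll_principals=frozenset({"Domain Admins", "Enterprise Admins"}),
    published_on_ca=True,
)
USER_TEMPLATE = Template(             # default User: auth EKU, but subject is built from AD
    name="User",
    name_flag=0xA6000000,             # SUBJECT_ALT_REQUIRE_UPN etc.; bit 0x1 is clear
    enrollment_flag=0,
    ra_signatures=0,
    ekus=("1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"),
    enroll_principals=frozenset({"Domain Users"}),
    published_on_ca=True,
)

if __name__ == "__main__":
    for t in (VULN_WEB_CLONE, DEFAULT_WEBSERVER, USER_TEMPLATE):
        failing = [k for k, v in esc1_conditions(t).items() if not v]
        print(f"{t.name:16} ESC1={is_esc1(t)!s:5} not met: {failing or 'none'}")
    print("WebServerClone after hardening:", is_esc1(harden(VULN_WEB_CLONE)))
```

The default WebServer record shows why "Supply in the request" alone is not ESC1: without an authentication EKU and with enrollment limited to admins, two of the conditions fail. The User record shows the reverse, an authentication EKU with the subject built from AD. Only the clone meets all six, and harden() clears three of them at once; in production, clearing just the name flag (or just the enrollment ACE) already breaks the chain, and the issued certificates still need revoking.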
Key Takeaways
- ESC1 is one of the most prevalent and dangerous AD CS misconfigurations.
- It creates a direct path from domain user access to Domain Admin.
- Certificates obtained through ESC1 are long-lived, survive password resets and look like ordinary enrollments, so they serve for persistence as well as for the initial compromise.
- The fix is relatively straightforward, but only if you know to look for it.
If your organization runs AD CS, auditing for ESC1 should be a priority. It's a basic security control that can prevent a catastrophic breach.
Have a question about this article or a security challenge of your own?
Vilkas Cybersecurity helps organizations uncover and fix real-world exposures, not just theoretical ones. Fill out the form and we'll get back to you shortly.