
The Vilkas Wire

When Permissions Break Security: Understanding ESC4 in Active Directory Certificate Services

Feb 19, 2026 · By Ben Rollin

Active Directory · Defender Tips

Active Directory Certificate Services (AD CS) is the backbone of authentication in many organizations. It enables users and systems to prove their identity with digital certificates, making it critical to business operations. But as with most complex systems, configuration matters. A single oversight can give attackers the leverage they need to move from ordinary domain user to complete control of the environment.

In this post, we’ll explore ESC4 (Domain Escalation Scenario 4), an Active Directory privilege escalation scenario identified in the Certified Pre-Owned whitepaper by Will Schroeder and Lee Christensen. Unlike ESC1, which directly allows attackers to request certificates for other accounts, ESC4 deals with who can change certificate templates. If access controls are too lax, an attacker can modify a certificate template for their own purposes.


What Is ESC4?

Certificate templates define what kind of certificates a Certificate Authority (CA) can issue. They are supposed to be tightly controlled because they set the rules for identity.

The crux of the ESC4 attack is weak access controls. If ordinary users (or groups such as Domain Users) have rights such as Write, Full Control, or Modify Owner on a template, they can edit it. We sometimes run into a scenario where Domain Computers have these rights over a certificate template, and, if ms-DS-MachineAccountQuota is set to the default of 10 (or higher than 0), an attacker can create a malicious machine account to pull off this attack.

When the conditions are right, the targeted certificate template can be edited to make it vulnerable to the ESC1 attack, effectively creating a backdoor to obtain domain-admin-level certificates.


Why It Matters

On paper, ESC4 might look like a technical misconfiguration, but in practice, it’s a rather simple way to turn low-privilege access into total compromise.

There are many scenarios where any Domain User can exploit it, and readily available open-source tooling makes the attack rather easy to pull off. The attack may go unnoticed until it is too late, as many organizations are not actively auditing changes to access control lists (ACLs). Most importantly, once a template is modified, it can be used to facilitate persistence by requesting trusted certificates even after a password reset.


ESC4 Attack Flow

Below are the general steps for performing the ESC4 domain privilege escalation attack:

  1. Find a vulnerable template – Tools like Certipy quickly identify templates where excessive rights are granted to large groups.
  2. Modify the template – The attacker uses their permissions to add dangerous settings (for example, Subject Alternative Name changes that enable impersonation).
  3. Downgrade to ESC1 – By editing the template, the attacker converts it into a known exploitable state.
  4. Request a certificate – They request a certificate in the name of a privileged account.
  5. Authenticate as Domain Admin – That certificate can then be used to access domain controllers or sensitive systems.

The key risk here is that what began as a low-privileged user with nothing but login rights ends with full domain compromise.


Detecting ESC4 Abuse

Visibility into the ESC4 attack is possible, but a bit nuanced.

  • Event ID 4899 – Triggers when attributes are updated on a certificate template.
  • Event ID 4887 – Triggers when a certificate request is approved and a certificate is issued.

By correlating these event IDs, security teams can spot when a template was changed and then quickly abused.

However, the logs don’t always show which account made the modification, making it easy for attackers to cover their tracks. Furthermore, Event ID 4899 will not fire until an attacker actually requests a certificate using the modified template. Combining it with Event ID 4887 will identify the requester and the Subject Alternative Name used in an ESC1 attack.
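To show the correlation described above in practice, here is an added PowerShell example (it is not code from this post or from any tool it names). It takes Security-log events from a CA, pairs each Event ID 4899 with the 4887 events that follow it within a window and name the same template, and reports the requester and any SAN request attribute. The function names Get-EventField and Find-Esc4Correlation are my own, the sample events are constructed so the script runs offline, and the "Template Name:", "Requester:" and "Attributes:" labels are assumptions about the message text that you should check against your own CA's events.

```powershell
# Added example (not from the post): correlate 4899 (template updated) with 4887 (certificate issued).
# Requires Certification Services auditing on the CA for these events to exist in the Security log.

function Get-EventField {
    # Pull a "Label: value" line out of an event message; $null when the label is absent.
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

function Find-Esc4Correlation {
    param(
        [Parameter(Mandatory)] $Events,                       # objects with TimeCreated, Id, Message
        [TimeSpan]$Window = [TimeSpan]::FromHours(24)         # how long after the update a request still counts
    )
    $updates = @($Events | Where-Object Id -eq 4899)
    $issued  = @($Events | Where-Object Id -eq 4887)
    foreach ($u in $updates) {
        $templateName = Get-EventField $u.Message 'Template Name'   # assumed field label
        if (-not $templateName) { continue }
        $templatePattern = '(?i)CertificateTemplate:' + [regex]::Escape($templateName) + '(\s|$)'
        foreach ($i in $issued) {
            # 4899 is logged when the CA loads the changed template, which happens while it processes the
            # request, so the issue event normally lands seconds after it. Allow a minute of clock skew.
            if ($i.TimeCreated -lt $u.TimeCreated.AddMinutes(-1)) { continue }
            if ($i.TimeCreated -gt $u.TimeCreated + $Window)      { continue }
            $attrs = Get-EventField $i.Message 'Attributes'       # assumed field label
            if ($attrs -notmatch $templatePattern) { continue }
            $san = if ($attrs -match '(?i)SAN:(\S+)') { $Matches[1] } else { $null }
            [PSCustomObject]@{
                Template        = $templateName
                TemplateUpdated = $u.TimeCreated
                CertIssued      = $i.TimeCreated
                RequestId       = Get-EventField $i.Message 'Request ID'
                Requester       = Get-EventField $i.Message 'Requester'
                SAN             = $san
            }
        }
    }
}

# Constructed sample events (not real log data) so the function can be exercised offline.
$msgUpdate = @'
Certificate Services template was updated.
Template Information:
    Template Name: LabWebServer
    Template Version: 100.5
'@
$msgIssuedSuspicious = @'
Certificate Services approved a certificate request and issued a certificate.
    Request ID: 42
    Requester: CORP\lowpriv
    Attributes: CertificateTemplate:LabWebServer SAN:upn=administrator@corp.example
    Disposition: 3
    Subject: CN=lowpriv
'@
$msgIssuedBenign = @'
Certificate Services approved a certificate request and issued a certificate.
    Request ID: 43
    Requester: CORP\WS01$
    Attributes: CertificateTemplate:Machine
    Disposition: 3
    Subject: CN=WS01.corp.example
'@
$SampleEvents = @(
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-02-19T10:00:00'; Id = 4899; Message = $msgUpdate }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-02-19T10:00:02'; Id = 4887; Message = $msgIssuedSuspicious }
    [PSCustomObject]@{ TimeCreated = [datetime]'2026-02-19T11:00:00'; Id = 4887; Message = $msgIssuedBenign }
)

# Only the LabWebServer request is reported: it follows the template update and names that template.
Find-Esc4Correlation -Events $SampleEvents | Format-Table -AutoSize

# Against a real CA, replace $SampleEvents with live events, for example:
# Get-WinEvent -ComputerName ca01 -FilterHashtable @{ LogName = 'Security'; Id = 4887, 4899 }
```

The window is deliberately generous: an attacker who edits a template and waits a day before requesting still produces a pair, while routine template maintenance followed by unrelated issuance shows up too and needs a human to look at the requester and SAN columns.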


Mitigating ESC4

Mitigating the ESC4 attack is rather straightforward, but often overlooked:

  • Audit template permissions regularly. Groups such as Domain Users or other low-privileged groups should not have Write or Full Control rights over a certificate template.
  • Remove over-permissive ACLs. Use tools such as ADSI Edit, PKI PowerShell modules, or Certipy in audit mode to verify. Another great tool to quickly identify ESC4 and various other ESC attacks is Locksmith2.
  • Enforce least privilege. Only PKI administrators should have rights to modify certificate templates.
  • Validate fixes. After remediation, re-scan with tools to confirm risky rights are gone.
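As an added example covering both the weak-ACL condition described under "What Is ESC4?" and the audit and validate steps above (it is not code from this post, from Certipy or from Locksmith), the following PowerShell script enumerates every certificate template in the Configuration partition and reports allow ACEs that grant Everyone, Authenticated Users, Domain Users or Domain Computers the rights that permit rewriting the template. It also reads ms-DS-MachineAccountQuota, since the Domain Computers case depends on it. It assumes the RSAT ActiveDirectory module on a domain-joined host; the function names Get-Esc4Finding and Get-MachineAccountQuota are my own. It only reports, it changes nothing, so it can be run before remediation and again afterwards to confirm the rights are gone.

```powershell
# Added example (not from the post): report ESC4-style rights on certificate templates.
# Assumes the RSAT ActiveDirectory module on a domain-joined host; read access is enough.
Import-Module ActiveDirectory

# Rights that let a principal rewrite a template, or take ownership and then rewrite it.
$DangerousRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

# Low-privileged principals that should never hold those rights on a template.
$DomainSid   = (Get-ADDomain).DomainSID.Value
$LowPrivSids = @(
    'S-1-1-0',            # Everyone
    'S-1-5-11',           # Authenticated Users
    "$DomainSid-513",     # Domain Users
    "$DomainSid-515"      # Domain Computers
)

function Get-Esc4Finding {
    # Templates live in the Configuration partition, not the domain partition.
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    $templates = Get-ADObject -SearchBase $container -SearchScope OneLevel `
        -Filter 'objectClass -eq "pKICertificateTemplate"' -Properties nTSecurityDescriptor

    foreach ($template in $templates) {
        foreach ($ace in $template.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable (orphaned) principal: nothing to report
            if ($sid -notin $LowPrivSids) { continue }

            $granted = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $hits    = @($granted | Where-Object { $_ -in $DangerousRights })
            # WriteProperty scoped to a single attribute (ObjectType set) is not a template rewrite;
            # only the unrestricted form is flagged.
            if ($ace.ObjectType -ne [Guid]::Empty) { $hits = @($hits | Where-Object { $_ -ne 'WriteProperty' }) }
            if ($hits.Count -eq 0) { continue }

            [PSCustomObject]@{
                Template  = $template.Name
                Principal = $ace.IdentityReference.Value
                Rights    = $hits -join ', '
            }
        }
    }
}

function Get-MachineAccountQuota {
    # The default of 10 lets any user add machine accounts, which matters when Domain Computers has rights on a template.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Get-Esc4Finding | Format-Table -AutoSize
Write-Output "ms-DS-MachineAccountQuota: $(Get-MachineAccountQuota)"
```

An empty table from Get-Esc4Finding is the expected result in a healthy environment. Any row is a template a low-privileged principal can rewrite; the fix is to remove that ACE (or restrict it to the PKI administrators group) and re-run the script to validate.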

Key Takeaways for Leadership

ESC4 is a silent enabler-type attack. It doesn’t look like a flashy exploit, but it’s one of the fastest ways to lose control of your domain. The attack is entirely preventable through strong governance of certificate templates and regular audits that eliminate the risk.

When certificates are compromised, the foundation of identity in your organization is broken.


Closing Thoughts

The ESC4 attack shows how a single weak permission in AD CS can unravel your entire security model. If attackers can rewrite certificate templates, they can open the door to domain escalation and persistence that can be difficult to detect.

If you are running Active Directory Certificate Services, do not overlook the potentially massive attack surface this introduces into an AD environment. Regular assessments and targeted Active Directory security reviews are critical for identifying and remedying these issues before attackers exploit them.


Have a question about this article or a security challenge of your own?

Vilkas Cybersecurity helps organizations uncover and fix identity-driven attack chains. Fill out the form, and we'll get back to you shortly.
