ADCS ESC1 and ESC4 Explained
Understanding Active Directory Certificate Services vulnerabilities: ESC1 and ESC4 attack techniques, how they work, and how to prevent them.
Active Directory Certificate Services (AD CS) misconfigurations can allow attackers to obtain certificates that grant domain admin privileges.
What is AD CS?
Active Directory Certificate Services issues digital certificates for authentication, encryption, and digital signatures. When configured incorrectly, it can become a path to domain compromise.
ESC1: Misconfigured Certificate Templates
ESC1 allows any domain user to obtain a certificate that can be used for authentication as any other user, including Domain Admins.
How It Works
- A certificate template has:
  - Enrollment permissions that allow "Authenticated Users" or "Domain Users" to enroll
  - Client Authentication EKU (Extended Key Usage)
  - CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag, allowing the requester to specify the subject
  - No manager approval or authorized signatures required
- An attacker enrolls in the template, specifying a Domain Admin as the subject
- The attacker uses the certificate to authenticate as the Domain Admin
- The attacker now has Domain Admin privileges
Remediation
- Remove "Authenticated Users" or "Domain Users" from enrollment permissions
- Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag
- Require manager approval for sensitive templates
- Use certificate template access control to limit enrollment
ESC4: Vulnerable Certificate Template ACLs
ESC4 allows attackers to modify a certificate template's ACL to grant themselves enrollment permissions, then abuse the template.
How It Works
- A certificate template has weak ACLs that allow modification
- An attacker modifies the template to:
  - Add themselves to enrollment permissions
  - Enable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT if not already enabled
  - Remove manager approval requirements
- The attacker enrolls and obtains a certificate
- The attacker uses the certificate to authenticate as a privileged user
Remediation
- Restrict certificate template modification permissions
- Use least privilege for template ACLs
- Monitor for template modifications
- Regularly audit certificate template permissions
Detection
Look for:
- Certificate templates with "Authenticated Users" enrollment permissions
- Templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT enabled
- Templates with weak ACLs
- Certificates issued to unexpected users
- Certificate enrollment events in logs
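The template checks above can be scripted against the Configuration partition. The following audit script is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, read access to the Certificate Templates container, and the flag values, EKU OIDs and Certificate-Enrollment right GUID named in the comments.

```powershell
# Added example: flag templates matching the ESC1 and ESC4 conditions described above.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag (manager approval)
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
# Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose
$AuthEkus    = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0'
$LowPrivSids = 'S-1-1-0', 'S-1-5-11'        # Everyone, Authenticated Users
$LowPrivRids = '-513', '-515'               # Domain Users, Domain Computers
$WriteRights = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
$GenericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtRight    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-LowPriv([System.Security.Principal.IdentityReference]$Id) {
    try { $sid = $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { return $false }
    return ($LowPrivSids -contains $sid) -or [bool]($LowPrivRids | Where-Object { $sid.EndsWith($_) })
}

$cfg = (Get-ADRootDSE).configurationNamingContext
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage

foreach ($t in $templates) {
    # Only Allow ACEs granted to low-privileged principals matter for both checks
    $lowPrivAces = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (Test-LowPriv $_.IdentityReference) }

    # ESC1: requester supplies subject + authentication EKU + no approval/signature + open enrollment
    $supplySubject  = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval  = ([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignature = [int]$t.'msPKI-RA-Signature' -gt 0
    $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $authEku = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })   # no EKU = any purpose
    $lowPrivEnroll = $lowPrivAces | Where-Object {
        (([int]$_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) -or
        ((([int]$_.ActiveDirectoryRights -band $ExtRight) -ne 0) -and
         ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty))
    }
    if ($supplySubject -and $authEku -and -not $needsApproval -and -not $needsSignature -and $lowPrivEnroll) {
        Write-Output "ESC1: $($t.Name) lets low-privileged principals enroll and supply the subject"
    }

    # ESC4: low-privileged principals can rewrite the template or its ACL
    $lowPrivWrite = $lowPrivAces | Where-Object { ([int]$_.ActiveDirectoryRights -band $WriteRights) -ne 0 }
    if ($lowPrivWrite) {
        Write-Output "ESC4: $($t.Name) is writable by $(($lowPrivWrite.IdentityReference | Select-Object -Unique) -join ', ')"
    }
}
```

Review every ESC4 hit by hand: WriteProperty scoped to a single harmless attribute is far less serious than unscoped WriteProperty, GenericWrite or WriteDacl, and the script does not distinguish them.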
Prevention
- Review certificate templates: Identify templates with dangerous configurations
- Restrict enrollment: Limit enrollment permissions to specific groups
- Remove dangerous flags: Disable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT where not needed
- Require approval: Enable manager approval for sensitive templates
- Harden ACLs: Restrict template modification permissions
- Monitor enrollment: Alert on certificate enrollment, especially for sensitive templates
- Regular audits: Review certificate templates and issued certificates regularly