AD CS: ESC1-ESC16 catalog
In June 2021, Will Schroeder (@harmj0y) and Lee
Chagolla-Christensen released from SpecterOps the
“Certified Pre-Owned”
paper, cataloging the first 8 escalations (ESC1-ESC8) on a PKI
infrastructure Microsoft had documented poorly since 2008. The
catalog grew to ESC16 between 2022 and 2025.
Why it remains critical in 2026: AD CS is enabled by default
in many enterprise environments, its templates ship with
dangerous flags (
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) without
visual GUI warnings, and Mandiant’s M-Trends 2025 documented
multiple breaches where UNC2165 (RansomHub) abused AD CS to
create MFA-exempt admin accounts.Global detection (always first)
nmap -sV of AD CS.
ESC1 — Enrollee Supplies Subject
Condition: Template withCT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
Client AuthenticationEKU + Enroll right for low-priv users. The requester decides theSubject Alternative Name.
msPKI-Certificate-Name-Flag bit, require manager approval.
ESC2 — Any Purpose EKU
Condition: Template withAny Purpose EKU (OID 2.5.29.37.0)
or no EKU. Works for anything, including authentication.
Exploit: same flow as ESC1, optionally -on-behalf-of.
Remediation: remove 2.5.29.37.0 from pKIExtendedKeyUsage,
fix specific EKUs.
ESC3 — Enrollment Agent
Condition: Template withCertificate Request Agent EKU (OID
1.3.6.1.4.1.311.20.2.1). The holder can request certs
on-behalf-of other users.
Exploit:
ESC4 — Weak ACL on the template
Condition:WriteDACL/GenericAll/WriteOwner on the AD
template object. We turn the template into ESC1 and run it.
Exploit:
ESC5 — Weak ACL on other PKI objects
Condition: Weak ACLs onNTAuthCertificates,
Enrollment Services, the CA computer object, the
CN=Public Key Services container.
Exploit (forge from CA private key):
ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2
Condition: the CA has this flag set, making any template
accept arbitrary SAN in the CSR.
Remediation:
ESC7 — ManageCA / ManageCertificates abuse
Condition: low-priv user with ManageCA. Can enable SubCA
template, deny their own requests, and re-approve them.
Exploit:
ESC8 — NTLM Relay to Web Enrollment (HTTP)
Condition:http://CA/certsrv/ endpoint active without
EPA/HTTPS. Combinable with coercion (PetitPotam, PrinterBug,
DFSCoerce). The classic chain from low-priv user to Domain
Admin in 5 minutes.
/certsrv/.
ESC9 — CT_FLAG_NO_SECURITY_EXTENSION
Condition: Template flags 0x80000 in
msPKI-Enrollment-Flag. Cert doesn’t embed SID extension
(szOID_NTDS_CA_SECURITY_EXT), forcing weak UPN mapping.
Exploit (chain with account abuse):
0x80000.
ESC10 — Weak Certificate Mapping (registry)
Condition:HKLM\System\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
= 0 or 1 (not Full Enforcement). Since February 2025
Microsoft enforces value 2 by default, but legacy environments
remain vulnerable.
ESC11 — NTLM Relay to RPC endpoint
Condition:IF_ENFORCEENCRYPTICERTREQUEST not set in
CA\InterfaceFlags. ICertPassage (RPC) accepts unencrypted NTLM.
Exploit:
ESC12 — CA with YubiHSM and shell access
Condition: CA uses YubiHSM with plain-text creds in registry. Shell on CA = HSM PIN/auth-key theft. Remediation: FIPS 140-3 Level 3 HSM with creds in device memory.ESC13 — Issuance Policy linked to privileged group
Condition:msDS-OIDToGroupLink attribute maps an issuance
policy OID to a privileged AD group. Cert with that policy gets
TGT with implicit group membership.
Exploit:
ESC14 — Weak Explicit Mapping
Condition:altSecurityIdentities attribute uses weak
mappings X509RFC822 or X509IssuerSubject (deprecated post
KB5014754).
Exploit:
X509IssuerSerialNumber, X509SKI
or X509SHA1PublicKey.
ESC15 — EKUwu / CVE-2024-49019
Condition: schema V1 template + enrollee-supplies-subject flag. CSR can injectApplication Policies (Microsoft private
extension) that override the template’s EKU. Found by
Justin Bollinger (TrustedSec), September 2024 — patched
November 2024.
Exploit:
ESC16 — SID extension globally disabled
Condition: OID1.3.6.1.4.1.311.25.2 listed in CA
policy\DisableExtensionList. No cert issued includes SID
extension → ESC9 globally.
Exploit (chain shadow credentials + UPN swap):
Toolkit 2026: when to use what
Rule 2026: always start with
certipy-ad find, exploit with
certipy-ad req, fall back to PassTheCert if PKINIT yields
KDC_ERR_CLIENT_NOT_TRUSTED.
Modern defensive detection (2025-2026)
Microsoft Defender for Identity released a dedicated AD CS sensor in 2024. Active alerts in 2026:- Suspicious certificate request relayed from a Domain Controller (covers ESC8/ESC11)
- Suspicious deletion of certificate requests
- Suspicious certificate usage over Kerberos (PKINIT)
- Certificate Authority ACL modification with high-privilege addition (ESC4/ESC5/ESC7)
Monthly defensive audit:
- Locksmith 2 — automated scan of templates and CA config.
- PSPKIAudit —
Invoke-PKIAuditandGet-CertRequestfor retroactive hunting.
Real-world cases
-
CVE-2022-26923 “Certifried” (May 2022, Oliver Lyak): any
domain user could spoof a DC’s
dNSHostNameand obtain a DC machine cert. CVSS 8.8, in CISA KEV. Microsoft added the SID extension as response — origin of ESC9/ESC16. - CVE-2024-49019 “EKUwu” (October 2024, TrustedSec): App Policies injection over default V1 templates → DA escalation. Patch November 2024.
- UNC2165 / RansomHub (Mandiant M-Trends 2025): exploited AD CS to create MFA-exempt admins before destroying backups and deploying ransomware.
- Black Basta playbook (chats leaked February 2025): AD CS appears as standard vector after SMB initial access.
Mandatory hardening
-
Templates: disable
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECTexcept on audited workflow; require Manager Approval; removeAny PurposeEKU; migrate all V1 to V2/V3 schema (kills ESC15). -
CA flags:
- Web enrollment: HTTPS-only + EPA + Kerberos auth; disable HTTP on /certsrv/ (KB5005413).
-
Monthly ACL audit:
Invoke-PKIAuditandLocksmith2 -Mode 1; revokeWrite*/GenericAllfrom Domain Users on any object underCN=Public Key Services,CN=Services,CN=Configuration. -
Strong Mapping enforcement:
StrongCertificateBindingEnforcement = 2on all DCs. - MDI sensor on the CA: install Defender for Identity AD CS sensor on every enterprise CA.
-
Unpublish obsolete templates:
certutil -setcatemplates -<TemplateName>.
Resources
- Certified Pre-Owned (original SpecterOps paper)
- Certipy GitHub + Wiki
- The Hacker Recipes — AD CS
- HackTricks — AD CS Domain Escalation
- Microsoft Defender for Identity AD CS sensor
- KB5005413 — Mitigating NTLM Relay on AD CS
- Locksmith 2
- PSPKIAudit
Related resources
- Tactical glossary — Kerberos, NTLM, Pass-the-Hash.
- Professional methodology — AD decision tree.
- OSCP Roadmap — ESC1 appears recurrently in AD-set machines.