Skip to main content

AD CS: ESC1-ESC16 catalog

In June 2021, Will Schroeder (@harmj0y) and Lee Chagolla-Christensen released from SpecterOps the “Certified Pre-Owned” paper, cataloging the first 8 escalations (ESC1-ESC8) on a PKI infrastructure Microsoft had documented poorly since 2008. The catalog grew to ESC16 between 2022 and 2025.
Why it remains critical in 2026: AD CS is enabled by default in many enterprise environments, its templates ship with dangerous flags (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) without visual GUI warnings, and Mandiant’s M-Trends 2025 documented multiple breaches where UNC2165 (RansomHub) abused AD CS to create MFA-exempt admin accounts.

Global detection (always first)

That single command enumerates CAs, templates, and flags which are vulnerable to each ESC. It’s the nmap -sV of AD CS.

ESC1 — Enrollee Supplies Subject

Condition: Template with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
  • Client Authentication EKU + Enroll right for low-priv users. The requester decides the Subject Alternative Name.
Exploit:
Impact: Direct Domain Admin. Detection: Event ID 4886/4887 with SAN ≠ requester. Remediation: clear the msPKI-Certificate-Name-Flag bit, require manager approval.

ESC2 — Any Purpose EKU

Condition: Template with Any Purpose EKU (OID 2.5.29.37.0) or no EKU. Works for anything, including authentication. Exploit: same flow as ESC1, optionally -on-behalf-of. Remediation: remove 2.5.29.37.0 from pKIExtendedKeyUsage, fix specific EKUs.

ESC3 — Enrollment Agent

Condition: Template with Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1). The holder can request certs on-behalf-of other users. Exploit:
Remediation: restrict Enrollment Agent to Tier 0, require signed approval.

ESC4 — Weak ACL on the template

Condition: WriteDACL/GenericAll/WriteOwner on the AD template object. We turn the template into ESC1 and run it. Exploit:
Detection: Event ID 4900 (template security updated).

ESC5 — Weak ACL on other PKI objects

Condition: Weak ACLs on NTAuthCertificates, Enrollment Services, the CA computer object, the CN=Public Key Services container. Exploit (forge from CA private key):
Remediation: periodic scan with Locksmith 2.

ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2

Condition: the CA has this flag set, making any template accept arbitrary SAN in the CSR. Remediation:

ESC7 — ManageCA / ManageCertificates abuse

Condition: low-priv user with ManageCA. Can enable SubCA template, deny their own requests, and re-approve them. Exploit:
Detection: Event ID 4888 → 4887 “deny then issue” pattern.

ESC8 — NTLM Relay to Web Enrollment (HTTP)

Condition: http://CA/certsrv/ endpoint active without EPA/HTTPS. Combinable with coercion (PetitPotam, PrinterBug, DFSCoerce). The classic chain from low-priv user to Domain Admin in 5 minutes.
Mitigation: KB5005413 — force EPA + HTTPS in IIS, disable HTTP on /certsrv/.

ESC9 — CT_FLAG_NO_SECURITY_EXTENSION

Condition: Template flags 0x80000 in msPKI-Enrollment-Flag. Cert doesn’t embed SID extension (szOID_NTDS_CA_SECURITY_EXT), forcing weak UPN mapping. Exploit (chain with account abuse):
Remediation: clear flag 0x80000.

ESC10 — Weak Certificate Mapping (registry)

Condition: HKLM\System\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement = 0 or 1 (not Full Enforcement). Since February 2025 Microsoft enforces value 2 by default, but legacy environments remain vulnerable.

ESC11 — NTLM Relay to RPC endpoint

Condition: IF_ENFORCEENCRYPTICERTREQUEST not set in CA\InterfaceFlags. ICertPassage (RPC) accepts unencrypted NTLM. Exploit:

ESC12 — CA with YubiHSM and shell access

Condition: CA uses YubiHSM with plain-text creds in registry. Shell on CA = HSM PIN/auth-key theft. Remediation: FIPS 140-3 Level 3 HSM with creds in device memory.

ESC13 — Issuance Policy linked to privileged group

Condition: msDS-OIDToGroupLink attribute maps an issuance policy OID to a privileged AD group. Cert with that policy gets TGT with implicit group membership. Exploit:

ESC14 — Weak Explicit Mapping

Condition: altSecurityIdentities attribute uses weak mappings X509RFC822 or X509IssuerSubject (deprecated post KB5014754). Exploit:
Remediation: migrate to X509IssuerSerialNumber, X509SKI or X509SHA1PublicKey.

ESC15 — EKUwu / CVE-2024-49019

Condition: schema V1 template + enrollee-supplies-subject flag. CSR can inject Application Policies (Microsoft private extension) that override the template’s EKU. Found by Justin Bollinger (TrustedSec), September 2024 — patched November 2024. Exploit:
CVSS 7.8. Remediation: Nov-2024 patch, migrate all V1 to V2/V3 schema, unpublish V1. Source: TrustedSec EKUwu, CVE-2024-49019.

ESC16 — SID extension globally disabled

Condition: OID 1.3.6.1.4.1.311.25.2 listed in CA policy\DisableExtensionList. No cert issued includes SID extension → ESC9 globally. Exploit (chain shadow credentials + UPN swap):

Toolkit 2026: when to use what

Rule 2026: always start with certipy-ad find, exploit with certipy-ad req, fall back to PassTheCert if PKINIT yields KDC_ERR_CLIENT_NOT_TRUSTED.

Modern defensive detection (2025-2026)

Microsoft Defender for Identity released a dedicated AD CS sensor in 2024. Active alerts in 2026:
  • Suspicious certificate request relayed from a Domain Controller (covers ESC8/ESC11)
  • Suspicious deletion of certificate requests
  • Suspicious certificate usage over Kerberos (PKINIT)
  • Certificate Authority ACL modification with high-privilege addition (ESC4/ESC5/ESC7)
Key Windows Event IDs (audit on CA + DCs): Monthly defensive audit:
  • Locksmith 2 — automated scan of templates and CA config.
  • PSPKIAuditInvoke-PKIAudit and Get-CertRequest for retroactive hunting.

Real-world cases

  • CVE-2022-26923 “Certifried” (May 2022, Oliver Lyak): any domain user could spoof a DC’s dNSHostName and obtain a DC machine cert. CVSS 8.8, in CISA KEV. Microsoft added the SID extension as response — origin of ESC9/ESC16.
  • CVE-2024-49019 “EKUwu” (October 2024, TrustedSec): App Policies injection over default V1 templates → DA escalation. Patch November 2024.
  • UNC2165 / RansomHub (Mandiant M-Trends 2025): exploited AD CS to create MFA-exempt admins before destroying backups and deploying ransomware.
  • Black Basta playbook (chats leaked February 2025): AD CS appears as standard vector after SMB initial access.

Mandatory hardening

  1. Templates: disable CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT except on audited workflow; require Manager Approval; remove Any Purpose EKU; migrate all V1 to V2/V3 schema (kills ESC15).
  2. CA flags:
  3. Web enrollment: HTTPS-only + EPA + Kerberos auth; disable HTTP on /certsrv/ (KB5005413).
  4. Monthly ACL audit: Invoke-PKIAudit and Locksmith2 -Mode 1; revoke Write*/GenericAll from Domain Users on any object under CN=Public Key Services,CN=Services,CN=Configuration.
  5. Strong Mapping enforcement: StrongCertificateBindingEnforcement = 2 on all DCs.
  6. MDI sensor on the CA: install Defender for Identity AD CS sensor on every enterprise CA.
  7. Unpublish obsolete templates: certutil -setcatemplates -<TemplateName>.

Resources