This comprehensive guide covers all 16 known ESC (Escalation) techniques for privilege escalation using Active Directory Certificate Services misconfigurations.
Strong Certificate Mapping
In May 2022 (KB5014754), Microsoft introduced Strong Certificate Mapping: the CA now embeds a security extension (szOID_NTDS_CA_SECURITY_EXT, OID 1.3.6.1.4.1.311.25.2) carrying the requesting account's security identifier (SID) in every certificate it issues, and the KDC checks that SID against the account the certificate maps to instead of trusting the UPN or DNS name in the SAN alone. This was done to combat Certifried (CVE-2022-26923). The change shipped in Compatibility mode, which still accepted weakly mapped certificates while logging warnings, and the default switched to Full Enforcement in February 2025. The mode is set by the StrongCertificateBindingEnforcement registry value on each domain controller (0 = disabled, 1 = compatibility, 2 = full enforcement, where a certificate without the SID extension is rejected unless an explicit strong mapping exists in altSecurityIdentities). Unless explicitly downgraded, every environment should be considered to be in full enforcement mode, so techniques that depend on a certificate without the SID extension being accepted (ESC9, ESC10, ESC16) should be checked against the actual KDC setting.
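To make the mechanism concrete, the following added example (written for this page, not code from Microsoft or any tool) builds and parses the SID extension value exactly as it appears in an issued certificate, then models the KDC's decision for each StrongCertificateBindingEnforcement value. It needs only the standard library; the SIDs are constructed, and the predate check and event numbers follow KB5014754.

```python
# Added example (not from the original page): encode/decode the
# szOID_NTDS_CA_SECURITY_EXT extension (OID 1.3.6.1.4.1.311.25.2) that a
# patched CA embeds in issued certificates, and model the KDC mapping
# decision for each StrongCertificateBindingEnforcement value.
# Pure Python, no third-party dependencies. SIDs below are constructed.

SZOID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"   # extension OID in the certificate
SZOID_NTDS_OBJECTSID = "1.3.6.1.4.1.311.25.2.1"       # OtherName type-id carrying the SID

# Registry: HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
DISABLED, COMPATIBILITY, FULL_ENFORCEMENT = 0, 1, 2


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der_tlv(0x06, bytes(out))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_sid_extension(sid: str) -> bytes:
    """Extension value as the CA writes it:
    SEQUENCE { otherName [0] { type-id OID, value [0] { OCTET STRING sid } } }"""
    inner = _der_tlv(0xA0, _der_tlv(0x04, sid.encode("ascii")))
    other_name = _der_tlv(0xA0, _der_oid(SZOID_NTDS_OBJECTSID) + inner)
    return _der_tlv(0x30, other_name)


def decode_sid_extension(der: bytes) -> str:
    """Parse the extension value back to the SID; raise ValueError if malformed."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, other_name, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("expected otherName [0]")
    tag, oid_body, pos = _read_tlv(other_name, 0)
    if tag != 0x06 or _der_tlv(0x06, oid_body) != _der_oid(SZOID_NTDS_OBJECTSID):
        raise ValueError("unexpected OtherName type-id")
    tag, value, _ = _read_tlv(other_name, pos)
    if tag != 0xA0:
        raise ValueError("expected value [0]")
    tag, sid, _ = _read_tlv(value, 0)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    return sid.decode("ascii")


def kdc_mapping_decision(cert_sid, account_sid, mode, cert_not_before=None, account_created=None):
    """Model the KDC's decision for a certificate that maps implicitly (UPN/DNS SAN)
    to the account with account_sid. cert_sid is the decoded extension, or None if absent.
    Returns (accepted, reason); event IDs are the KDC events documented in KB5014754."""
    if mode == DISABLED:
        return True, "strong mapping check disabled: weak mapping accepted silently"
    if cert_sid is not None:
        if cert_sid != account_sid:
            return False, "SID extension does not match the mapped account (Event 41)"
        return True, "SID extension matches the mapped account"
    if mode == FULL_ENFORCEMENT:
        return False, "no SID extension and no explicit strong mapping: rejected"
    if cert_not_before and account_created and cert_not_before < account_created:
        return False, "certificate predates the account (Event 40)"
    return True, "weak mapping accepted in compatibility mode (Event 39 logged)"


if __name__ == "__main__":
    ext = encode_sid_extension("S-1-5-21-1111-2222-3333-1105")   # constructed SID
    print(ext.hex())
    print(decode_sid_extension(ext))
    for mode in (DISABLED, COMPATIBILITY, FULL_ENFORCEMENT):
        print(mode, kdc_mapping_decision(None, "S-1-5-21-1111-2222-3333-500", mode))
```

The decoder is strict on purpose: a certificate that carries the right OID but a malformed or empty value is not a strong mapping, and a detection pipeline should treat it the same as a missing extension rather than silently accepting it.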
ESC Techniques Overview
The following privilege escalation techniques exploit various misconfigurations in Active Directory Certificate Services to elevate privileges from low-privileged accounts to high-privileged accounts, including Domain Admins:
Template Misconfigurations (ESC1-3)
ESC1 - Misconfigured Client Authentication Templates
Enroll in a template that lets the enrollee supply the subject (ENROLLEE_SUPPLIES_SUBJECT), permits client authentication, and is enrollable by low-privileged principals without manager approval; the attacker sets the Subject Alternative Name to a privileged account and authenticates as it.
ESC2 - Misconfigured Any Purpose Templates
Exploit templates that grant the Any Purpose EKU (or no EKU at all), which makes the issued certificate usable for client authentication, or as an enrollment agent certificate in the ESC3 flow, even though the template was never meant for logon.
ESC3 - Misconfigured Certificate Request Agent Templates
Abuse a template that grants the Certificate Request Agent EKU, then use the resulting agent certificate to enroll on behalf of another user in a template that accepts agent-signed requests without manager approval.
Access Control Vulnerabilities (ESC4-5, ESC7)
ESC4 - Vulnerable Certificate Template Access Control
Exploit write rights (WriteDacl, WriteOwner, WriteProperty) on a template object to rewrite it into an ESC1-style template, enroll, and optionally restore the original settings.
ESC5 - Vulnerable PKI Object Access Control
Abuse weak access controls on PKI objects other than templates: the CA server's computer object, the CA's objects in the Configuration naming context (Enrollment Services, NTAuthCertificates, the Certificate Templates container), and the PKI containers themselves.
ESC7 - Vulnerable Certificate Authority Access Control
Abuse ManageCA (CA administrator) or ManageCertificates (certificate manager) rights on the CA, for example to enable EDITF_ATTRIBUTESUBJECTALTNAME2 or to approve a pending request for the built-in SubCA template.
CA Configuration Issues (ESC6, ESC8, ESC11)
ESC6 - Request Attribute SAN (EDITF_ATTRIBUTESUBJECTALTNAME2)
Abuse the EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag, which makes the CA honor a san: request attribute on any template, to specify arbitrary Subject Alternative Names even on templates that do not let the enrollee supply the subject.
ESC8 - NTLM Relay to AD CS HTTP Endpoints
Relay NTLM authentication (typically coerced from a domain controller or other machine account) to the CA's Web Enrollment (certsrv) or Certificate Enrollment Web Service endpoints over HTTP to enroll a certificate as the relayed account.
ESC11 - NTLM Relay to AD CS RPC Interfaces
Relay NTLM authentication to the CA's MS-ICPR RPC interface when the IF_ENFORCEENCRYPTICERTREQUEST flag is not set, so unencrypted (unsigned) RPC enrollment requests are accepted.
Certificate Mapping Issues (ESC9-10, ESC13-16)
ESC9 - Security Extension Disabled on Certificate Template
Exploit templates with the CT_FLAG_NO_SECURITY_EXTENSION enrollment flag set, so issued certificates lack the SID extension and are mapped weakly by UPN on a KDC that is not in full enforcement; combined with write access to a victim's userPrincipalName, this yields a certificate that authenticates as another account.
ESC10 - Schannel Weak Certificate Mapping
Abuse weak certificate mapping on domain controllers (StrongCertificateBindingEnforcement set to 0 for Kerberos, or Schannel's CertificateMappingMethods allowing UPN mapping) to authenticate as another account with a certificate that carries its UPN.
ESC13 - Authentication Mechanism Assurance (AMA)
Enroll in a template whose issuance policy (certificate policy OID) is linked to a group through Authentication Mechanism Assurance, so the resulting certificate grants that group's membership at logon.
ESC14 - Explicit Certificate Mapping
Abuse write access to a target account's altSecurityIdentities attribute, or weak explicit mappings already present (X509RFC822 or X509IssuerSubject values an attacker can satisfy), so an attacker-held certificate is explicitly mapped to the target account.
ESC15 - EKUwu (Application Policy Injection)
On schema version 1 templates that let the enrollee supply the subject, inject Application Policies (treated like EKUs by Windows) through the CSR, such as Client Authentication or Certificate Request Agent, that the template itself does not grant (CVE-2024-49019).
ESC16 - Security Extension Disabled on Certificate Authority
Abuse a CA whose policy module DisableExtensionList contains the szOID_NTDS_CA_SECURITY_EXT OID (1.3.6.1.4.1.311.25.2), so no certificate it issues carries the SID extension regardless of template settings.
Hardware-Based Attacks (ESC12)
ESC12 - Shell Access to a CA with a YubiHSM-Backed Key
With shell access to a CA server whose private key is stored in a YubiHSM, use the HSM authentication password stored in cleartext in the registry (HKLM\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword) to load the CA key and sign certificates directly.
General Prerequisites
Most ESC techniques require:
- Access to an Active Directory environment with AD CS deployed
- Low-privileged domain user account
- Network access to Certificate Authority servers
- Understanding of PKI concepts and certificate enrollment
Common Attack Patterns
Certificate Template Enumeration
Most attacks begin with enumerating certificate templates, typically with Certify (Certify.exe find /vulnerable) or Certipy (certipy find -vulnerable), to identify templates that low-privileged principals can enroll in and that are misconfigured in one of the ways listed above.
Certificate Request
Attackers request certificates from the vulnerable templates, typically supplying a Subject Alternative Name (or, for ESC3, an on-behalf-of request) that names a privileged account.
Authentication
The issued certificate is used for authentication, typically with Kerberos PKINIT (obtaining a TGT and, through it, the account's NT hash) or with Schannel over LDAPS, to obtain elevated access.
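The enumeration step above reduces to a handful of attribute checks on each template object. The following added example (written for this page, not Certify's or Certipy's code) applies those checks to template records as they are read from the Certificate Templates container and reports which of the ESC1, ESC2, ESC3 and ESC9 patterns each one matches; the template records are constructed for the example, and the flag values are the documented msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag bits.

```python
# Added example (not from the original page): evaluate certificate-template
# attributes, as read from CN=Certificate Templates,CN=Public Key Services,
# CN=Services,CN=Configuration,..., for the misconfiguration patterns the
# enumeration step looks for. The template records below are constructed.

# msPKI-Certificate-Name-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002      # "CA certificate manager approval"
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000  # no szOID_NTDS_CA_SECURITY_EXT in issued certs

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}

# Principals whose Enroll right makes a template reachable from any domain account.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_authentication(ekus):
    # No EKU at all means the certificate is valid for any purpose, logon included.
    return not ekus or bool(AUTH_EKUS & set(ekus))


def analyze_template(t):
    """Return the ESC patterns a single template matches (empty list if none)."""
    findings = []
    if not t["enabled"]:                       # not published on any CA: nothing to enroll
        return findings
    if not LOW_PRIV_PRINCIPALS & set(t["enroll"]):
        return findings                        # only privileged principals can enroll
    needs_approval = bool(t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS) or t["ra_signatures"] > 0
    if needs_approval:
        return findings                        # manager approval / RA signature blocks the direct paths
    ekus = set(t["ekus"])
    supplies_subject = bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    if supplies_subject and allows_authentication(ekus):
        findings.append("ESC1")                # attacker picks the SAN on a logon-capable certificate
    if not ekus or EKU_ANY_PURPOSE in ekus:
        findings.append("ESC2")                # Any Purpose / no EKU
    if EKU_CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3")                # enrollment agent certificate: enroll on behalf of others
    if allows_authentication(ekus) and t["enrollment_flag"] & CT_FLAG_NO_SECURITY_EXTENSION:
        findings.append("ESC9")                # no SID extension; exploitable only if the KDC is not in full enforcement
    return findings


def scan(templates):
    return {t["name"]: analyze_template(t) for t in templates}


# Constructed sample: a User-like template plus three deliberately misconfigured ones.
TEMPLATES = [
    {"name": "User", "enabled": True, "enroll": ["Domain Users"], "ra_signatures": 0,
     "name_flag": 0xA6000000, "enrollment_flag": 0x29,
     "ekus": [EKU_CLIENT_AUTH, "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"]},
    {"name": "WebServerCustom", "enabled": True, "enroll": ["Domain Users"], "ra_signatures": 0,
     "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": 0x0,
     "ekus": [EKU_SERVER_AUTH, EKU_CLIENT_AUTH]},
    {"name": "AnyPurposeTpl", "enabled": True, "enroll": ["Authenticated Users"], "ra_signatures": 0,
     "name_flag": 0x0, "enrollment_flag": 0x0, "ekus": [EKU_ANY_PURPOSE]},
    {"name": "ApprovedAgent", "enabled": True, "enroll": ["Domain Users"], "ra_signatures": 0,
     "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS,
     "ekus": [EKU_CERT_REQUEST_AGENT]},
]

if __name__ == "__main__":
    for name, findings in scan(TEMPLATES).items():
        print(f"{name:16} {', '.join(findings) or 'no direct finding'}")
```

Note what the checker deliberately does not do: it returns no finding for ApprovedAgent even though it supplies its own subject and carries the agent EKU, because manager approval removes the direct path; that template could still be reached through ESC7 (a certificate manager approving the pending request) or ESC4 (write rights on the template), which are access-control questions rather than attribute checks.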
Detection and Mitigation
Monitoring Recommendations
- Monitor certificate enrollment events (Event ID 4886 request received, 4887 certificate issued, 4888 request denied) and alert when the requester and the issued certificate's subject or SAN name different accounts
- Track certificate template modifications (Event ID 4899 template updated, 4900 template security updated)
- Alert on certificates with unusual Subject Alternative Names, and on a san: entry appearing in request attributes
- Monitor authentication events using certificates (Kerberos TGT requests, Event ID 4768, carrying certificate information; KDC events 39, 40 and 41 for weak, predating and mismatched mappings)
- Regular auditing of certificate template configurations
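The enrollment-monitoring rules above can be run as a small correlation over the CA audit log. The following added example (written for this page, not a SIEM rule or tool output) does that over constructed records: requester, template and request attributes follow the fields of Event ID 4887, while the SAN UPN is assumed to be joined in from the issued certificate (for instance via the CA database), since 4887 itself does not carry the certificate's SAN. The template watchlist is constructed too.

```python
# Added example (not from the original page): apply the monitoring rules above to
# Certificate Services audit events. Records are constructed; field names follow
# Event ID 4887 (Requester, Attributes), plus a san_upn field assumed to be joined
# in from the issued certificate.
import re

SENSITIVE_TEMPLATES = {"SubCA", "EnrollmentAgent", "DomainController"}   # constructed watchlist


def account_from_requester(requester: str) -> str:
    """'CORP\\jdoe' -> 'jdoe'; 'jdoe@corp.local' -> 'jdoe'."""
    return requester.split("\\")[-1].split("@")[0].lower()


def parse_attributes(attrs: str) -> dict:
    """Request attributes are newline-separated 'Name:Value' pairs; keys are case-insensitive."""
    out = {}
    for line in re.split(r"[\r\n]+", attrs):
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def evaluate(event: dict) -> list:
    """Return the alert strings raised by one issued-certificate event."""
    alerts = []
    attrs = parse_attributes(event["attributes"])
    template = attrs.get("certificatetemplate", "")
    requester = account_from_requester(event["requester"])
    # Rule 1: a SAN passed as a request attribute is only honored when
    # EDITF_ATTRIBUTESUBJECTALTNAME2 is set (ESC6) and has no legitimate use from ordinary accounts.
    if "san" in attrs:
        alerts.append(f"san request attribute '{attrs['san']}' from {event['requester']} (ESC6 pattern)")
    # Rule 2: the certificate identifies someone other than the requester (ESC1/ESC6 outcome).
    san_upn = event.get("san_upn")
    if san_upn and account_from_requester(san_upn) != requester:
        alerts.append(f"SAN UPN {san_upn} does not match requester {event['requester']}")
    # Rule 3: issuance from a watchlisted template.
    if template in SENSITIVE_TEMPLATES:
        alerts.append(f"issuance from sensitive template {template} to {event['requester']}")
    return alerts


def run(events):
    return {e["request_id"]: evaluate(e) for e in events}


EVENTS = [  # constructed sample records
    {"event_id": 4887, "request_id": 101, "requester": "CORP\\jdoe",
     "attributes": "CertificateTemplate:User", "san_upn": "jdoe@corp.local"},
    {"event_id": 4887, "request_id": 102, "requester": "CORP\\jdoe",
     "attributes": "CertificateTemplate:WebServerCustom", "san_upn": "administrator@corp.local"},
    {"event_id": 4887, "request_id": 103, "requester": "CORP\\WS01$",
     "attributes": "CertificateTemplate:Machine\r\nsan:upn=administrator@corp.local",
     "san_upn": "administrator@corp.local"},
]

if __name__ == "__main__":
    for request_id, alerts in run(EVENTS).items():
        print(request_id, alerts or "ok")
```

Rule 2 is the one worth tuning in production: legitimate enrollment-agent flows (ESC3's benign counterpart) issue certificates whose SAN names a different user than the requester, so exclude the approved agent accounts rather than the rule.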
Hardening Guidelines
- Remove the ENROLLEE_SUPPLIES_SUBJECT flag from templates that permit client authentication, or require manager approval on them
- Implement proper template access controls (Enroll only for the groups that need it; no write rights for low-privileged principals)
- Enable manager approval for sensitive templates
- Verify Strong Certificate Mapping is in full enforcement (StrongCertificateBindingEnforcement = 2 on every domain controller) and has not been downgraded
- Disable NTLM on web enrollment endpoints, or require HTTPS with Extended Protection for Authentication, and set IF_ENFORCEENCRYPTICERTREQUEST on the CA
- Regularly review CA flags and configuration (EDITF_ATTRIBUTESUBJECTALTNAME2 off, DisableExtensionList not listing 1.3.6.1.4.1.311.25.2, CA permissions limited to PKI administrators)
Next Steps
Select a specific ESC technique from the categories above to learn detailed implementation steps, enumeration methods, and exploitation techniques. Each technique includes specific prerequisites, detection methods, and mitigation strategies.