Detecting AD CS Abuse (ESC1–ESC8)

How to detect AD CS abuse — the ESC1 and ESC8 escalation paths, the CVE-2022-26923 case, certificate-request audit events, and the template hardening that stops it.

AD CS abuse turns a misconfigured certificate template into a path from any domain user to Domain Admin — and it is now a standard step in ransomware playbooks, not just a pentest finding. The SpecterOps “Certified Pre-Owned” research catalogued the escalation paths as ESC1 through ESC8 (since extended to ESC16). Detecting them means auditing certificate-request events that most SOCs never collect, and the fix is template hardening. This guide ships both.

AD CS abuse maps to MITRE ATT&CK T1649 — Steal or Forge Authentication Certificates, yielding T1078 — Valid Accounts. It is the certificate-services sibling of NTLM relay (which feeds ESC8) and Kerberoasting in the Active Directory attack surface.

What is AD CS abuse?

Active Directory Certificate Services issues the certificates a domain uses for authentication. When a certificate template is misconfigured, a low-privileged user can request a certificate that authenticates them as someone far more powerful — up to a domain controller. Because a certificate is a valid authentication credential, the attacker then requests a Kerberos ticket as that identity and owns the domain. No password cracking, no malware — just a certificate request the CA should have refused.

The “Certified Pre-Owned” whitepaper named eight escalation paths; the two you most need to detect are ESC1 (enrollee-supplied subject name) and ESC8 (NTLM relay to web enrollment), both called out by name in the 2024 Five Eyes joint advisory.

What are the main AD CS escalation paths?

Path                         | The misconfiguration                                    | What the attacker does
-----------------------------|---------------------------------------------------------|------------------------------------------------------
ESC1                         | Enrollee-supplies-subject + auth EKU + low-priv enroll  | Requests a cert with a DA’s SAN, authenticates as DA
ESC8                         | Web enrollment allows NTLM, no HTTPS/EPA                | Relays coerced auth to get a DC certificate → DCSync
ESC11                        | RPC enrollment without packet privacy                   | Relays to the RPC interface instead of HTTP
Certifried (CVE-2022-26923)  | Machine cert maps via dNSHostName                       | Any user impersonates a domain controller

The unifying weakness is the template and enrollment configuration: who can request what, and whether the requester controls the identity the certificate asserts. That is exactly what the detection and the hardening target.

How to detect AD CS abuse

The signal lives in AD CS audit events — and most environments do not collect them. Turn on Event IDs 4886 (certificate requested) and 4887 (certificate issued); the enhanced versions now include the SAN, template, and requester, which is everything the detection needs.

Sigma rule: Certificate Request With an Enrollee-Supplied SAN (ESC1)
title: AD CS Certificate Request With Mismatched Subject Alternative Name
id: 9b2f4c81-darkpwn-illustrative
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4886
  san_present:
    Attributes|contains: 'SAN:'
  filter_self:
    SubjectUserName|expand: '%SAN_UPN%'   # SAN matches the requester
  condition: selection and san_present and not filter_self
falsepositives:
  - Legitimate enrollment agents requesting on behalf of users (allowlist them)
level: high
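The SAN-mismatch check from the Sigma rule above, as an added example that is not from the original article: it runs the same logic in Python over constructed Event 4886 records. The field names Requester, Template and SubjectAlternativeName are an assumed, simplified layout of the enhanced event, and the domain, the enrollment-agent allowlist and the sample events are constructed. It goes one step beyond the rule by also flagging a machine account that asserts another host's DNS name, the Certifried shape covered later on this page.

```python
import re

DOMAIN_FQDN = "corp.local"                      # assumed realm used to turn DOMAIN\user into a UPN
ENROLLMENT_AGENTS = {"CORP\\svc-enrollagent"}   # allowlisted on-behalf-of requesters (constructed)

# Constructed sample events, not real log data; fields are a simplified enhanced-4886 layout
EVENTS = [
    {"EventID": 4886, "Requester": "CORP\\alice", "Template": "User",
     "SubjectAlternativeName": "upn=alice@corp.local"},                  # SAN matches requester
    {"EventID": 4886, "Requester": "CORP\\alice", "Template": "VulnTemplate",
     "SubjectAlternativeName": "upn=administrator@corp.local"},          # ESC1: names someone else
    {"EventID": 4886, "Requester": "CORP\\svc-enrollagent", "Template": "EnrollAgent",
     "SubjectAlternativeName": "upn=bob@corp.local"},                    # allowlisted agent
    {"EventID": 4886, "Requester": "CORP\\WS01$", "Template": "Machine",
     "SubjectAlternativeName": "dns=dc01.corp.local"},                   # workstation claims a DC name
    {"EventID": 4887, "Requester": "CORP\\alice", "Template": "User",
     "SubjectAlternativeName": ""},                                      # issuance event, not a request
]

def requester_identities(requester):
    """Identities a requester may legitimately assert: its own UPN, or its own host DNS name."""
    domain, name = requester.split("\\", 1)
    if name.endswith("$"):                      # machine account -> expected dNSHostName
        return {f"dns={name[:-1].lower()}.{DOMAIN_FQDN}"}
    return {f"upn={name.lower()}@{DOMAIN_FQDN}"}

def san_entries(san):
    """Split a SAN attribute string such as 'upn=a@x, dns=b.x' into normalised entries."""
    return {e.strip().lower() for e in re.split(r"[,\n]", san) if e.strip()}

def is_esc1_suspect(event):
    """True when a 4886 request carries a SAN naming an identity other than the requester."""
    if event["EventID"] != 4886 or event["Requester"] in ENROLLMENT_AGENTS:
        return False
    sans = san_entries(event["SubjectAlternativeName"])
    return bool(sans - requester_identities(event["Requester"]))

def esc1_alerts(events=EVENTS):
    """Return (requester, SAN) pairs that should raise an alert."""
    return [(e["Requester"], e["SubjectAlternativeName"]) for e in events if is_esc1_suspect(e)]

if __name__ == "__main__":
    for who, san in esc1_alerts():
        print(f"ESC1 suspect: {who} requested a certificate with SAN {san}")
```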

How to audit your own AD CS for these paths

Before you detect abuse, find the vulnerable templates in an authorized review:

  1. Enumerate templates: certutil -v -template, or run Certipy (certipy find), Locksmith, or PSPKIAudit to flag ESC1–ESC16 automatically.
  2. Flag enrollee-supplies-subject templates that also have an authentication EKU and allow low-privileged enrollment.
  3. Check web enrollment for NTLM-without-EPA (ESC8) and RPC without packet privacy (ESC11).
  4. Confirm patch state for CVE-2022-26923 — both KDC and CA must be patched, and issued certs should carry the SID extension.
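The ESC1 template test behind step 2, as an added example in Python that is not the article's code nor that of Certipy, Locksmith or PSPKIAudit: it evaluates constructed template records using the real msPKI attribute names, flag bits and EKU OIDs, with the template ACL simplified to an assumed `enrollment_sids` list of principals holding the enrollment right.

```python
# Added example: ESC1 requires every condition below at once, so a template that
# fails any one of them (e.g. manager approval on) is not ESC1-vulnerable.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",         # Client Authentication
             "1.3.6.1.5.2.3.4",           # PKINIT Client Authentication
             "1.3.6.1.4.1.311.20.2.2",    # Smart Card Logon
             "2.5.29.37.0"}               # Any Purpose
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}            # Domain Users, Domain Computers (domain-relative RIDs)

def allows_auth(ekus):
    """A template with no EKU at all is also usable for authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)

def low_priv_enrollable(sids):
    return any(s in LOW_PRIV_SIDS or s.rsplit("-", 1)[-1] in LOW_PRIV_RIDS for s in sids)

def esc1_audit(t):
    """Return (vulnerable, conditions_met) for one template record."""
    conditions = {
        "enrollee supplies subject": bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "authentication EKU": allows_auth(t["pKIExtendedKeyUsage"]),
        "low-privileged enrollment": low_priv_enrollable(t["enrollment_sids"]),
        "no manager approval": not t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no authorized signature required": t["msPKI-RA-Signature"] == 0,
    }
    return all(conditions.values()), [k for k, v in conditions.items() if v]

def template(name, name_flag, enroll_flag, ekus, sids, ra_sig=0):
    return {"name": name, "msPKI-Certificate-Name-Flag": name_flag, "msPKI-Enrollment-Flag": enroll_flag,
            "pKIExtendedKeyUsage": ekus, "enrollment_sids": sids, "msPKI-RA-Signature": ra_sig}

DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"   # constructed domain SID, Domain Users RID
TEMPLATES = [                                  # constructed sample templates
    template("VulnUser", 0x1, 0x0, ["1.3.6.1.5.5.7.3.2"], [DOMAIN_USERS]),      # all ESC1 conditions
    template("WebServer", 0x1, 0x0, ["1.3.6.1.5.5.7.3.1"], [DOMAIN_USERS]),     # Server Auth EKU only
    template("ApprovedUser", 0x1, 0x2, ["1.3.6.1.5.5.7.3.2"], [DOMAIN_USERS]),  # manager approval on
]

def vulnerable_templates(templates=TEMPLATES):
    return [t["name"] for t in templates if esc1_audit(t)[0]]

if __name__ == "__main__":
    for t in TEMPLATES:
        vuln, met = esc1_audit(t)
        print(f"{t['name']}: {'ESC1' if vuln else 'ok'} ({', '.join(met)})")
```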

How to harden AD CS

  • Patch CVE-2022-26923 (and CVE-2024-49019) on every CA and DC — KEV-listed.
  • Set the machine-account quota to 0 where users have no need to join hosts (limits Certifried).
  • Treat the CA as Tier 0 infrastructure, with offline root CA and strict admin separation.

Common AD CS detection mistakes

  • No certificate-request auditing. Without Events 4886/4887, the entire attack surface is invisible.
  • Auditing requests but not the SAN. Enable the enhanced events that include it.
  • Hardening ESC1 but leaving web enrollment. ESC8 stays open.
  • Patching only the CA. Certifried needs both KDC and CA patched.

AD CS abuse detection checklist

  1. Enable AD CS audit Events 4886 and 4887 (enhanced, with SAN) on every CA.
  2. Alert on certificate requests where the SAN does not match the requester (ESC1).
  3. Alert on NTLM authentication to the web enrollment interface (ESC8).
  4. Audit all templates with Certipy/Locksmith/PSPKIAudit for ESC1–ESC16.
  5. Harden templates: no enrollee-supplied SAN, manager approval, no Any Purpose EKU.
  6. Enforce KB5014754 strong certificate binding (Full Enforcement).
  7. Remove web enrollment or enforce HTTPS + EPA; patch CVE-2022-26923 on CA and DC.
  8. Treat the CA as Tier 0; set machine-account quota to 0 where appropriate.

The takeaway

Detecting AD CS abuse means turning on certificate-request auditing (Events 4886/4887 with the SAN) and alerting on the ESC1 SAN mismatch and ESC8 web-enrollment relay, while hardening templates and enforcing strong certificate binding. Audit your own templates first. Continue with NTLM relay detection and Kerberoasting, or browse the full Detection Engineering pillar.

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • TryHackMe (Security Training): authorized labs to practice Active Directory and AD CS attack detection.

Frequently asked questions

What is AD CS abuse?

AD CS abuse exploits misconfigured Active Directory Certificate Services to escalate from a low-privileged user to Domain Admin. The SpecterOps "Certified Pre-Owned" research catalogued the paths as ESC1–ESC8 (now extended to ESC16). The most common, ESC1, lets a user request a certificate with an attacker-chosen Subject Alternative Name and authenticate as anyone. It maps to MITRE ATT&CK T1649.

How do you detect ESC1 and ESC8?

Enable AD CS audit Event IDs 4886 (certificate requested) and 4887 (certificate issued) — enhanced events now include the SAN, template, and requester. Alert on certificate requests where the requester supplies a SAN that does not match their identity (ESC1), and on NTLM authentication to the web enrollment interface (ESC8). Tools like Certipy, Locksmith, and PSPKIAudit audit the templates.

What is CVE-2022-26923?

CVE-2022-26923 ("Certifried", CVSS 8.8, CISA KEV) lets any domain user create a computer account, change its dNSHostName to a domain controller's, and request a certificate that impersonates the DC — a full domain takeover. Microsoft's fix adds a SID security extension; both the KDC and CA must be patched.

How do you prevent AD CS privilege escalation?

Harden certificate templates: disable enrollee-supplied subject names, require manager approval, remove the Any Purpose EKU, and restrict enrollment from low-privileged users. Enforce KB5014754 strong certificate binding (Full Enforcement), remove or harden web enrollment (HTTPS + EPA), and audit every template with Certipy or Locksmith.
