What is the final impact of this kill-chain?

The final step lands on Find vulnerable template (AD-ESC1), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

ADCS ESC1 → Domain Admin

A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Low-priv domain user

T1078 · Valid Accounts

Lateral Movement

Kerberos auth with cert (PKINIT)

T1550.003 · Pass the Ticket

certipy auth -pfx administrator.pfx → TGT and NT hash for Administrator.

Credential Access

DCSync as Administrator

T1003.006 · DCSync

Credential Access

Request cert with SAN=Administrator

AD-ESC1 · ADCS ESC1 — Misconfigured Template (SAN)

certipy req -u <user>@<dom> -p <pw> -ca <ca> -template <vuln_template> -upn administrator@<dom>

Credential Access

Find vulnerable template

AD-ESC1 · ADCS ESC1 — Misconfigured Template (SAN)

certipy find -u <user>@<dom> -p <pw> -dc-ip <dc> -vulnerable

§ Context

Assumed environment: ADCS is deployed; at least one published cert template has 'Enrollee supplies subject' enabled, EKU = Client Authentication, and Domain Users have Enroll rights. PKINIT is enabled on the DC.

§ Steps

01
Low-priv domain userInitial Access
T1078— Valid Accounts
02
Kerberos auth with cert (PKINIT)Lateral Movement
T1550.003— Pass the Ticket
certipy auth -pfx administrator.pfx → TGT and NT hash for Administrator.
03
DCSync as AdministratorCredential Access
T1003.006— DCSync
04
Request cert with SAN=AdministratorCredential Access
AD-ESC1— ADCS ESC1 — Misconfigured Template (SAN)
certipy req -u <user>@<dom> -p <pw> -ca <ca> -template <vuln_template> -upn administrator@<dom>
05
Find vulnerable templateCredential Access
AD-ESC1— ADCS ESC1 — Misconfigured Template (SAN)
certipy find -u <user>@<dom> -p <pw> -dc-ip <dc> -vulnerable

§ References

T1078Valid Accounts
T1550.003Pass the Ticket
T1003.006DCSync

§ Frequently asked

What is the "ADCS ESC1 → Domain Admin" attack path?: A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Low-priv domain user (T1078) — a initial access primitive. Assumed environment: ADCS is deployed; at least one published cert template has 'Enrollee supplies subject' enabled, EKU = Client Authentication, and Domain Users have Enroll rights.
What is the final impact of this kill-chain?: The final step lands on Find vulnerable template (AD-ESC1), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ADCS ESC1 → Domain Admin

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

mitm6 IPv6 SLAAC → NTLM relay → DA

ADCS ESC11 → certificate via RPC (no web enrollment)

PetitPotam + ADCS ESC8 → Domain Controller takeover

Unconstrained delegation → Capture DC TGT → DCSync

Citrix Bleed → steal authenticated session → MFA bypass

Shadow Credentials → PKINIT → NT hash