AD-ESC1Credential Access

ADCS ESC1 — Misconfigured Template (SAN)

Vulnerable cert template allows the enrollee to supply an arbitrary subjectAltName, issuing a cert that authenticates as any user.

§ Where this technique fits

AD-ESC1 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

ADCS ESC1 → Domain Admin
A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
step 2 / 5

§ What commonly comes next

01
Pass the Ticket
T1550.003 · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ADCS ESC1 → Domain Admin

§ What commonly comes next