01 ‐ Introduction
Active Directory Certificate Services (AD CS) is Microsoft's on-premises Public Key Infrastructure (PKI) solution for issuing and managing digital certificates within Active Directory environments. These certificates support critical functions such as file encryption, digital signatures, and authentication (e.g., smart card logon or TLS/SSL for servers). Because AD CS can issue password-equivalent credentials - certificates that allow access as a user or computer - a compromised Certificate Authority (CA) or misconfigured Certificate Template can be as impactful as a Domain Controller breach. For this reason, AD CS components are considered Tier-0 assets.
In 2021, SpecterOps published the "Certified Pre-Owned" whitepaper, revealing multiple AD CS misconfigurations that enable privilege escalation and domain persistence. These were categorized as ESC1 through ESC8 (Escalation abuse cases). Since then, the list has expanded to ESC16, with new techniques introduced by other researchers. These ESCs demonstrate how subtle flaws in AD CS can be abused to gain elevated privileges - often up to Domain Admin - or maintain covert access. This has led to increased attention on AD CS security, a component traditionally overlooked in many environments.
Certipy, developed by @ly4k, is a comprehensive toolkit for enumerating, identifying, and exploiting AD CS misconfigurations. It automates the discovery of vulnerable CAs and templates, streamlining attacks involving ESCs, certificate requests over multiple protocols, NTLM relays to AD CS, certificate-based authentication, persistence, and more. Certipy supports exploitation and identification for all known ESC techniques (ESC1-ESC16). However, some are only supported in post-exploitation scenarios, and a few are not identified due to their vague definitions or graph-based nature. For a detailed breakdown of techniques, see the Privilege Escalation page.
While Certipy is effective for AD CS-specific abuse, combining it with BloodHound provides broader attack path analysis. BloodHound offers deeper visibility into AD relationships and is particularly useful for ESCs that are vaguely defined or graph-based in nature, such as ESC5, ESC13, and ESC14. For instance, Certipy can identify templates vulnerable to ESC13 - which involves certificate templates with issuance policies linked to privileged groups via OID group links - but it does not map out the privileges obtained from that group link, as this requires contextual analysis of group memberships and permissions.
If you're looking for a starting point, the Resources page contains a curated list of original research, documentation, and key resources. It serves as both an introduction to AD CS abuse and a reference for deeper exploration - including several honorable mentions for their exhaustive technical documentation. While many entries focus on exploitation, most also include guidance on hardening and mitigation.
Tip
The Terminology page is also a great place to start and can serve as a helpful reference as you navigate the rest of this wiki.
If you find this project useful, consider sponsoring it on GitHub to support continued development.