The abuse of misconfigured Active Directory Certificate Services (AD CS) certificate templates has been a common method of privilege escalation for threat actors and red teams alike. Depending on the configuration of the certificate template, the impact of AD CS vulnerabilities can be devastating and lead to full domain compromise.
This white paper discusses the ESC1 certificate abuse technique and the system artifacts and logs that can be used in both incident response and proactive engagements to help defenders develop detections and decrease the risk of AD CS abuse.
Author: Stephan Wolfert