Security News

Cybersecurity news aggregator


Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

The article details the misuse of misconfigured Active Directory Certificate Services (AD CS) templates and enrollment rights as a primary attack vector, enabling adversaries to impersonate privileged accounts and escalate privileges without malware or zero-day exploits. The associated CVE-2022-26923 has a CVSS 3.1 score of 8.8 (HIGH). Affected versions include Windows 10 1507 prior to 10.0.10240.19297, 1607 prior to 10.0.14393.5850, 1809 prior to 10.0.17763.4252, 1909 prior to 10.0.18363.2274, and 20H2 prior to 10.0.19042.1706.

Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

By: Stav Setty, Tom Fakterman, Shachar Roitman
Published: May 11, 2026
Categories: Malware, Threat Research
Tags: Active Directory, AD CS attacks, Certificate template, Certipy, ESC1, Fighting Ursa, Microsoft, PKI, Shadow credentials

Executive Summary

Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. Despite its critical role in the enterprise identity infrastructure, AD CS is often undermined by insecure default configurations and design complexities, resulting in exploitable attack surfaces. Due to misconfigured templates and overly permissive enrollment rights, AD CS has emerged as a high-impact, under-monitored vector for privilege escalation and unauthorized identity impersonation in modern environments.

Unlike traditional vulnerability exploitation, AD CS attacks rarely rely on zero-day vulnerabilities or malware. Instead, adversaries misuse native certificate issuance to impersonate privileged accounts, escalate privileges and establish persistence. Unit 42 observations and industry reporting show that these weaknesses are actively exploited by both financially motivated ransomware groups and state-sponsored actors. We provide a technical deep-dive into advanced AD CS exploitation, including certificate template misconfigurations and shadow credential misuse. Our findings present a comprehensive breakdown of the attacker's toolkit and their evolving operational behaviors.

By studying behavioral analytics, event log correlation and linking offensive techniques to actionable telemetry, it is possible to create dynamic and comprehensive detection strategies. Our detection methods reveal patterns and methods that extend beyond traditional signature-based approaches. We aim to provide defenders with unique ways to uncover stealthy AD CS abuse and address a persistent gap in enterprise security.

Cortex XDR and XSIAM customers are protected from this activity with Cortex User Entity Behavior Analytics (UEBA) and Cortex Cloud Identity Security. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: Active Directory, Fighting Ursa, Microsoft

Introduction: The Critical Role (and Risk) of AD CS

AD CS is the backbone of enterprise public key infrastructure (PKI). At its core is the certificate authority (CA), the service responsible for issuing and managing digital certificates. These certificates are cryptographic identity cards that prove that a user, device or service is what it claims to be. Organizations rely on AD CS for:

- User authentication: Certificates enable single sign-on and client authentication across services
- Service authentication: Internal services and domain controllers validate identity using PKI
- Encryption: Certificates underpin secure communications within and outside the enterprise

The same capabilities that make AD CS indispensable also create risk. To manage certificate issuance, AD CS uses certificate templates, which define who can request certificates, what they can be used for, and the permissions required. When misconfigured, these templates may grant long-lived authentication or privileged access, effectively providing complete control over a network. Certificate issuance is an expected administrative function that often appears as normal network activity. This makes AD CS a powerful adversarial tool, because exploitation frequently evades detection.

In the AD CS issuance workflow, the CA issues certificates according to the policies defined in certificate templates, and users and services use the resulting certificates for authentication and encryption. Figure 1 illustrates this flow.

Figure 1. PKI architecture showing CA → Templates → Certificates → Users and Services.

For additional background on AD CS fundamentals, see Detecting AD CS Abuse.

Ongoing Exploitation and Blind Spots

Despite years of research highlighting AD CS risks, certificate services remain a significant attack surface. Key contributing factors include:

- Widespread misconfigurations: Organizations often deploy AD CS with default or overly permissive settings.
- Complexity breeding mistakes: Consistently securing each configuration surface is a daunting task when combined with the need to manage dozens of certificate templates, enrollment policies and delegated permissions. Because certificate services support critical authentication workflows, security teams can be hesitant to modify legacy templates or tighten permissions, for fear of disrupting production systems.
- Limited monitoring: Few tools natively detect certificate misuse.

Recent incident response investigations show attackers leveraging AD CS to escalate from low-privileged accounts to full domain dominance. Exploiting certificate services is no longer rare; it has become a standard step in sophisticated intrusions.

In August 2024, Rapid7 described a social engineering campaign in which attackers attempted to escalate privileges by exploiting CVE-2022-26923. This vulnerability allows a lower-privileged user to elevate their privileges by acquiring a certificate from the AD CS. The attackers tried to exploit it by dropping and executing a file named update6.exe. Figure 2 shows a Cortex XDR alert that is triggered when update6.exe attempts to exploit CVE-2022-26923. The alert highlights a mismatch between the requesting machine and the issued certificate's identity — a behavioral signal that is consistent with certificate-based privilege escalation. These inconsistencies can reveal AD CS abuse even when no malware signatures are present.

Figure 2. An alert on the detection and prevention of CVE-2022-26923, as seen in Cortex XDR.

Phase Breakdown: How AD CS Attacks Work

The AD CS exploitation lifecycle typically encompasses five phases:

- Initial access: Compromising low-privileged accounts via phishing, credential theft or other vectors
- Discovery: Enumerating CA servers, certificate templates, enrollment permissions and account keys
- Exploitation: Misusing misconfigured templates to request certificates or register cryptographic keys for privileged accounts
- Privilege escalation and lateral movement: Using certificates or keys with public key cryptography for initial authentication (PKINIT) to request Kerberos tickets and impersonate privileged users
- Persistence: Maintaining access through shadow credentials, key trust misuse and certificate renewal

Figure 3 illustrates this sequence of operations, demonstrating how AD CS acts as a force multiplier that turns a single compromised account into long-term access across an enterprise.

Figure 3. AD CS attack lifecycle diagram.

Deep Dive: Key AD CS Attack Techniques

The key adversarial tactics, techniques and procedures (TTPs) that target AD CS include certificate template misconfigurations and shadow credential abuse.

Certificate Template Misuse and Misconfigurations

Certificate templates define how AD CS issues certificates, including who can request them and what privileges the certificates grant. Exploiting misconfigurations in certificate templates is one of the most common ways that attackers escalate privileges. Common misconfigurations include:

- Low-privileged users allowed to enroll in high-privileged templates: This effectively lets attackers mint authentication certificates for accounts that they should not control
- Dangerous template flags enabled: For example, the "Supply in the request" option (ENROLLEE_SUPPLIES_SUBJECT) lets the requester define the certificate subject in the certificate signing request (CSR), enabling impersonation
- Broad group enrollment rights: Assigning rights to groups like Domain Users or Authenticated Users allows any authenticated user to abuse certificate enrollment

Figure 4 highlights a dangerous template configuration that allows the requester to supply the subject, enabling account impersonation.

Figure 4. Template setting with the "Supply in the request" (ENROLLEE_SUPPLIES_SUBJECT) specification enabled.

ESC1 Walkthrough

In their 2021 Certified Pre-Owned: Abusing Active Directory Certificate Services [PDF] whitepaper, SpecterOps researchers Will Schroeder and Lee Christensen identified and categorized eight primary AD CS escalation techniques, designated ESC1 through ESC8. Since then, several additional ESC techniques have been discovered. ESC1 stands out as the most consistently observed and widely utilized escalation method. This technique exploits template vulnerabilities, enabling low-privileged users to request certificates as high-privileged accounts.

An ESC1 attack can be conducted when a certificate template is configured with the following settings:

- Low-privileged users have enrollment rights
- Requesters can specify a subject alternative name (SAN) (ENROLLEE_SUPPLIES_SUBJECT)
- Manager approval is disabled
- No authorized signatures are required
- The enhanced key usage (EKU) allows authentication — for example, Client Authentication

A typical ESC1 attack begins with an adversary enumerating available certificate templates using tools such as Certify or Certipy to identify misconfigurations. Once a vulnerable template is discovered, the attacker submits a certificate request impersonating a high-privileged account. The issued certificate can then be used to authenticate to services or obtain Kerberos tickets as the target account, resulting in privilege escalation. Figure 5 shows output from Certipy, a Python tool used to enumerate certificate templates and exploit misconfigurations, highlighting flags that enable the ESC1 attack path.

Figure 5
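The five ESC1 conditions listed in the walkthrough, turned into a template audit check. This is an added example, not code from the Unit 42 article or from Certify/Certipy; the template records are constructed dicts standing in for LDAP pKICertificateTemplate attributes, and the enroll_principals field is an assumed simplification of the template's security descriptor.

```python
# Added ESC1 template audit (illustration, not the article's or Certipy's code).
# Templates are constructed dicts mimicking pKICertificateTemplate attributes;
# 'enroll_principals' is an assumed stand-in for the template security descriptor.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that let the issued certificate authenticate a principal
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Groups whose enrollment rights effectively cover every authenticated account
BROAD_GROUPS = {"Domain Users", "Authenticated Users"}

def allows_auth(ekus):
    # No EKU at all means the certificate is usable for any purpose, auth included
    return not ekus or bool(set(ekus) & AUTH_EKUS)

def esc1_findings(t):
    """Return which of the five ESC1 conditions the template satisfies."""
    findings = []
    if t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject")
    if not t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if t["ra_signatures"] == 0:
        findings.append("no authorized signatures")
    if allows_auth(t["ekus"]):
        findings.append("authentication EKU")
    if BROAD_GROUPS & set(t["enroll_principals"]):
        findings.append("broad enrollment rights")
    return findings

def is_esc1(t):
    # All five conditions together make the template ESC1-exploitable
    return len(esc1_findings(t)) == 5

# Constructed sample templates (not from any real environment)
TEMPLATES = [
    {"name": "VulnUser", "name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
    {"name": "User", "name_flag": 0x0, "enrollment_flag": 0x0, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
    {"name": "Approved", "name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
     "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
]

def audit(templates=TEMPLATES):
    """Names of templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t)]
```

Only "VulnUser" is reported: "User" does not let the enrollee supply the subject, and "Approved" pends requests for manager approval, which is why fixing either setting closes the ESC1 path.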
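The requester-versus-certificate-identity mismatch the article describes as its behavioral signal, applied to constructed issuance records. This is an added example and not code from the Unit 42 article or Cortex; the records are styled after Windows Security event 4887 (certificate issued) but their key=value layout, account names and hosts are assumptions.

```python
import re

# Constructed issuance records in the spirit of Windows Security event 4887
# (certificate issued). The key=value layout is a simplification, not the real
# event schema; names and hosts are made up for this illustration.
SAMPLE_EVENTS = [
    "EventID=4887 Requester=CORP\\jdoe Template=User Subject=CN=jdoe Attributes=",
    "EventID=4887 Requester=CORP\\jdoe Template=VulnUser Subject=CN=jdoe "
    "Attributes=SAN:upn=administrator@corp.local",
    "EventID=4887 Requester=CORP\\WS01$ Template=Machine "
    "Subject=CN=ws01.corp.local Attributes=",
    "EventID=4887 Requester=CORP\\WS01$ Template=VulnUser "
    "Subject=CN=dc01.corp.local Attributes=SAN:dns=dc01.corp.local",
    "EventID=4886 Requester=CORP\\jdoe Template=VulnUser Attributes=SAN:upn=administrator@corp.local",
]

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def requester_identity(requester):
    # DOMAIN\user -> user ; DOMAIN\HOST$ -> host
    return requester.split("\\")[-1].rstrip("$").lower()

def certificate_identities(event):
    """Short names the issued certificate asserts: the subject CN plus any SAN
    entries the requester supplied in the request attributes."""
    names = set()
    match = re.search(r"CN=([^,]+)", event.get("Subject", ""))
    if match:
        names.add(match.group(1))
    for _kind, value in re.findall(r"(upn|dns)=([^,&]+)", event.get("Attributes", "")):
        names.add(value)
    # reduce 'administrator@corp.local' / 'dc01.corp.local' to 'administrator' / 'dc01'
    return {n.lower().split("@")[0].split(".")[0] for n in names}

def find_mismatches(lines=SAMPLE_EVENTS):
    """Issued certificates whose identity differs from the account that requested them."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4887":   # only issued certificates, not pending requests
            continue
        me = requester_identity(ev["Requester"])
        foreign = sorted(n for n in certificate_identities(ev) if n != me)
        if foreign:
            alerts.append((ev["Requester"], ev["Template"], foreign))
    return alerts
```

The two flagged records are the user jdoe receiving a certificate carrying an administrator UPN and the workstation WS01$ receiving one for dc01, both issued from the same VulnUser template, which is the kind of identity inconsistency the article says reveals AD CS abuse without any malware signature.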
