Abusing Active Directory Certificate Services – Part One
ID: ead815ec-1a09-51e8-920b-a55ea54f5a8a
STIX ID: report--ead815ec-1a09-51e8-920b-a55ea54f5a8a
Feed Name: Black Hills Infosec Blog
This blog post demonstrates how misconfigured Active Directory Certificate Services (ADCS) certificate templates (notably the ESC1 condition) can allow low-privileged users to request certificates for arbitrary domain accounts, escalate to Domain Administrator, and maintain long-lived persistence because certificates remain valid for multiple years. It provides hands-on examples using Certipy to discover vulnerable templates, request certificates (including Kerberos and SID workarounds), and extract credential hashes and Kerberos tickets, and it recommends mitigations and monitoring: restrict template permissions, require manual approval, disable "Enrollee Supplies Subject", and monitor event IDs 4886/4887/4768.
