Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools
ID: 225ce4b8-fb7b-5110-b3d0-efc50df4d46c
STIX ID: report--225ce4b8-fb7b-5110-b3d0-efc50df4d46c
Feed Name: Palo Alto Networks Unit 42
Date Published: 2026-05-11
Date Updated: 2026-05-11
Author: Stav Setty, Tom Fakterman and Shachar Roitman
This Unit 42 report details how attackers exploit misconfigured Active Directory Certificate Services (AD CS) — through vulnerable certificate templates (ESC1 and related techniques), PKINIT/key-trust misuse, and shadow credentials — to escalate privileges, impersonate high-privilege accounts, and maintain stealthy persistence. The report catalogs commonly used open-source tools (Certify, Certipy, PKINIT tools, Whisker/pyWhisker), provides detection strategies (Windows Event IDs, LDAP query monitoring, and Cortex XDR/XSIAM alerts), and highlights real-world usage by ransomware and state-sponsored actors, urging stronger template hygiene and behavioral detections.
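As an added illustration of the detection strategies the summary mentions (this is not code from Unit 42 or the report), the Python script below runs three checks over a handful of constructed, already-parsed Windows events: an ESC1 check on CA issuance events whose SAN UPN names a different account than the requester, a shadow-credentials check on msDS-KeyCredentialLink writes made by someone other than the object itself, and a correlation that links a forged-SAN issuance to a later certificate-based TGT for the impersonated account. The event IDs are real (4886/4887 for CA request/issuance, 5136 for a modified directory object, which only fires if the object carries a SACL, and 4768 for a TGT request, which carries certificate issuer/serial/thumbprint fields when PKINIT was used), but the flat field names (`Requester`, `SubjectAltName`, `SubjectUserName`, `CertThumbprint` and so on), the hostnames and the accounts are assumptions of a hypothetical normalization layer, not the raw event XML.

```python
"""Added example: toy AD CS misuse detections over constructed, pre-parsed Windows events.

Field names below are assumptions of a hypothetical normalization layer (not the raw
event XML). Event IDs are real: 4886/4887 (CA request received/issued), 5136 (directory
object modified; needs a SACL on the object), 4768 (Kerberos TGT request, which carries
certificate issuer/serial/thumbprint fields when PKINIT was used).
"""
import json

# Constructed sample telemetry (not real data).
EVENTS = [
    # ESC1 pattern: low-privilege requester obtains a cert whose SAN UPN names an admin.
    {"EventID": 4887, "Computer": "CA01.corp.local", "Requester": "CORP\\jdoe",
     "CertificateTemplate": "VulnUserTemplate",
     "SubjectAltName": "upn=administrator@corp.local"},
    # Benign issuance: no SAN supplied.
    {"EventID": 4887, "Computer": "CA01.corp.local", "Requester": "CORP\\asmith",
     "CertificateTemplate": "User", "SubjectAltName": ""},
    # SAN present but it matches the requester, so not an impersonation.
    {"EventID": 4887, "Computer": "CA01.corp.local", "Requester": "CORP\\asmith",
     "CertificateTemplate": "User", "SubjectAltName": "upn=asmith@corp.local"},
    # Shadow credentials: jdoe adds a key credential to svc-backup's msDS-KeyCredentialLink.
    {"EventID": 5136, "Computer": "DC01.corp.local", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # A computer writing its own key credential (normal device key enrolment).
    {"EventID": 5136, "Computer": "DC01.corp.local", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    # PKINIT: certificate-based TGT for the impersonated admin from jdoe's workstation.
    {"EventID": 4768, "Computer": "DC01.corp.local", "TargetUserName": "administrator",
     "IpAddress": "10.0.0.57", "CertIssuerName": "corp-CA01-CA",
     "CertSerialNumber": "6a00000012", "CertThumbprint": "ab12cd34"},
    # Ordinary password-based TGT request: certificate fields empty.
    {"EventID": 4768, "Computer": "DC01.corp.local", "TargetUserName": "asmith",
     "IpAddress": "10.0.0.21", "CertIssuerName": "", "CertSerialNumber": "",
     "CertThumbprint": ""},
]


def _sam(principal: str) -> str:
    """Normalize a principal: 'CORP\\jdoe' -> 'jdoe', 'WS01$' -> 'ws01', 'u@x' -> 'u'."""
    name = principal.split("\\")[-1].split("@")[0]
    return name.rstrip("$").lower()


def detect_esc1(events):
    """Flag CA request/issuance events whose SAN UPN names someone other than the requester."""
    findings = []
    for e in events:
        if e.get("EventID") not in (4886, 4887):
            continue
        san = e.get("SubjectAltName", "").lower()
        if not san.startswith("upn="):
            continue
        san_user = _sam(san[len("upn="):])
        if san_user == _sam(e["Requester"]):
            continue  # requesting a cert for yourself is the normal case
        findings.append({"requester": e["Requester"], "san_user": san_user,
                         "template": e.get("CertificateTemplate"), "ca": e["Computer"]})
    return findings


def detect_shadow_credentials(events):
    """Flag msDS-KeyCredentialLink additions where the writer is not the target object."""
    findings = []
    for e in events:
        if e.get("EventID") != 5136:
            continue
        if e.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        if e.get("OperationType") != "Value Added":
            continue
        rdn = e["ObjectDN"].split(",")[0]
        target = rdn[3:] if rdn.upper().startswith("CN=") else rdn
        writer = e["SubjectUserName"]
        if _sam(writer) == _sam(target):
            continue  # self-enrolment heuristic; extend with your legitimate enrolment writers
        findings.append({"writer": writer, "target": target, "dc": e["Computer"]})
    return findings


def correlate_pkinit(events, esc1_findings):
    """Link forged-SAN issuances to later certificate-based TGTs for the same account."""
    impersonated = {f["san_user"] for f in esc1_findings}
    hits = []
    for e in events:
        if e.get("EventID") != 4768 or not e.get("CertThumbprint"):
            continue  # no thumbprint means a password/key-based AS-REQ, not PKINIT
        if _sam(e["TargetUserName"]) in impersonated:
            hits.append({"account": e["TargetUserName"], "ip": e["IpAddress"],
                         "issuer": e["CertIssuerName"], "serial": e["CertSerialNumber"]})
    return hits


def run(events=EVENTS):
    """Run all three checks and return the findings keyed by technique."""
    esc1 = detect_esc1(events)
    return {"esc1": esc1,
            "shadow_credentials": detect_shadow_credentials(events),
            "pkinit_after_esc1": correlate_pkinit(events, esc1)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

Two practical caveats when wiring this to real telemetry: the 4887 event's own Attributes field only carries a SAN when it was passed as a request attribute (the EDITF_ATTRIBUTESUBJECTALTNAME2 case), so for a SAN embedded in the CSR extension, which is how ESC1 is usually exploited, the `SubjectAltName` field has to be populated from the CA database (for example a certutil -view export) rather than from the event; and the self-enrolment heuristic in the shadow-credentials check will need an allow-list of the service principals that legitimately write msDS-KeyCredentialLink in your environment.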
