Investigating Active Directory Certificate Services Abuse: ESC1

The abuse of misconfigured Active Directory Certificate Services (AD CS) certificate templates has been a common method of privilege escalation for threat actors and red teams alike. Depending on the configuration of the certificate template, the impact of AD CS vulnerabilities can be devastating and lead to full domain compromise.

This white paper discusses the ESC1 certificate abuse technique, and the system artifacts and logs that can be used in both incident response and proactive engagements to help defenders develop detections and decrease the risk of AD CS abuse.
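Before looking at logs, a proactive engagement usually starts by finding the templates that satisfy the ESC1 preconditions: the enrollee may supply the subject name, no manager approval or authorized signature is required, the template allows client authentication (or carries no EKU restriction), and a low-privileged principal holds Enroll rights. The PowerShell below is an added example and not code from the white paper or from CrowdStrike. It evaluates those conditions over constructed template records; in a real domain the same attributes come from the template objects under CN=Certificate Templates in the Configuration partition, and the simplified `Enroll` list here stands in for the Enroll extended-right ACEs you would parse from each template's security descriptor. The list of principals treated as low-privileged is an assumption for the example.

```powershell
# Added audit example (not from the white paper). Flag bits and EKU OIDs are the
# documented AD CS values; the template records below are constructed sample data.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester picks the subject
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required

# EKUs that let the resulting certificate authenticate as the named principal.
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

# Assumption for this example: these groups count as low-privileged enrollers.
$LowPrivPrincipals = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone')

function Test-Esc1Template {
    # Returns $null when the template is not ESC1-exposed, otherwise an object
    # listing which conditions make it exposed.
    param([Parameter(Mandatory)][hashtable]$Template)

    $reasons = @()

    if (($Template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) { return $null }
    $reasons += 'enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)'

    if (($Template.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0) { return $null }
    $reasons += 'no manager approval'

    if ([int]$Template.'msPKI-RA-Signature' -gt 0) { return $null }
    $reasons += 'no authorized signature required'

    $ekus = @($Template.pKIExtendedKeyUsage)
    if ($ekus.Count -eq 0) {
        $reasons += 'no EKU restriction'
    } elseif ($ekus | Where-Object { $AuthEkus -contains $_ }) {
        $reasons += 'authentication EKU present'
    } else {
        return $null   # e.g. only Server Authentication: not usable to log on as a user
    }

    $enrollers = @($Template.Enroll | Where-Object { $LowPrivPrincipals -contains $_ })
    if ($enrollers.Count -eq 0) { return $null }
    $reasons += "Enroll granted to: $($enrollers -join ', ')"

    [pscustomobject]@{ Template = $Template.Name; Reasons = $reasons }
}

# Constructed sample templates: one exposed, two that fail a single condition each.
$SampleTemplates = @(
    @{ Name = 'VPNUsers';  'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x0
       'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); Enroll = @('Domain Users') }
    @{ Name = 'WebServer'; 'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x0
       'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.1'); Enroll = @('Domain Users') }
    @{ Name = 'Approved';  'msPKI-Certificate-Name-Flag' = 0x1; 'msPKI-Enrollment-Flag' = 0x2
       'msPKI-RA-Signature' = 0; pKIExtendedKeyUsage = @('1.3.6.1.5.5.7.3.2'); Enroll = @('Domain Users') }
)

$SampleTemplates | ForEach-Object { Test-Esc1Template -Template $_ } | Where-Object { $_ } |
    ForEach-Object { "$($_.Template): " + ($_.Reasons -join '; ') }
```

Only `VPNUsers` is reported: `WebServer` carries a Server Authentication EKU only, and `Approved` requires CA manager approval. Removing the enrollee-supplies-subject flag, requiring manager approval, or restricting Enroll rights each clears the finding, and the exposed templates are the ones whose issuance events deserve the closest scrutiny in the log review that follows.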

Author: Stephan Wolfert
