ADCS ESC4: Certificate Template Write Privilege Escalation — Detection and Remediation
ESC4 is an ADCS attack path where a low-privileged user with Write or WriteDACL permissions on a certificate template can modify the template to introduce ESC1 conditions — enabling enrollment of certificates usable for domain administrator authentication. This is a configuration vulnerability, not a software bug. It exists in most enterprise ADCS deployments and requires no patch — only an ACL audit.
What Is ESC4?
ESC4 exploits misconfigured Write permissions on Active Directory certificate template objects. When a low-privileged user or group has Write, WriteDACL, or WriteOwner permissions on a template object in Active Directory, they can modify the template's attributes — including the Subject Name flags, Extended Key Usages, and enrollment permissions.
An attacker with these permissions can modify a template to allow enrollee-supplied Subject Names and grant Domain Users enrollment rights, effectively creating ESC1 conditions on demand. They can then enroll a certificate as any domain principal, including Domain Admins, and use it for Kerberos PKINIT authentication.
Who Is Affected
ESC4 conditions exist when any of the following are true on a certificate template:
- Domain Users, Authenticated Users, or Domain Computers has Write, WriteDACL, or WriteOwner on the template object in AD.
- A service account or help desk account used for enrollment operations has been granted Write permissions on templates.
- The template was created by copying an existing template without reviewing the inherited ACL.
- Third-party PKI management tools have been granted broad Write access to template objects.
Detection
Monitor for the following indicators of ESC4 exploitation:
- Event ID 4899 — A Certificate Services template was changed. Any unexpected template modification should be investigated immediately.
- Event ID 4900 — Certificate Services template security was updated. Correlate with the modifying account.
- AD audit logs — unexpected ACL changes on certificate template objects in CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration.
- Run PSPKIAudit or Certify to enumerate templates with non-admin Write permissions.
Remediation
Audit all certificate templates for non-admin Write permissions. The following PowerShell snippet uses PSPKIAudit to enumerate vulnerable templates:
# Install PSPKIAudit
Install-Module -Name PSPKIAudit
# Find templates with ESC4 conditions
Get-PKIAuditTemplates | Where-Object { $_.ESC4 -eq $true } | Select-Object Name, ESC4, ACLESC4 is a configuration vulnerability that exists silently in most enterprise ADCS deployments. It requires no exploit code — just knowledge of which templates have misconfigured ACLs. An attacker with a domain foothold and access to Certify or Certipy can enumerate ESC4 conditions in seconds. The fix is an ACL audit, not a patch.
- 1Run PSPKIAudit or Certify to enumerate all certificate templates with non-admin Write permissions.
- 2Remove Write/WriteDACL/WriteOwner permissions from non-admin principals on all certificate templates.
- 3Enable Manager Approval on sensitive templates as a defense-in-depth measure.
- 4Enable ADCS audit logging: "certutil -setreg CA\AuditFilter 127".
- 5Monitor Event ID 4899 and 4900 for unexpected template modifications.
ESC4 is the silent killer in enterprise PKI. It requires no software vulnerability — just a misconfigured ACL that was probably set years ago and never reviewed. Run PSPKIAudit today. If you find ESC4 conditions, treat it as a critical finding and remediate immediately.
InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.
