Back to Blog
ADCSJune 3, 202614 min read

ESC1 Through ESC13: A Practical Remediation Roadmap for Enterprise ADCS

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

The ESC attack path framework, introduced by SpecterOps in 2021 and expanded through 2026, documents 13 distinct ADCS privilege escalation techniques. This article provides a prioritized remediation roadmap — ordered by exploitability and blast radius — with specific detection queries and fix guidance for each path.

Prioritization Framework

Not all ESC paths are equally dangerous or equally common. We prioritize remediation based on two factors: exploitability (how easy is it to exploit, given a low-privilege foothold?) and blast radius (what is the worst-case outcome?). Paths that are easy to exploit and lead to domain compromise are addressed first.

Tier 1: Immediate Remediation (ESC1, ESC8, ESC6)

ESC1 — Misconfigured certificate templates with enrollee-supplied Subject and low-privilege enrollment rights. Any domain user can request a certificate as any principal. Fix: remove enrollee-supplied Subject from templates that do not require it; restrict enrollment rights to specific security groups.

ESC8 — NTLM relay to ADCS HTTP enrollment endpoints. Fix: enable EPA on IIS, require HTTPS, disable NTLM on certsrv.

ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag. Fix: run "certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2" on each CA and restart CertSvc.

Tier 2: High Priority (ESC2, ESC3, ESC4)

ESC2 — Any Purpose EKU or no EKU. Fix: audit all templates for Any Purpose EKU and remove it; ensure all templates have specific, minimal EKU sets.

ESC3 — Enrollment Agent template abuse. Fix: restrict Enrollment Agent templates to specific accounts; enable CA manager approval for Enrollment Agent certificate issuance.

ESC4 — Write permissions on certificate templates. Fix: audit template ACLs for non-admin write permissions; remove Write/FullControl from non-privileged accounts.

Tier 3: Medium Priority (ESC5, ESC7, ESC9–ESC13)

ESC5 through ESC13 cover a range of CA object ACL abuses, NTAuthCertificates manipulation, no-security-extension conditions, and ADCS DCOM interface abuse. These paths generally require more specific conditions or higher initial privileges, but should be addressed as part of a comprehensive ADCS hardening program.

Full remediation guidance for Tier 3 paths is included in the InsecurePlanet ADCS Security Checklist.

Why It Matters

ESC vulnerabilities are present in the majority of enterprise ADCS deployments. The SpecterOps research that documented these paths was published in 2021 — five years later, most environments remain unpatched. Automated tooling makes exploitation trivial. A single ESC1-vulnerable template in a large enterprise is sufficient for full domain compromise.

Recommended Actions
  1. 1Run Certipy find --vulnerable against your ADCS environment to enumerate all ESC conditions.
  2. 2Remediate Tier 1 paths (ESC1, ESC8, ESC6) immediately — these are the most commonly exploited.
  3. 3Schedule a Tier 2 remediation sprint within 30 days.
  4. 4Download the InsecurePlanet ADCS Security Checklist for complete Tier 3 guidance.
  5. 5Re-run Certipy after each remediation phase to verify fixes.
InsecurePlanet Take

The ESC framework is five years old. If your ADCS environment has not been audited against it, you are operating with known, exploitable vulnerabilities that are in every attacker's playbook. Start with Certipy find — it takes ten minutes and will show you exactly where you stand.

ADCSESC PathsRemediationHardening
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon