Back to Blog
ADCSJune 16, 20268 min read

ESC8 NTLM Relay and ADCS Web Enrollment: Enterprise Exposure, Detection, and Mitigation

IP
InsecurePlanet Research
PKI & ADCS Security
Executive Summary

ESC8 is a documented Active Directory Certificate Services exposure pattern involving NTLM relay to vulnerable ADCS web enrollment endpoints. Organizations using Certificate Authority Web Enrollment, Certificate Enrollment Web Service, or related HTTP-based enrollment paths should assess whether their configuration is susceptible and apply appropriate mitigations.

What Is ESC8?

ESC8 is an ADCS attack path, documented by SpecterOps in the "Certified Pre-Owned" research paper (2021), that exploits the fact that ADCS Web Enrollment (certsrv) and Certificate Enrollment Service (CES) endpoints accept NTLM authentication by default. An attacker who can coerce NTLM authentication from a privileged account — such as a domain controller computer account — can relay that authentication to the ADCS HTTP endpoint and request a certificate on behalf of the coerced account.

Because domain controller computer accounts have enrollment rights on the "Domain Controller" and "Domain Controller Authentication" certificate templates by default, the attacker receives a valid DC certificate. That certificate can then be used to perform a Kerberos PKINIT authentication as the domain controller, obtain a TGT, and execute a DCSync attack to extract all domain credentials.

Current Threat Status

The ESC8 exposure pattern is publicly documented and remains relevant to enterprise ADCS security reviews. InsecurePlanet does not characterize current exploitation activity, threat-actor use, or campaign volume unless supported by a named and dated authoritative source.

The underlying technique — NTLM relay to ADCS HTTP enrollment endpoints — has been publicly described since the SpecterOps "Certified Pre-Owned" paper (June 2021) and is included in the ADCS security guidance published by Microsoft (KB5005413, August 2021). Organizations should treat ESC8 as a configuration risk to be assessed and remediated regardless of current exploitation reports.

Exposure Conditions

An environment is susceptible to ESC8 when all of the following conditions are present:

  • ADCS Web Enrollment (certsrv), Certificate Enrollment Web Service (CES), or Network Device Enrollment Service (NDES) is enabled and accessible over HTTP or HTTPS without Extended Protection for Authentication (EPA).
  • The CA has one or more certificate templates that allow enrollment by domain computer accounts — including the default "Domain Controller" and "Domain Controller Authentication" templates.
  • An attacker can coerce NTLM authentication from a privileged account (such as a domain controller computer account) using a coercion technique such as PetitPotam, PrinterBug, or DFSCoerce.
  • The attacker can relay that NTLM authentication to the ADCS enrollment endpoint before the authentication session expires.

Operational Impact

If all exposure conditions are met, an attacker with a network foothold — but no domain credentials — can obtain a certificate for a domain controller computer account. That certificate can be used with Kerberos PKINIT to authenticate as the domain controller and perform a DCSync operation, extracting all domain credential hashes.

The path from network foothold to domain credential extraction does not require any software vulnerability — only the presence of misconfigured ADCS enrollment endpoints and the absence of EPA enforcement.

Detection Opportunities

ESC8 exploitation generates several detectable signals. Defenders must have the appropriate logging configured in advance to capture them:

  • Event ID 4768/4769 — Kerberos TGT/TGS requests using certificate authentication (PKINIT) from unexpected accounts or source hosts. A domain controller computer account authenticating via PKINIT from a non-DC host is anomalous.
  • Event ID 4886 — Certificate Services received a certificate request. Review for DC computer account certificates requested from unexpected source hosts.
  • Event ID 4887 — Certificate Services approved and issued a certificate. Correlate with Event ID 4886 to identify anomalous issuances.
  • IIS logs on the CA server — NTLM-authenticated POST requests to /certsrv/certfnsh.asp originating from unexpected source IP addresses.
  • Network telemetry — NTLM authentication flows from DC computer accounts to non-DC hosts, followed by HTTP or HTTPS traffic to the CA enrollment endpoint.

Certificate Template Governance

ESC8 relies on the availability of templates that permit enrollment by domain computer accounts. Reviewing and restricting enrollment permissions on sensitive templates is a complementary control to EPA enforcement:

  • Audit enrollment permissions on the "Domain Controller" and "Domain Controller Authentication" templates — enrollment should be restricted to domain controllers only, not all domain computers.
  • Review all templates with "Domain Computers" or "Authenticated Users" in the enrollment ACL and assess whether broad enrollment rights are operationally required.
  • Enable Manager Approval on templates that issue high-privilege certificates as a defense-in-depth measure.
  • Use PSPKIAudit or Certify to enumerate templates with overly permissive enrollment ACLs across the entire ADCS deployment.

NTLM Hardening Considerations

Reducing the NTLM attack surface in the environment limits the coercion vectors that ESC8 depends on. These measures are complementary to — not a replacement for — EPA enforcement on ADCS endpoints:

  • Enable NTLM auditing (Event ID 4776) to establish a baseline of NTLM authentication activity before restricting it.
  • Consider restricting outbound NTLM from domain controllers using Group Policy (Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers).
  • Evaluate whether PetitPotam coercion paths can be blocked via firewall rules restricting MS-EFSRPC traffic from non-DC hosts.
  • Review whether the WebClient service is enabled on domain-joined hosts — it can be used as an alternative coercion path.

Enterprise Validation Steps

To assess whether your environment is susceptible to ESC8, verify the following:

  • Enumerate all CA servers and confirm which enrollment services are enabled: Web Enrollment (certsrv), CES, NDES, and CES-Policy.
  • For each enabled HTTP-based enrollment service, confirm whether EPA is enforced in IIS (Windows Authentication → Advanced Settings → Extended Protection = Required).
  • Confirm whether HTTPS is required for all enrollment endpoints — HTTP-only endpoints cannot enforce EPA effectively.
  • Run PSPKIAudit or Certify to enumerate templates with domain computer enrollment rights.
  • Review IIS logs on CA servers for unexpected NTLM-authenticated enrollment requests.
Why It Matters

ESC8 is a configuration exposure — not a software vulnerability — that requires no patch to remediate. The mitigations are well-documented and require no downtime. An environment with Web Enrollment enabled and EPA not enforced is susceptible to a complete domain credential extraction path from a network foothold. Assessing and remediating this exposure is a standard component of an ADCS security review.

Recommended Actions
  1. 1Enable EPA (Extended Protection for Authentication) on IIS for the certsrv and CES virtual directories — this is the primary mitigation for NTLM relay to ADCS endpoints. Guidance is in Microsoft KB5005413.
  2. 2Require HTTPS on all Web Enrollment endpoints and remove HTTP bindings — EPA is most effective when combined with HTTPS enforcement.
  3. 3If Web Enrollment is not operationally required, disable it entirely on the CA server via Server Manager → Remove Role Services.
  4. 4Enable ADCS audit logging: run "certutil -setreg CA\AuditFilter 127" on each CA and restart the CertSvc service to capture Event IDs 4886 and 4887.
  5. 5Deploy detection rules for Event ID 4886/4887 anomalies and PKINIT authentication (Event ID 4768 with pre-authentication type 16) from unexpected accounts or source hosts.
  6. 6Run PSPKIAudit or Certify to enumerate certificate templates with domain computer enrollment rights and review whether those rights are operationally necessary.
InsecurePlanet Take

ESC8 is a well-documented configuration exposure with a clear, low-disruption remediation path. Enabling EPA on ADCS enrollment endpoints and requiring HTTPS eliminates the relay vector. The mitigations have been available since Microsoft published KB5005413 in August 2021. If your ADCS Web Enrollment endpoints have not been reviewed against this guidance, an ADCS security assessment should include it as a priority item.

ADCSESC8NTLM RelayWeb Enrollment
Sources & References

InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.

Certified Pre-Owned: Abusing Active Directory Certificate Services
SpecterOpsPublished: June 17, 2021Reviewed: June 16, 2026
PSPKIAudit: PowerShell module for auditing Active Directory Certificate Services
GhostPack (SpecterOps)Published: 2021Reviewed: June 16, 2026
Security Brief

Get articles like this weekly

PKI advisories, ADCS updates, CISA KEV coverage, and Patch Tuesday analysis — every week.

Subscribe free
Free Resource

ADCS Security Checklist

24-page checklist covering ESC1–ESC13, CA hardening, CDP/OCSP, and enrollment endpoint security.

Download free
Advisory Services

Enterprise PKI advisory and ADCS assessment services are in preparation. Subscribe for updates when engagements open.

Service Updates Coming Soon