White Paper
Investigating Active Directory Certificate Services Abuse: ESC1
This CrowdStrike white paper examines how adversaries exploit misconfigured Active Directory Certificate Services (AD CS) certificate templates, with a focus on the ESC1 misconfiguration, to escalate privileges within Active Directory. It highlights the continued relevance of AD CS as a component of passwordless authentication and warns that, in hybrid environments, certificate abuse can extend lateral movement into Microsoft Entra. The paper outlines the forensic artifacts, such as key event log entries and CA database records, that help incident responders detect abuse, and includes a quick reference guide for identifying signs of certificate-based attacks.
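As an added example, not code from the CrowdStrike paper: a Python triage script that applies the commonly documented ESC1 template conditions (enrollee-supplied subject, no manager approval, no authorized signatures, an authentication-capable or absent EKU, and enrollment rights for low-privileged principals) to constructed template attributes, then reviews constructed issuance records for the ESC1 tell-tale, a certificate from such a template whose SAN UPN names an account other than the requester. Template names, accounts and UPNs are hypothetical; wiring it to live data (Get-ADObject against the Configuration partition, certutil -view on the CA) is left to the reader.

```python
"""ESC1 triage helpers: template misconfiguration check plus issuance review.

Added example, not code from the CrowdStrike white paper. All input data below
is constructed: dicts shaped like pKICertificateTemplate LDAP attributes and
rows shaped like a CA database export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Template flag bits (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag: manager approval

# EKUs that make a certificate usable for AD authentication (PKINIT / Schannel).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
ESC1_CONDITIONS = 5


def allows_authentication(ekus: List[str]) -> bool:
    """No EKU at all means 'any purpose', which also permits authentication."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_findings(attrs: Dict, low_priv_can_enroll: bool = True) -> List[str]:
    """Return the ESC1 conditions a template meets; all five present means ESC1.

    Evaluating enrollment rights needs the template's security descriptor,
    which is out of scope here, so the caller passes that result in.
    """
    findings = []
    if attrs.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject")
    if not attrs.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if attrs.get("msPKI-RA-Signature", 0) == 0:
        findings.append("no authorized signatures required")
    if allows_authentication(attrs.get("pKIExtendedKeyUsage", [])):
        findings.append("authentication EKU or no EKU")
    if low_priv_can_enroll:
        findings.append("low-privileged principals can enroll")
    return findings


def is_esc1(attrs: Dict, low_priv_can_enroll: bool = True) -> bool:
    return len(esc1_findings(attrs, low_priv_can_enroll)) == ESC1_CONDITIONS


@dataclass
class IssuedCert:
    """One issued-certificate row; san_upn is the UPN in the cert's SAN, if any."""
    request_id: int
    requester: str            # as the CA records it, e.g. "CORP\\jdoe"
    template: str
    san_upn: Optional[str]


def suspicious_issuances(rows: List[IssuedCert], esc1_templates: set) -> List[int]:
    """Request IDs from ESC1-prone templates where the SAN UPN names a
    different account than the requester (the ESC1 abuse pattern)."""
    flagged = []
    for r in rows:
        if r.template not in esc1_templates or not r.san_upn:
            continue
        requester_user = r.requester.split("\\")[-1].lower()
        san_user = r.san_upn.split("@")[0].lower()
        if requester_user != san_user:
            flagged.append(r.request_id)
    return flagged


# Constructed sample data: one deliberately misconfigured template, one sane one.
TEMPLATES = {
    "LegacyVPN": {                                   # hypothetical ESC1 template
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    },
    "User": {                                        # subject built from AD, not the request
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
    },
}
ISSUANCES = [
    IssuedCert(101, "CORP\\jdoe", "User", "jdoe@corp.example"),
    IssuedCert(102, "CORP\\jdoe", "LegacyVPN", "administrator@corp.example"),
    IssuedCert(103, "CORP\\svc-vpn", "LegacyVPN", "svc-vpn@corp.example"),
]


def triage() -> Dict:
    esc1 = {name for name, attrs in TEMPLATES.items() if is_esc1(attrs)}
    return {"esc1_templates": esc1,
            "suspicious_requests": suspicious_issuances(ISSUANCES, esc1)}


if __name__ == "__main__":
    print(triage())
```

Run against the constructed data, the script reports LegacyVPN as the only ESC1 template and request 102 as the only suspicious issuance: a low-privileged requester obtained an authentication certificate carrying an administrator UPN. A requester/SAN match on an ESC1 template (request 103) is not flagged on its own, since the template should still be fixed but that issuance is not evidence of abuse.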