Researchers and defenders warned that Active Directory Certificate Services (AD CS) can be abused to take over Windows domains through a combination of certificate misconfigurations and NTLM relay paths. SpecterOps documented multiple escalation techniques in its Certified Pre-Owned research, including vulnerable certificate templates, arbitrary Subject Alternative Name abuse, weak access controls, and relay attacks against AD CS web enrollment endpoints. The findings showed that attackers can obtain certificates usable for PKINIT or Schannel authentication, enabling privilege escalation, persistence that survives password resets, and in some cases creation of forged "golden certificates" if a CA private key is stolen.
The risk became more urgent as the PetitPotam attack chain demonstrated how coercing NTLM authentication from a domain controller and relaying it to AD CS could lead to complete domain compromise. SANS highlighted the issue as a path to domain admin, while Microsoft published advisory ADV210003 with mitigations rather than a security patch, recommending steps such as enabling Extended Protection for Authentication, requiring HTTPS on certificate enrollment endpoints, and reducing or disabling NTLM where possible. The combined disclosures showed that widely deployed AD CS environments could become a direct route to full Active Directory takeover if left misconfigured.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Rapid7 published analysis showing that the PetitPotam coercion technique could be chained with vulnerable AD CS configurations to fully compromise Windows domains running AD CS. The post connected the PetitPotam attack to the earlier AD CS NTLM relay research and explained how the combination enabled full domain takeover.
SANS Internet Storm Center published analysis describing an Active Directory Certificate Services public key infrastructure weakness that could lead to domain administrator compromise. The write-up amplified the practical security impact of the previously disclosed AD CS abuse techniques.
Microsoft published advisory ADV210003 covering mitigations for NTLM relay attacks against Active Directory Certificate Services. The guidance emphasized defensive configuration changes such as enabling protections around AD CS rather than shipping a direct security patch.
SpecterOps published research detailing multiple Active Directory Certificate Services misconfigurations and attack paths, including ESC1 through ESC8 and NTLM relay to AD CS web enrollment endpoints that could enable privilege escalation, persistence, and domain compromise. The researchers also released the PSPKIAudit defensive auditing tool and said Microsoft had recommended configuration-based mitigations rather than a security update.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
rapid7.com
Open sourceisc.sans.edu
Open sourcemsrc.microsoft.com
Open sourcespecterops.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.