Active Directory Certificate Services: The Stealthy Escalation Path Hiding in Plain Sight

AD CS is deployed in virtually every enterprise Active Directory environment, yet it remains one of the most under-defended attack surfaces in identity security. While defenders focus on Kerberos abuse, credential theft, and lateral movement, attackers are quietly exploiting misconfigured certificate templates to forge identities, bypass authentication controls, and escalate straight to Domain Admin.

In this webinar, we'll cover how AD CS works, how certificate templates integrate deeply with Active Directory accounts and group policy, and why that tight integration makes misconfiguration so dangerous. Then security researcher Darryl Baker from Netwrix — specializing in identity security, adversary emulation, and detection strategy across Active Directory, Entra ID, and hybrid environments — takes over to demonstrate three escalation techniques that attackers are actively exploiting today:

• Domain escalation via misconfigured Subject Alternative Name settings (ESC1)

• Domain escalation via Certificate Request Agent abuse (ESC3)

• Domain escalation via overly permissive certificate template (ESC4)

For each technique, Darryl will break down the full attack chain, show defenders exactly what to look for, and walk through the protections and mitigations you can put in place before a routine certificate request becomes a full domain compromise.