The Vilkas Wire
ESC8 in AD CS Explained: How NTLM Relay to Web Enrollment Leads to Domain Compromise
Mar 24, 2026 · By Ben Rollin

Active Directory Certificate Services (AD CS) is supposed to strengthen security through certificates, but a misconfiguration (really, the default configuration of its web enrollment role services) enables an attack called ESC8. This attack allows attackers to abuse AD CS's web enrollment endpoints and escalate to full domain compromise. We see this attack quite often during internal penetration tests and Active Directory Security Assessments, both in otherwise hardened environments and in environments that have recently deployed a new AD CS Certificate Authority (CA) server without reviewing the defaults.
What Is the ESC8 Attack?
ESC8, or NTLM Relay to AD CS HTTP Endpoints, is possible when AD CS's web-based enrollment services (the classic Web Enrollment pages under /certsrv, the Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP), or the Network Device Enrollment Service (NDES)) accept NTLM authentication over plain HTTP, or over HTTPS without Extended Protection for Authentication. In that state nothing ties the NTLM handshake to the connection it arrived on, so a handshake relayed from elsewhere is accepted as the victim.
Attackers abuse this by relaying an NTLM authentication attempt to one of these endpoints and requesting a certificate for the user or machine account that authenticated. With that certificate they hold the account's identity and can act on its behalf. The most common attack chain is obtaining a certificate for the machine account of a domain controller. That certificate is then used to authenticate as the DC account (Kerberos PKINIT) and perform DCSync, which abuses the replication permissions domain controllers hold by default to pull the NTLM password hashes of every account in the domain. The attack is quick and relatively easy to perform with readily available open-source tooling, leads to domain compromise, and very often goes undetected.
Why It's Dangerous
Unlike many NTLM relay attacks, ESC8 is particularly dangerous because:
- Persistent Access: Certificates remain valid long after the NTLM session ends, enabling long-term account impersonation.
- Protocol Agnostic: With the certificate in hand, an attacker can authenticate using Kerberos (PKINIT) or Schannel, bypassing many NTLM restrictions; NTLM signing, blocking or auditing on other services no longer matters.
- Privilege Abuse: If the relayed account is a domain controller's or an Exchange server's machine account, attackers can use the resulting certificate to replicate directory data or escalate to Domain Admin.
How ESC8 is Exploited
- Wait or Coerce Authentication: Attackers either wait for a privileged account to connect to them, or they force it with a coercion technique such as the "printer bug" (MS-RPRN) or PetitPotam (MS-EFSR), which make a target machine authenticate to a host the attacker controls.
- Relay the Authentication: The victim authenticates to the attacker's listener. Instead of completing that handshake itself, the attacker forwards each NTLM message to the AD CS web enrollment endpoint, which accepts the relayed handshake as the victim.
- Request a Certificate: Over the relayed session, the attacker submits a certificate request as the victim account, using a template that permits client authentication (DomainController for a DC's machine account, Machine for other computers, User for users).
- Persist and Escalate: With that certificate, the attacker can log in as the victim account for as long as the certificate is valid (a year by default for the built-in templates, potentially longer, and unaffected by password changes), request Kerberos tickets, or even recover the account's NT hash through PKINIT, which can then be used for pass-the-hash or cracked offline to obtain the clear-text password.
Real-World Scenarios
- From Machine to Domain Compromise: A single server running the Print Spooler service can be coerced into authenticating to the attacker; that authentication is relayed to AD CS and yields a certificate for the server's machine account. If that machine holds elevated rights (a domain controller has domain replication rights), the attacker now owns the domain.
- Zero to Domain Admin with PetitPotam: If the PetitPotam fix (CVE-2021-36942, August 2021) is missing from the environment, the EFSRPC interface can be used to coerce domain controller authentication without any credentials. This is a fast one-shot domain compromise that we still see from time to time, but ESC8 usually requires at least low-privileged AD credentials, because the PetitPotam patch is rarely missing nowadays and coercion with a domain account generally still works on patched systems.
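Before running any relay tooling, a defender or assessor can check both preconditions of the chain above (an enrollment endpoint that offers NTLM over plain HTTP, and a coercion surface such as Print Spooler on a domain controller) from any domain-joined host. The following script is an added example written for this article, not tooling from the original page or from any vendor; it assumes the RSAT ActiveDirectory module is installed, that the forest's Enrollment Services container lists every enterprise CA, and that the msPKI-Enrollment-Servers values follow the documented "priority, authentication, renewal-only, URL" layout. Host names are whatever your forest returns.

```powershell
# Added example (not from the original article): enumerate AD CS enrollment
# endpoints from AD and test whether each still answers NTLM over plain HTTP,
# then list which domain controllers run Print Spooler (printer-bug coercion).
Import-Module ActiveDirectory

# 1. Every enterprise CA is a pKIEnrollmentService object under the
#    Enrollment Services container of the forest configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$esBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$cas = Get-ADObject -SearchBase $esBase -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, 'msPKI-Enrollment-Servers'

# Candidate relay targets: classic web enrollment and NDES on each CA host over
# http://, plus any CES URL published in AD (assumed format:
# "priority`nauthentication`nrenewalOnly`nURL"; we keep only the URL).
$targets = foreach ($ca in $cas) {
    "http://$($ca.dNSHostName)/certsrv/"
    "http://$($ca.dNSHostName)/certsrv/mscep/mscep.dll"
    foreach ($entry in @($ca.'msPKI-Enrollment-Servers')) {
        ($entry -split "`n")[-1]
    }
}

function Test-EnrollmentEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    # Send an unauthenticated GET and read the WWW-Authenticate challenge.
    # A 401 offering NTLM (or Negotiate, which falls back to NTLM whenever
    # Kerberos is not possible) on an http:// URL is a relay target.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.Timeout = 5000
    $req.AllowAutoRedirect = $false
    $schemes = @()
    $status  = 'unreachable'
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            $status = [int]$resp.StatusCode
            $hdr = $resp.Headers.GetValues('WWW-Authenticate')
            if ($hdr) { $schemes = @($hdr | ForEach-Object { ($_ -split ' ')[0] }) }
            $resp.Close()
        }
        # No Response object means TCP/TLS failure (e.g. untrusted cert): stays 'unreachable'.
    }
    [pscustomobject]@{
        Url       = $Url
        Status    = $status
        Schemes   = ($schemes -join ',')
        Relayable = ($Url -like 'http://*' -and (($schemes -contains 'NTLM') -or ($schemes -contains 'Negotiate')))
    }
}

$targets | Sort-Object -Unique | ForEach-Object { Test-EnrollmentEndpoint $_ } | Format-Table -AutoSize

# 2. Coercion surface: Print Spooler running on a DC is what the printer-bug
#    scenario needs. (The EFSRPC interface PetitPotam uses cannot be judged
#    from a service state; rely on patch level and RPC filters for that.)
Get-ADDomainController -Filter * | ForEach-Object {
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $_.HostName `
           -Filter "Name='Spooler'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $_.HostName
        SpoolerState     = if ($svc) { $svc.State } else { 'unknown' }
    }
} | Format-Table -AutoSize
```

A row with Relayable = True on a CA host, combined with a DC whose SpoolerState is Running, is the exact configuration the two scenarios above rely on. An https:// row showing NTLM is not flagged by this check because the relay outcome there depends on Extended Protection, which cannot be read from the challenge alone; that setting is verified on the server itself.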
Preventing and Remediating ESC8
To defend against ESC8, IT administrators and security teams can take several key steps:
Immediate Preventive Measures
- Remove the AD CS HTTP endpoints if they are not required for day-to-day operations: uninstall the Web Enrollment, CES/CEP and NDES role services rather than leaving them installed but unused.
- Require HTTPS and set Extended Protection for Authentication (EPA) to Required on every enrollment site. EPA binds the NTLM exchange to the TLS channel it arrived on, so a relayed handshake no longer verifies. HTTPS alone does not stop the relay; without EPA the attacker simply relays to the https:// URL instead.
- Disable NTLM authentication wherever possible, particularly for enrollment services.
- Restrict outbound NTLM to reduce opportunities for relays.
- Audit certificate templates to ensure they don't allow unnecessary client authentication or domain computer enrollment.
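The settings that decide ESC8 live in the IIS configuration of the CA (and CES/CEP/NDES) server: SSL requirement, the Extended Protection level of Windows Authentication, and which authentication providers are offered. The following script is an added example for this article, not code from the original page or from Microsoft's KB; it reads those values for every enrollment path on the site, reports the weak defaults, and with -Apply sets the values KB5005413 recommends. It assumes the site is "Default Web Site" and that CES/CEP applications carry _CES_ / _CEP_ in their path, which is how the role-service installers name them; adjust both for your deployment and run it elevated on the web enrollment server.

```powershell
# Added example (not from the original article or KB5005413): audit, and with
# -Apply fix, the IIS settings behind ESC8 on an AD CS web enrollment server.
param(
    [string]$SiteName = 'Default Web Site',
    [switch]$Apply,
    [switch]$RemoveNtlm   # Kerberos-only; breaks clients that reach the CA by IP or from non-domain hosts
)
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'

# Paths carrying enrollment endpoints: /CertSrv (web enrollment), NDES under
# /CertSrv/mscep, and the *_CES_* / *_CEP_* applications (naming assumed).
$paths = @(
    Get-WebVirtualDirectory -Site $SiteName | Where-Object { $_.path -match '^/CertSrv' } | ForEach-Object { $_.path }
    Get-WebApplication -Site $SiteName | Where-Object { $_.path -match 'CertSrv|_CES_|_CEP_' } | ForEach-Object { $_.path }
) | Sort-Object -Unique

if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    Write-Warning "No HTTPS binding on '$SiteName'. Bind a TLS server certificate before requiring SSL or every client is locked out."
}

function Get-EndpointState {
    param([string]$Location)   # e.g. "Default Web Site/CertSrv"
    $ssl  = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter 'system.webServer/security/access'
    $epa  = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter "$winAuth/extendedProtection"
    $prov = Get-WebConfiguration -PSPath $appHost -Location $Location -Filter "$winAuth/providers/add" | ForEach-Object { $_.value }
    [pscustomobject]@{
        Location     = $Location
        RequireSsl   = ([string]$ssl.sslFlags -match 'Ssl')          # default: 'None'
        EpaRequired  = ([string]$epa.tokenChecking -eq 'Require')    # default: 'None'
        NtlmPossible = (($prov -contains 'NTLM') -or ($prov -contains 'Negotiate'))  # plain Negotiate can fall back to NTLM
        Providers    = ($prov -join ',')
    }
}

foreach ($p in $paths) {
    $loc = "$SiteName$p"
    $state = Get-EndpointState $loc
    if ($Apply) {
        # Require SSL on the endpoint (403.4 for plain HTTP).
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter 'system.webServer/security/access' `
            -Name 'sslFlags' -Value 'Ssl'
        # Extended Protection: Required, no proxy exemptions.
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/extendedProtection" `
            -Name 'tokenChecking' -Value 'Require'
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/extendedProtection" `
            -Name 'flags' -Value 'None'
        if ($RemoveNtlm) {
            # Leave only Negotiate:Kerberos so no NTLM fallback exists at all.
            foreach ($v in 'NTLM', 'Negotiate') {
                Remove-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/providers" `
                    -Name '.' -AtElement @{ value = $v } -ErrorAction SilentlyContinue
            }
            $current = Get-WebConfiguration -PSPath $appHost -Location $loc -Filter "$winAuth/providers/add" | ForEach-Object { $_.value }
            if ($current -notcontains 'Negotiate:Kerberos') {
                Add-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/providers" `
                    -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
            }
        }
        $state = Get-EndpointState $loc
    }
    $state
}
```

Run it once without -Apply to see the before state: a fresh Web Enrollment install reports RequireSsl False, EpaRequired False and Providers Negotiate,NTLM, which is the vulnerable configuration. After -Apply, RequireSsl and EpaRequired are both True; re-running the relay against either the http:// or https:// URL then fails, because the former is refused outright and the latter carries a channel binding the relayed client cannot produce. Use -RemoveNtlm only after confirming every enrollment client can obtain a Kerberos ticket for the site's host name.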
Additional Mitigation Guidance
- Refer to Microsoft KB5005413 for detailed vendor recommendations.
- Consider implementing RPC filters to block the remote interface UUIDs exploited by common coercion tools (MS-EFSR, MS-RPRN, MS-FSRVP, MS-DFSNM), and remove Print Spooler from domain controllers.
- Monitor certificate issuance on the CA (audit events 4886 and 4887) and certificate-based Kerberos logons on the domain controllers (4768 with pre-authentication type 16) for unusual enrollments or logons, especially those involving the machine accounts of domain controllers or Exchange servers.
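Two log queries cover the chain end to end: on the CA, a client-authentication certificate issued to a machine account through the web enrollment pages; on a domain controller, that machine account then authenticating with a certificate from a host that is not itself. The script below is an added example for this article, not part of the original page; it assumes CA auditing ("Issue and manage certificate requests") and the Kerberos Authentication Service audit subcategory are enabled so that 4887 and 4768 are actually logged, that the template list covers your client-authentication templates, and that 4768's supplied realm is the DNS domain name so the requester's own address can be resolved. The "UserAgent:" request attribute as a marker of the web enrollment pages is a heuristic to validate in your own environment.

```powershell
# Added example (not from the original article): hunt for ESC8 in CA and DC logs.
param(
    [int]$Hours = 24,
    [string[]]$ClientAuthTemplates = @('DomainController', 'DomainControllerAuthentication',
                                       'KerberosAuthentication', 'Machine', 'User')
)
$since = (Get-Date).AddHours(-$Hours)

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="x">value</Data>... into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 1. CA side (run on the CA): 4887 = certificate issued. Flag machine accounts
#    receiving a client-auth template. DCs normally get these by autoenrollment
#    over RPC/DCOM; a request carrying the web pages' attributes is the tell.
$issued = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4887; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        # Template arrives as a name or an OID inside the Attributes blob.
        $template = if ($d.Attributes -match 'CertificateTemplate:([^\s]+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            RequestId  = $d.RequestId
            Requester  = $d.Requester
            Template   = $template
            Subject    = $d.Subject
            ViaWebPage = ($d.Attributes -match 'UserAgent:')   # heuristic, see lead-in
        }
    } |
    Where-Object { $_.Requester -like '*$' -and ($ClientAuthTemplates -contains $_.Template) }

# 2. DC side (run on a DC): 4768 = TGT requested. PreAuthType 16 means PKINIT,
#    i.e. the account authenticated with a certificate. A machine account doing
#    that from an address other than its own is what a stolen certificate looks like.
$pkinit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = ConvertFrom-EventData $_; $d['Time'] = $_.TimeCreated; $d } |
    Where-Object { $_.PreAuthType -eq '16' -and $_.TargetUserName -like '*$' -and $_.Status -eq '0x0' } |
    ForEach-Object {
        $e      = $_
        $client = $e.IpAddress -replace '^::ffff:', ''
        $fqdn   = "$($e.TargetUserName.TrimEnd('$')).$($e.TargetDomainName)"
        $own    = @()
        try { $own = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }) } catch { }
        [pscustomobject]@{
            Time       = $e.Time
            Account    = $e.TargetUserName
            ClientIp   = $client
            ExpectedIp = ($own -join ',')
            Mismatch   = ($own.Count -gt 0 -and ($own -notcontains $client))
            CertIssuer = $e.CertIssuerName
            CertSerial = $e.CertSerialNumber
        }
    } |
    Where-Object { $_.Mismatch }

"== Client-auth certificates issued to machine accounts (CA) =="
$issued | Format-Table -AutoSize
"== PKINIT logons by machine accounts from foreign addresses (DC) =="
$pkinit | Format-Table -AutoSize
```

A DC account in the first table with ViaWebPage True, followed within minutes by the same account in the second table with a ClientIp that resolves to nothing in your server ranges, is the full ESC8 sequence; the CertSerial column links the 4768 back to the issued certificate so it can be revoked. The DCSync that follows shows up as 4662 events on the DC for the replication control-access rights, which the same client address will request.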
Impact on the Environment
Implementing these mitigations may cause short-term disruption:
- Requiring HTTPS means a TLS server certificate on every web enrollment server, a matching binding, and clients that use the host name the certificate and the Kerberos SPN cover.
- Limiting access to enrollment services may affect legacy workflows.
- Stronger authentication could require user reconfiguration or reauthentication.
However, the security gains far outweigh the inconvenience. Without remediation, ESC8 remains an open door to complete Active Directory takeover.
Closing Thoughts
ESC8 is a prime example of how a single overlooked configuration can lead to full compromise in minutes. With these types of attacks, attackers don't need advanced exploits; they can just abuse what's already there.
For organizations running AD CS, defending against ESC8 is critical. It's not an edge-case attack, but rather a well-documented, low-barrier-to-entry, highly impactful attack chain that adversaries and penetration testers alike continue to use successfully.
While checking your environment for conditions that enable the ESC8 attack, it's also worth learning about two other key AD CS attacks we commonly encounter: ESC1 and ESC4. At the time of writing, there are 16 known AD CS ESC attack vectors. ESC1, ESC4, and ESC8 are the ones we most commonly encounter during internal penetration tests.
Our Active Directory Security Hardening & Hygiene Checklist covers the most common issues we see during internal assessments and how to properly address them.
Have a question about this article or a security challenge of your own?
Vilkas Cybersecurity helps organizations uncover and fix identity-driven attack chains. Fill out the form, and we'll get back to you shortly.