By NHI Mgmt Group Editorial Team | Published 2026-01-27 | Domain: Best Practices | Source: Netwrix

TL;DR: Certificate governance and identity research must now treat misconfiguration as an active privilege-escalation surface, not just a configuration issue, according to Netwrix. Its Security Research team is building Threat Prevention 8.0 controls for AD CS attack paths, including blocking suspicious certificate template enrollments and follow-on escalation patterns, while also expanding coverage into Entra ID, virtualization, and common identity attack education.


At a glance

What this is: Netwrix is using its research program to shape controls for AD CS attack paths, certificate template abuse, and adjacent identity attack surfaces.

Why it matters: IAM, NHI, and security teams should treat certificate services and identity platforms as escalation paths that require governance, detection, and policy enforcement, not just hardening.

By the numbers:



Context

AD CS certificate templates are identity infrastructure, not just PKI plumbing. When a template allows a subject alternative name or enrolment path that can be abused, the result is often privilege escalation from ordinary authenticated access into higher-value identity control.

That matters because identity programmes already struggle to govern non-human and machine credentials with clear lifecycle controls. The same governance mindset used for service accounts, tokens, and workload identities also applies to certificate templates, which can become a durable path into domain-level access when misconfigured.


Key questions

Q: What breaks when certificate templates allow unsafe enrollment and identity stamping?

A: When templates allow broad enrollment or identity stamping, ordinary authenticated users can convert a routine certificate request into a trusted authentication artifact. That breaks the assumption that issuance only reflects approved identity binding. The result is privilege escalation through a channel that often looks legitimate to the certificate authority but bypasses the intended access boundary.

Q: Why do misconfigured certificate services increase lateral movement and escalation risk?

A: Misconfigured certificate services increase risk because certificates can outlive the request session and function as durable credentials. If template permissions are too broad, an attacker can use a low-privilege foothold to mint identity material that enables higher privilege access. That turns the certificate authority into an escalation bridge instead of a trust boundary.

Q: How should teams govern certificate templates as part of identity security?

A: Teams should govern certificate templates like privileged identity assets. That means named ownership, explicit business justification, permission review, change control for identity-mapping fields, and policy checks on enrollment metadata. If a template can alter who a certificate represents, it belongs inside identity governance and privileged access review processes.

Q: Which frameworks apply to AD CS template abuse and identity escalation?

A: The most relevant frameworks are NIST Cybersecurity Framework 2.0 for access governance, OWASP-NHI for non-human credential and privilege control patterns, and NIST Zero Trust Architecture for limiting trust in issued identity artifacts. Together they support review of enrollment rights, privilege boundaries, and continuous validation.


Technical breakdown

How AD CS template abuse turns enrollment into escalation

Active Directory Certificate Services lets organisations issue certificates from templates that define who can enrol, what identity fields can be stamped, and which authentication uses are permitted. In classic ESC1 and ESC3-style abuse, an attacker with ordinary authenticated access finds a template that allows dangerous subject control or broad enrolment, then requests a certificate that can be used for higher privilege authentication. The problem is not certificate issuance itself. The problem is that enrollment rules, identity mapping, and template permissions can combine into an escalation path that looks legitimate to the CA while bypassing intended privilege boundaries.

Practical implication: review certificate template permissions and identity-mapping rules as access controls, not just PKI settings.
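The review described above can be expressed as a static check over template attributes. The following is an added example, not Netwrix code: it models each template with the LDAP attributes AD CS stores on the template object (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) and flags the ESC1 combination (low-privilege enrollment, no approval gate, requester-controlled subject, authentication-capable EKU) and the ESC3 combination (low-privilege enrollment on a template carrying the Certificate Request Agent EKU). The sample templates, the principal names such as "PKI Admins", and the assumption that Enroll rights arrive as a plain list rather than a parsed nTSecurityDescriptor are all constructed for the example.

```python
"""Static audit of AD CS certificate templates for escalation-ready settings.

Added example, not Netwrix code. Templates are modelled with the LDAP attributes
AD CS stores on each template object; the sample templates and the principal
names are constructed. A real audit would pull the objects from the Public Key
Services container and parse nTSecurityDescriptor for the Enroll right; here
the enrollment principals are given as a plain list (an assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Flag bits as documented in MS-CRTD.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that make a certificate usable to authenticate a principal to AD.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"

# Principals whose Enroll right means every ordinary account can request.
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signature: int            # msPKI-RA-Signature: authorised signatures required
    ekus: List[str] = field(default_factory=list)               # pKIExtendedKeyUsage
    enroll_principals: List[str] = field(default_factory=list)  # holders of Enroll
    published: bool = True       # listed in a CA's certificateTemplates attribute


def allows_authentication(t: Template) -> bool:
    # An empty EKU list means "any purpose", which includes client authentication.
    return not t.ekus or bool(AUTH_EKUS & set(t.ekus))


def low_priv_can_enroll(t: Template) -> bool:
    return bool(LOW_PRIV_PRINCIPALS & set(t.enroll_principals))


def audit_template(t: Template) -> List[str]:
    """Return escalation findings for one template; an empty list means none."""
    if not t.published or not low_priv_can_enroll(t):
        return []
    # Manager approval or a required co-signature inserts a check before issuance,
    # so a request cannot be converted into a credential silently.
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS or t.ra_signature > 0:
        return []
    findings = []
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_authentication(t):
        findings.append("ESC1: requester controls the subject on an authentication-capable template")
    if CERT_REQUEST_AGENT_EKU in t.ekus:
        findings.append("ESC3: ordinary users can obtain an enrollment agent certificate")
    return findings


def audit(templates: List[Template]) -> Dict[str, List[str]]:
    """Map template name -> findings, omitting templates with nothing to report."""
    return {t.name: f for t in templates if (f := audit_template(t))}


# Constructed sample: one ESC1 candidate, one ESC3 candidate, three safe variants.
SAMPLE_TEMPLATES = [
    Template("VPN-Users", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    Template("VPN-Users-Gated", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0, ["1.3.6.1.5.5.7.3.2"], ["Domain Users"]),
    Template("WebServer-Legacy", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.1"], ["Domain Users"]),
    Template("Enrollment-Agent", 0x0, 0x0, 0, [CERT_REQUEST_AGENT_EKU], ["Authenticated Users"]),
    Template("Admin-Logon", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], ["PKI Admins"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The two "safe" variants of the VPN template show the point of the section: the same subject-control flag is harmless once an approval gate exists or once the EKU cannot authenticate a principal, so the finding is about the combination of settings, not any one of them.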

Why blocking suspicious SAN and UPN stamping matters

A common abuse pattern is to request a certificate while supplying a user principal name in the subject alternative name extension so the resulting certificate maps to a different identity. That is especially dangerous when the request can be automated with tools such as Certify.exe and the template does not constrain who can request, what can be stamped, or how the certificate is validated. Once issued, the certificate may function as a durable authentication artifact. In other words, the dangerous moment is not only issuance. It is the combination of permissive request metadata and insufficient validation at enrollment time.

Practical implication: apply policy controls that block suspicious SAN and UPN stamping before certificate issuance succeeds.
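The following is an added example of the request-time check this section calls for; it is not Netwrix's ADCS Lockdown policy and uses no AD CS API. It takes an already-parsed request (requester identity, template, subject, SAN entries) and decides before issuance whether a request-supplied UPN is acceptable: a UPN that matches the authenticated requester is allowed, a UPN naming someone else is allowed only on templates designed for it and only from a registered enrollment agent, and a UPN naming a protected Tier-0 account is always rejected. The template names, the agent account, the protected accounts and the sample requests are constructed; where such a check runs in production (a CA policy module or an agent in the request path) is an assumption about deployment.

```python
"""Request-time policy that rejects suspicious SAN/UPN stamping before issuance.

Added example, not Netwrix code and not an AD CS API. The request is a small
dataclass populated from an already-parsed CSR; all sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Templates whose design legitimately carries a request-supplied UPN (assumed names).
SAN_PERMITTED_TEMPLATES = {"SmartcardLogon-Agent"}
# Requesters allowed to name a different identity, keyed by template (assumed).
ENROLLMENT_AGENTS = {"SmartcardLogon-Agent": {"ea-svc@corp.example"}}
# Tier-0 identities that must never be named through a request-supplied SAN (assumed).
PROTECTED_UPNS = {"administrator@corp.example", "krbtgt@corp.example"}


@dataclass
class CertRequest:
    requester_upn: str          # identity that authenticated to the CA
    template: str
    subject_cn: str
    san: List[str] = field(default_factory=list)  # e.g. ["upn=alice@corp.example", "dns=host1"]


def san_upns(req: CertRequest) -> List[str]:
    """Extract the UPN entries from the SAN list, normalised to lower case."""
    upns = []
    for entry in req.san:
        kind, _, value = entry.partition("=")
        if kind.strip().lower() == "upn" and value.strip():
            upns.append(value.strip().lower())
    return upns


def evaluate(req: CertRequest) -> Tuple[bool, str]:
    """Return (allow, reason). Intended to run before the CA signs anything."""
    upns = san_upns(req)
    if not upns:
        return True, "no UPN in SAN; identity comes from the template's subject rules"
    requester = req.requester_upn.lower()
    for upn in upns:
        if upn in PROTECTED_UPNS:
            return False, f"SAN names protected identity {upn}"
        if upn == requester:
            continue                       # a user naming themselves is not escalation
        if req.template not in SAN_PERMITTED_TEMPLATES:
            return False, f"template {req.template} may not carry a request-supplied UPN"
        if requester not in ENROLLMENT_AGENTS.get(req.template, set()):
            return False, f"{requester} is not an enrollment agent for {req.template}"
    return True, "UPN matches requester or requester is an authorised agent"


# Constructed sample requests covering each branch of the policy.
SAMPLE_REQUESTS = [
    CertRequest("alice@corp.example", "User", "alice", ["upn=alice@corp.example"]),
    CertRequest("alice@corp.example", "VPN-Users", "alice", ["upn=Administrator@corp.example"]),
    CertRequest("alice@corp.example", "VPN-Users", "alice", ["upn=bob@corp.example", "dns=laptop7"]),
    CertRequest("ea-svc@corp.example", "SmartcardLogon-Agent", "bob", ["upn=bob@corp.example"]),
    CertRequest("mallory@corp.example", "SmartcardLogon-Agent", "bob", ["upn=bob@corp.example"]),
    CertRequest("alice@corp.example", "WebServer", "web01", ["dns=web01.corp.example"]),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allow, reason = evaluate(req)
        print("ALLOW" if allow else "DENY ", req.requester_upn, req.template, "->", reason)
```

The ordering of the checks is deliberate: the protected-identity rule runs first so that even a correctly registered agent cannot stamp a Tier-0 name, and the decision is returned with a reason so the same logic can feed an audit record of what was refused and why.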

Why identity research now includes Entra ID and virtualization paths

The article shows a broader identity security pattern. Modern identity research is expanding beyond classic directory attack paths into cloud identity components, preview services, and virtualization platforms because attackers follow trust relationships, not product boundaries. Entra ID, AD CS, and platform-native identity components can each become stepping stones if their enrolment, assessment, or delegated access models are loosely governed. For practitioners, this means the attack surface is now a graph of identities and trust edges, not a set of isolated systems.

Practical implication: extend attack-path analysis across directory, cloud identity, and virtualization domains in one governance model.
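The "graph of identities and trust edges" view can be made concrete with a small path-analysis routine. The following is an added example, not Netwrix code: it builds a constructed trust graph spanning a directory template, domain groups, a sync server, a cloud identity role and a virtualization platform, enumerates every path from ordinary authenticated access to the high-value nodes, and ranks edges by how many paths run through them so a governance team can see which single control to fix. Every node name and edge label is constructed for the example; the edge labels describe relationships, not product features.

```python
"""Cross-domain attack-path analysis over a constructed trust graph.

Added example, not Netwrix code. Nodes are identity controls across directory,
cloud identity and virtualization; an edge means the holder of the source can
reach the target. All names and labels are constructed.
"""
from collections import Counter, deque
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]   # (source, label, target)

TRUST_EDGES: List[Edge] = [
    ("Authenticated Users", "enroll", "Template:VPN-Users"),
    ("Authenticated Users", "enroll", "Template:WebServer"),
    ("Template:VPN-Users", "issues-auth-cert-as", "Domain Admins"),   # the ESC1 condition
    ("Domain Admins", "local-admin-on", "Server:SYNC01"),
    ("Server:SYNC01", "holds-sync-credential-for", "Entra ID:Directory-Sync"),
    ("Domain Admins", "member-of", "vSphere:Administrators"),
    ("vSphere:Administrators", "controls-host-of", "DC01 (virtual)"),
]
HIGH_VALUE: Set[str] = {"Entra ID:Directory-Sync", "DC01 (virtual)"}


def adjacency(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, label, dst in edges:
        adj.setdefault(src, []).append((label, dst))
    return adj


def find_paths(edges: List[Edge], start: str, targets: Set[str], max_depth: int = 8) -> List[List[Edge]]:
    """Enumerate simple paths from start to any target, each as a list of edges."""
    adj = adjacency(edges)
    paths: List[List[Edge]] = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node in targets:
            paths.append(path)
            continue
        if len(path) >= max_depth:
            continue
        visited = {start} | {dst for _, _, dst in path}
        for label, dst in adj.get(node, []):
            if dst not in visited:
                queue.append((dst, path + [(node, label, dst)]))
    return paths


def chokepoints(paths: List[List[Edge]]) -> List[Tuple[Edge, int]]:
    """Edges ranked by how many paths they carry; the first is the best single cut."""
    return Counter(e for p in paths for e in p).most_common()


def remove_edge(edges: List[Edge], edge: Edge) -> List[Edge]:
    """Model a remediation (e.g. fixing a template) by dropping one trust edge."""
    return [e for e in edges if e != edge]


if __name__ == "__main__":
    paths = find_paths(TRUST_EDGES, "Authenticated Users", HIGH_VALUE)
    print(f"{len(paths)} path(s) from Authenticated Users to high-value nodes")
    for p in paths:
        print("  " + " -> ".join(f"{s} [{l}]" for s, l, _ in p) + " -> " + p[-1][2])
    print("chokepoints:", chokepoints(paths)[:2])
    fixed = remove_edge(TRUST_EDGES, ("Template:VPN-Users", "issues-auth-cert-as", "Domain Admins"))
    print(len(find_paths(fixed, "Authenticated Users", HIGH_VALUE)), "path(s) after fixing the template")
```

In the constructed graph both cross-domain paths run through the one misconfigured template, so removing that edge leaves no route from ordinary access to the cloud sync role or the virtual domain controller; that is the argument for analysing directory, cloud and virtualization trust in one model rather than per product.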


Threat narrative

Attacker objective: The attacker’s objective is to convert low-privilege authenticated access into trusted certificate-backed privilege escalation and domain control.

  1. Entry: An attacker starts with authenticated access and targets a certificate template that allows dangerous enrollment or identity stamping.
  2. Escalation: The attacker abuses the template to obtain a certificate that maps to a higher-privilege identity, such as a domain-admin-capable context.
  3. Impact: The issued certificate becomes a trusted authentication artifact that can support broader domain compromise and persistence.

  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate templates are identity policy objects, not infrastructure defaults. The article reinforces that the real control surface in AD CS is the template, because enrolment rights, subject stamping, and authentication mapping determine whether issuance is safe or escalation-ready. When those settings drift, the certificate authority becomes an identity escalation engine rather than a trust service. Practitioners should treat template review as part of identity governance, not as an isolated PKI task.

Misconfigured certificate enrollment creates identity blast radius. The dangerous feature is not one specific attack tool. It is the ability for ordinary authenticated users to convert a normal request into a high-value authentication token through permissive template logic. That shifts the security problem from perimeter defence to entitlement design, where the blast radius expands whenever template scope is broader than the identity it is meant to serve. The conclusion is clear: certificate governance must be scoped like privileged access.

Identity research is widening because attack paths now cross directory, cloud, and platform layers. The article’s move from AD CS into Entra ID and virtualization shows that attackers are not staying inside one identity domain. They are following trust edges across environments, which means governance teams need a graph view of identity dependencies. A narrow control view misses the path composition that makes escalation possible, so practitioners should assess cross-domain identity exposure as a single problem space.

Ephemeral policy enforcement is becoming a necessary pattern for identity abuse prevention. The new ADCS Lockdown policy is a good example of blocking a dangerous action at request time rather than relying on later detection. That design matters because certificate abuse is often low-noise once a template is reachable, and post-issuance cleanup may be too late. The practitioner takeaway is to shift from audit-only visibility to prevention at the point where request metadata becomes trusted identity.

AD CS attack paths expose a broader governance gap in lifecycle oversight. The same discipline that governs NHI offboarding and entitlement recertification should apply to certificate templates, because standing request rights can persist long after the business justification is gone. That is why this class of issue belongs in identity governance, not just security engineering. Teams should think in terms of lifecycle, ownership, and review cadence for templates and enrollment permissions.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • Carry that same governance logic into certificate templates, because privileged identity artifacts need lifecycle control just as much as API keys do, as described in the Ultimate Guide to NHIs.

What this signals

Certificate abuse belongs in the same governance conversation as NHI privilege sprawl. When identity artifacts can be minted or mapped into higher privilege, the programme failure is rarely technical alone. It is a governance gap in review cadence, ownership, and trust boundaries, which is why identity teams should assess template and entitlement scope together.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the broader signal is that identity teams are still over-trusting durable credentials and issued artifacts. Certificate governance, workload identity, and service account oversight need to converge around the same entitlement discipline.

Identity blast radius: any control that can mint or map trust to a stronger identity should be treated as a privileged path. That means AD CS, cloud identity components, and platform-native enrollment flows should be assessed as one attack graph rather than three separate tools.


For practitioners

  • Inventory certificate templates with escalation potential: Identify every template that allows broad enrolment, subject alternative name control, or identity mapping changes. Rank them by the privilege they can reach, then review ownership and business justification on a recurring basis.
  • Block dangerous request metadata at enrollment time: Use policy enforcement to reject suspicious SAN and UPN stamping before a certificate is issued. Focus on templates where automated request tooling could turn an ordinary enrollment into a privileged authentication artifact.
  • Treat certificate templates as governed identity assets: Assign an owner, document the intended identity binding, and require change control for template edits that affect authentication or enrolment scope. This prevents templates from drifting into unintended privilege paths.
  • Extend attack-path analysis into cloud identity and virtualization: Map how Entra ID components, directory services, and virtualization platforms can chain together in the same escalation graph. Review trust relationships where one identity control can be used to reach another.

Key takeaways

  • AD CS template abuse turns identity issuance into a privilege-escalation path when enrollment and mapping rules are too broad.
  • The scale of the problem is governance, not just tooling, because certificate services can become trusted attack paths once template scope drifts.
  • Teams should treat certificate templates, SAN stamping, and identity-mapping rules as privileged controls that require ownership, review, and policy enforcement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Certificate template abuse is a privileged credential governance problem.
NIST CSF 2.0 | PR.AC-4 | Template permissions and enrollment rights govern access boundaries.
NIST Zero Trust (SP 800-207) | PR.AC | Issued certificates should not be treated as inherently trusted identity proof.

Continuously validate certificate-backed identity and constrain trust by context and least privilege.


Key terms

  • Certificate Template Abuse: Certificate template abuse happens when an attacker or misconfiguration turns a normal enrollment template into a path for stronger identity than intended. In practice, the template controls who can request, what identity data can be stamped, and whether the resulting certificate can be used for elevated authentication.
  • Subject Alternative Name Stamping: Subject alternative name stamping is the practice of placing identity attributes, such as a user principal name, into a certificate request or issued certificate. When it is not tightly constrained, it can let a certificate map to an identity that differs from the requester, creating escalation risk.
  • Identity Blast Radius: Identity blast radius is the amount of access or trust that can be reached if one identity control is abused. In certificate environments, a broad template or permissive mapping rule can turn a single issuance path into domain-wide impact because the certificate becomes a trusted authentication artifact.
  • Enrollment Rights: Enrollment rights are the permissions that determine who can request a certificate from a template. They are a governance control, not just a technical setting, because overly broad rights can let ordinary users obtain credentials that were never meant to support privileged access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: Introduction to Netwrix's Security Research. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org