AD CS attack paths and identity research: what teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7432
Topic starter  

TL;DR: Certificate governance and identity research must now treat misconfiguration as an active privilege-escalation surface, not just a configuration issue, according to Netwrix. Its Security Research team is building Threat Prevention 8.0 controls for AD CS attack paths, including blocking suspicious certificate template enrollments and follow-on escalation patterns, while also expanding coverage into Entra ID, virtualization, and common identity attack education.

NHIMG editorial — based on content published by Netwrix: Introduction to Netwrix's Security Research

Questions worth separating out

Q: What breaks when certificate templates allow unsafe enrollment and identity stamping?

A: When a template lets a broad set of principals enroll and also lets the requester supply the subject or subject alternative name (SAN), an ordinary authenticated user can request a certificate that names a privileged account and, if the template carries an authentication-capable EKU, use that certificate to log on as that account. A routine enrollment becomes a trusted authentication artifact.

Q: Why do misconfigured certificate services increase lateral movement and escalation risk?

A: A certificate issued by an enterprise CA is accepted for authentication for its entire validity period, independent of the request session and of the password of the account it names; resetting that password does not invalidate it. An attacker who obtains one therefore holds a durable credential that works against every host and service trusting the CA, which turns a single template misconfiguration into both a lateral-movement and a privilege-escalation path, and one that survives the usual credential-rotation response.

Q: How should teams govern certificate templates as part of identity security?

A: Teams should govern certificate templates like privileged identity assets: know who owns each one, who can enroll, whether the requester controls the subject or SAN, which EKUs it grants, and whether manager approval or enrollment-agent signatures gate issuance, and review changes to those settings with the same rigor as changes to privileged group membership.

Practitioner guidance

  • Inventory certificate templates with escalation potential: identify every template that allows broad enrollment, requester control of the subject or subject alternative name, or changes to how the certificate maps to an identity.
  • Block dangerous request metadata at enrollment time: use policy enforcement to reject suspicious SAN and UPN stamping before a certificate is issued, rather than relying on revocation afterward.
  • Treat certificate templates as governed identity assets: assign an owner, document the intended identity binding, and require change control for template edits that affect authentication or enrollment scope.
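
The inventory step above is the one most teams can start today. The script below is an added example, not code from Netwrix or from the NHIMG post, showing how to triage every template in the forest for the ESC1-style combination: requester-supplied subject/SAN, an authentication-capable EKU, no manager-approval or enrollment-agent gate, and enrollment rights granted to a broad principal. It assumes the RSAT ActiveDirectory module, a domain-joined session, and read access to the Configuration naming context; the function names, the `$BroadPrincipals` list and the `Finding` labels are this example's own choices. It reads the template attributes documented in MS-CRTD (`msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-RA-Signature`, `pKIExtendedKeyUsage`) and the template ACL; it does not look at CA-level settings or at the ESC2/ESC3 enrollment-agent patterns the source article covers.

```powershell
# Added example (not Netwrix's code): triage AD CS certificate templates for
# ESC1-style escalation potential. Assumes the RSAT ActiveDirectory module,
# a domain-joined session, and read access to the Configuration NC.
Import-Module ActiveDirectory

# Flag bits and EKU OIDs as documented in MS-CRTD / MS-WCCE.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester sets subject/SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)
# Principals that make "who can enroll" effectively mean "any account" (example list, extend as needed).
$BroadPrincipals = '(Domain Users|Domain Computers|Authenticated Users|Everyone|Users)$'

function Test-AuthCapableEku {
    param([string[]]$Ekus)
    # An empty EKU list means the certificate is valid for any purpose, including logon.
    if (-not $Ekus) { return $true }
    foreach ($oid in $Ekus) { if ($AuthEkus -contains $oid) { return $true } }
    return $false
}

function Test-BroadEnrollment {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $BroadPrincipals) { continue }
        # GenericAll, or an ExtendedRight ACE covering Enroll/AutoEnroll (or all extended rights).
        if ($ace.ActiveDirectoryRights.HasFlag($ga)) { return $true }
        if ($ace.ActiveDirectoryRights.HasFlag($er) -and
            ($ace.ObjectType -eq [guid]::Empty -or
             $ace.ObjectType -eq $EnrollRightGuid -or
             $ace.ObjectType -eq $AutoEnrollRightGuid)) {
            return $true
        }
    }
    return $false
}

function Get-RiskyCertificateTemplate {
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $props = @('displayName', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
               'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor')

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
    ForEach-Object {
        # Missing attributes cast to 0, which is the safe (not-set) reading for every flag here.
        $suppliesSubject = ([int]$_.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $needsApproval   = ([int]$_.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
        $needsSignatures = ([int]$_.'msPKI-RA-Signature') -gt 0
        $authEku         = Test-AuthCapableEku -Ekus $_.pKIExtendedKeyUsage
        $broadEnroll     = Test-BroadEnrollment -Acl $_.nTSecurityDescriptor

        $finding = if ($suppliesSubject -and $authEku -and -not $needsApproval -and -not $needsSignatures -and $broadEnroll) {
            'ESC1-style: low-privileged requester can set the subject on a logon-capable certificate'
        } elseif ($suppliesSubject -and $authEku) {
            'review: requester-supplied subject on an auth template (currently gated by approval, signatures or ACL)'
        } else { 'ok' }

        [pscustomobject]@{
            Template        = $_.displayName
            SuppliesSubject = $suppliesSubject
            AuthEku         = $authEku
            ManagerApproval = $needsApproval
            RASignatures    = $needsSignatures
            BroadEnrollment = $broadEnroll
            Finding         = $finding
        }
    }
}

# Usage: list only the templates that need attention.
Get-RiskyCertificateTemplate | Where-Object Finding -ne 'ok' | Format-Table -AutoSize
```

Two caveats when reading the output. A template that is in the `review` bucket is only as safe as the gate that currently protects it, so a later edit that removes manager approval or widens the enrollment ACL silently promotes it to the `ESC1-style` bucket; that is exactly the change-control point in the third bullet above. And a template that is risky on paper is only exploitable if it is published on a CA, so pair this list with the CA's published-template set before prioritising fixes.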

What's in the full article

Netwrix's full blog covers the operational detail this post intentionally leaves for the source:

  • The AD CS Lockdown policy logic and how it blocks suspicious certificate template enrollments at request time.
  • The specific ESC1 to ESC3 template abuse scenarios the research team used to shape detection and prevention.
  • The blocked Certify.exe enrollment example and what the denial indicates operationally.
  • The upcoming research areas in Entra ID, virtualization, and attack catalog expansion.

👉 Read Netwrix's analysis of AD CS attack paths and identity research →
