Skip to main content
AD CS ESC1: Certificate Template Abuse to Domain Admin operation cover
COMING SOONIntermediatePRO

AD CS ESC1: Certificate Template Abuse to Domain Admin

An ordinary user becomes a Domain Admin without stealing a password. A misconfigured certificate template lets the enrollee supply the subject, so the user requests a certificate whose Subject Alternative Name names a Domain Admin, and the CA issues it. The forged certificate is then used for PKINIT to authenticate as that admin. Work the certificate-authority records, the endpoint process tree, and the domain controller's Kerberos logs to reconstruct the escalation.

50m
5 tasks
50 points
Pro

Launches in 5 days

Jul 21, 2026

Tuesday, July 21, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMXDR

What you'll investigate

5 objectives unlock when this operation goes live.

1Find the foothold
2Identify who was impersonated
3Tie the request together
4Follow the certificate to the ticket
5Classify the credential-access technique

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 21, 2026, you can jump straight in.

Get Started Free