
COMING SOONIntermediatePRO
AD CS ESC1: Certificate Template Abuse to Domain Admin
An ordinary user becomes a Domain Admin without stealing a password. A misconfigured certificate template lets the enrollee supply the subject, so the user requests a certificate whose Subject Alternative Name names a Domain Admin, and the CA issues it. The forged certificate is then used for PKINIT to authenticate as that admin. Work the certificate-authority records, the endpoint process tree, and the domain controller's Kerberos logs to reconstruct the escalation.
50m
5 tasks
50 points
ProLaunches in 5 days
Jul 21, 2026
View Pro plansTuesday, July 21, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
SIEMXDR
What you'll investigate
5 objectives unlock when this operation goes live.
1Find the foothold
2Identify who was impersonated
3Tie the request together
4Follow the certificate to the ticket
5Classify the credential-access technique
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 21, 2026, you can jump straight in.
Get Started Free