Active Directory Certificate Services (ADCS) is Tier-0 infrastructure: a CA that issues logon certificates can mint a credential for any account in the forest. Yet in many enterprises it operates with limited visibility, weak posture controls and configuration drift that silently enables certificate-based domain compromise.
PKI Insights continuously analyzes your ADCS environment to detect the misconfiguration classes behind the SpecterOps ESC abuse paths and the NTLM relay attacks that coercion tools such as PetitPotam feed, before attackers can weaponize them.
What Are PetitPotam and the SpecterOps ESC Vulnerabilities?
PetitPotam, disclosed in 2021 and followed by a Microsoft advisory (ADV210003) with mitigation guidance in KB5005413, showed how an attacker could coerce a Windows host, including a domain controller, into authenticating with NTLM over the MS-EFSRPC interface, and then relay that authentication to services that still accept NTLM, such as the Active Directory Certificate Services web enrollment endpoints.
In the same period, SpecterOps published the Certified Pre-Owned research, which catalogued multiple ADCS abuse paths under escalation numbers (ESC1 through ESC8) and showed how misconfigured certificate templates, CA permissions and enrollment endpoints could be used to impersonate users, escalate privileges and establish long-lived domain persistence. Those findings moved PKI from a background infrastructure component to a first-class identity security risk for enterprises.
Why ADCS Is a Prime Target for Attackers
Modern identity attacks no longer rely solely on password theft or malware. Instead, attackers abuse certificate trust to gain persistent, stealthy access. Common characteristics of ADCS-based attacks:
- No malware required: the attacker uses the enrollment and authentication protocols as designed
- Difficult to detect with SIEM or EDR, because issuance is a legitimate CA operation and the certificate can be used from any host
- Abuse legitimate certificate issuance rather than stolen passwords
- Often remain undetected for months; a certificate keeps working until it expires or is revoked, even after the account's password changes
"When ADCS is misconfigured, attackers don’t break in - they log in"
Understanding the ADCS Attack Landscape
SpecterOps ESC Abuse Techniques
SpecterOps identified multiple ADCS misconfiguration classes (ESC1–ESC8) that enable privilege escalation, lateral movement, and domain persistence. These abuses stem from:
- Over-permissive certificate templates (for example, the requester may supply the subject name)
- Weak enrollment permissions (Domain Users, Authenticated Users or Everyone able to enroll)
- Insecure EKU usage (Any Purpose, no EKU at all, or client-authentication EKUs on broadly enrollable templates)
- CA-level access control and configuration flaws (ManageCA / ManageCertificates rights, the EDITF_ATTRIBUTESUBJECTALTNAME2 flag)
- HTTP enrollment endpoints that accept relayed NTLM authentication (ESC8)
Where PetitPotam Fits
PetitPotam is an NTLM coercion technique: it abuses the MS-EFSRPC interface to make a Windows host, typically a domain controller, authenticate to a machine the attacker controls. On its own that authentication is of little use. It becomes critical when ADCS exposes an HTTP enrollment endpoint (web enrollment or the Certificate Enrollment Web Service) that accepts NTLM, because the attacker can relay the coerced authentication there, obtain a certificate for the coerced machine account, and use that certificate to authenticate to the domain with Kerberos PKINIT (the SpecterOps ESC8 path). A certificate issued this way keeps working after the account's password changes, for as long as it is valid and not revoked.
"PetitPotam is not the root cause - ADCS configuration is"
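Whether a coerced authentication can actually be relayed depends on how each HTTP enrollment endpoint is configured, which is also what the NTLM relay and coercion exposure checks later on this page look at. The following is an added example, not PKI Insights code: it applies the decision rules from Microsoft's KB5005413 mitigation guidance (relay works wherever NTLM is still accepted over a channel without Extended Protection for Authentication) to constructed endpoint records. The hostnames, application paths and settings are constructed stand-ins for what an administrator would read out of IIS (windowsAuthentication providers, extendedProtection tokenChecking, SSL requirement); it covers the HTTP enrollment interfaces only.

```python
"""Relay-exposure triage for AD CS HTTP enrollment endpoints.

Added example, not PKI Insights code. Each Endpoint is a constructed record of
what an administrator would read out of IIS for the Web Enrollment (/certsrv)
and Certificate Enrollment Web Service (CES) applications. The rules follow
KB5005413: a relayed NTLM authentication is accepted wherever NTLM is still
offered and nothing binds the authentication to a TLS channel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    app: str                 # IIS application path, e.g. "/certsrv"
    scheme: str              # "http" or "https" listener the application answers on
    providers: tuple         # windowsAuthentication providers, in IIS order
    epa: str                 # extendedProtection tokenChecking: "None", "Allow" or "Require"


def accepts_ntlm(providers):
    """Plain 'Negotiate' (SPNEGO) falls back to NTLM when Kerberos is not
    available, so only a 'Negotiate:Kerberos'-only list rules NTLM out."""
    return any(p in ("NTLM", "Negotiate") for p in providers)


def relay_exposure(ep):
    """Return (relayable, reason) for one endpoint.

    A coerced NTLM authentication (for example PetitPotam against a DC) can be
    relayed here when the endpoint still accepts NTLM and the authentication is
    not bound to the TLS channel."""
    if not accepts_ntlm(ep.providers):
        return False, "NTLM not accepted (Kerberos-only providers)"
    if ep.scheme == "http":
        return True, "NTLM accepted over plain HTTP; EPA cannot apply without TLS"
    if ep.epa != "Require":
        return True, (f"NTLM accepted over HTTPS with tokenChecking={ep.epa}; "
                      "clients that omit channel binding are still served")
    return False, "NTLM over HTTPS with EPA required (channel binding enforced)"


def exposed_endpoints(inventory):
    """Endpoints to which an attacker could relay coerced authentication."""
    return [ep for ep in inventory if relay_exposure(ep)[0]]


# Constructed inventory: one CA as typically installed, the same CA after a partial
# fix, and a hardened CA with a Kerberos-only CES instance.
INVENTORY = [
    Endpoint("ca01.corp.example", "/certsrv", "http", ("Negotiate", "NTLM"), "None"),
    Endpoint("ca01.corp.example", "/certsrv", "https", ("Negotiate", "NTLM"), "Allow"),
    Endpoint("ca02.corp.example", "/certsrv", "https", ("Negotiate", "NTLM"), "Require"),
    Endpoint("ca02.corp.example", "/CA02_CES_Kerberos", "https", ("Negotiate:Kerberos",), "Require"),
]

if __name__ == "__main__":
    for ep in INVENTORY:
        relayable, why = relay_exposure(ep)
        tag = "EXPOSED" if relayable else "ok     "
        print(f"{tag} {ep.scheme}://{ep.host}{ep.app}: {why}")
```

The second record is the case that catches people out: adding HTTPS without setting Extended Protection to Require leaves the endpoint relayable, because a relay client simply omits the channel binding token and the server still serves it. Requiring EPA on every HTTPS application and removing the plain HTTP listener (or disabling NTLM on the IIS applications altogether) closes the HTTP relay path.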
How PKI Insights Detects Both ESC and PetitPotam Risks
ADCS Posture & ESC Detection
PKI Insights continuously analyzes:
- Certificate template permissions and ownership
- EKU misuse (Client Authentication, Smart Card Logon, Any Purpose or no EKU on broadly enrollable templates)
- Enrollment agent abuse paths
- CA security settings and policy alignment
- Weak cryptographic parameters
- Long-lived authentication certificates
Each finding is mapped to the corresponding SpecterOps ESC technique.
NTLM Relay & Coercion Exposure Detection
PKI Insights identifies:
- HTTP enrollment endpoints (web enrollment, Certificate Enrollment Web Service) that still accept NTLM
- Endpoints reachable over plain HTTP, or over HTTPS without Extended Protection for Authentication, where relayed NTLM authentication would be accepted
Continuous PKI Posture Monitoring (Not Point-in-Time Audits)
ADCS attacks often succeed months after a misconfiguration is introduced.
PKI Insights provides:
- Continuous posture monitoring
- Configuration drift detection
- Real-time alerts on risky changes
- Historical audit evidence
- Clear identification of exploitable conditions
- Risk prioritization based on abuse impact
- Actionable remediation guidance
- Evidence for security reviews and audits
"You can’t secure what you can’t continuously see"
Why Security Teams Choose PKI Insights
Enterprises don’t fail at PKI because they lack automation – they fail because they lack visibility. PKI Insights acts as a Swiss Army knife for PKI security, bringing together certificate inventory, lifecycle monitoring, cryptographic risk analysis, and ADCS attack-path detection in a single platform. This allows security and infrastructure teams to automate confidently, knowing their PKI foundation is secure.
If your PKI issues authentication certificates, it is part of your identity perimeter. PKI Insights helps you understand, secure, and continuously monitor that perimeter – so automation never becomes an attack path.
- Purpose-built for ADCS environments
- Covers both posture and exploitation paths
- Designed for infrastructure, identity, and security teams
