ESCepcion
The only AD CS auditing framework that doesn't just find misconfigurations — it tells you which ones actually lead to domain compromise.
Built for security consultants, blue teams, and auditors who need evidence-grade reports, not just scanner output.
$ python main.py --domain corp.local \
--user auditor --password **** --dc-ip 192.168.1.10
[*] Connecting to LDAP — corp.local...
[*] Enumerating Certificate Authorities...
[+] Found CA: CORP-CA on corp-dc01
[*] Scanning 47 certificate templates...
[!] ESC1 — "UserCert" vulnerable (SAN)
[!] ESC4 — "WebServer" writable ACL
[!] ESC8 — HTTP endpoint at /certsrv/
[+] Audit complete — 3 paths in 4.2s
_
ESC Coverage
ESCepcion detects every known escalation path. Each finding includes confidence level, blocking controls, and a deterministic exploitability assessment — not just a vulnerable flag.
Misconfigured Certificate Templates
Templates with Client Auth EKU allow arbitrary SAN + low-priv enrollment. ESCepcion validates effective enrollment rights using BFS nested group resolution — eliminating false positives from inherited permissions.
Any Purpose EKU Abuse
Templates carrying Any Purpose EKU or no EKU at all can authenticate as any domain user regardless of the requester's privilege level.
Enrollment Agent Abuse
Misconfigured enrollment agent templates allow requesting certificates on behalf of any domain user. ESCepcion validates the full two-template chain (Agent + Target) before reporting — avoiding false positives.
Template ACL Abuse
Writable ACLs on certificate templates allow low-priv users to introduce ESC1-style misconfigurations at will. ESCepcion resolves nested group membership up to depth 5 to identify indirect write access paths.
PKI Object ACL Abuse
Weak ACLs on CAs, NTAuthCertificates, AIA, CDP, and OID objects can compromise the entire PKI infrastructure. Reported once as a global infrastructure finding, not repeated per template.
EDITF_ATTRIBUTESUBJECTALTNAME2
CA-level flag allows SAN in any cert request, bypassing all template restrictions. Reported as NEAR_MISS via LDAP heuristic; confirmed deterministically via MS-RRP registry read with --deep-scan.
Vulnerable CA ACL
ManageCA / ManageCertificates rights on the CA object enable arbitrary certificate issuance and template manipulation. ESCepcion checks both permissions independently with LOW_TRUST principal filtering.
NTLM Relay to AD CS HTTP
HTTP enrollment endpoints allow NTLM relay attacks. ESCepcion includes active HTTP probing to confirm endpoint availability and NTLM challenge presence before reporting — no false positives on dead URLs.
No Security Extension
CT_FLAG_NO_SECURITY_EXTENSION prevents the CA from embedding the objectSID extension in issued certificates, enabling UPN-based impersonation. ESCepcion cross-validates GenericWrite availability before escalating severity.
Weak Certificate Mappings
Weak StrongCertificateBindingEnforcement or CertificateMappingMethods registry settings allow certificate-to-account impersonation. Confirmed via MS-RRP with --deep-scan; reported as NEAR_MISS otherwise.
Unencrypted RPC Interface
IF_ENFORCEENCRYPTICERTREQUEST disabled allows NTLM relay attacks directly over the RPC certificate enrollment interface — no web enrollment role required on the CA.
DCOM Shell Access to CA
ESCepcion attempts remote detection of YubiHSM AuthPassword exposure via MS-RRP registry read. Requires --deep-scan and remote registry access to the CA server host.
OID Group Link Abuse
Issuance policies linked to universal AD groups via msDS-OIDToGroupLink grant certificate holders covert group membership. ESCepcion validates group type (must be universal and empty) and privilege level before reporting — avoiding false positives.
Explicit Certificate Mapping
Weak permissions over altSecurityIdentities allow low-priv users to bind arbitrary certificates to privileged accounts. ESCepcion detects all four mapping scenarios: X509RFC822, IssuerSubject, SubjectOnly, and WriteProperty.
SchemaVersion 1 / EKUwu (CVE-2024-49019)
SchemaVersion 1 templates allow Application Policy injection in the CSR, silently overriding the template's EKU. Enables client authentication with any V1 template on unpatched CAs.
CA-Wide Security Extension Disabled
OID 1.3.6.1.4.1.311.25.2 in the CA's DisableExtensionList makes ALL templates behave like ESC9 simultaneously. Confirmed via MS-RRP registry read with --deep-scan. One of the most impactful CA-level misconfigurations.
Quick Start
Clone Repository
git clone https://github.com/Hackwarts12/ESCepcion.git
cd ESCepcion
pip install -r requirements.txt
Basic Audit
# Basic domain audit
python main.py --domain corp.local --user auditor \
--dc-ip 192.168.1.10 --password 'P@ssw0rd'
Deep Scan
# Deep scan — confirms ESC6/10/11/12/16 via MS-RRP
python main.py --domain corp.local --user auditor \
--dc-ip 192.168.1.10 --password 'P@ssw0rd' \
--deep-scan
Arcane Arsenal
Full AD CS Enumeration
Maps all Certificate Authorities, templates, ACLs, OID objects, and PKI infrastructure in a single LDAP session. Paginated queries handle enterprise environments with thousands of objects without truncation.
ESC1–ESC16 Detection
Complete coverage of all known ADCS privilege escalation vectors. Each finding includes confidence level, blocking controls, and a deterministic exploitability assessment — not just a vulnerable flag.
Flexible Authentication
NTLM password, Pass-the-Hash (LM:NT or :NT format), and integrated Windows authentication (SSPI). No credentials are stored in output files or reports.
Rich Grimoire Reports
Full HTML dashboard with posture score, attack chains, combo chain correlation, and per-finding remediation playbooks. JSON output ready for SIEM integration and diff-based remediation tracking.
Remediation Spells
Each finding includes the exact certutil, PowerShell, or ADSI command to remediate — not generic advice. Prioritized by DDCC exploitability, not just severity.
DDCC — Deterministic Attack Paths
ESCepcion's proprietary engine builds in-memory attack graphs to determine if a low-trust user has a real path to domain compromise. Separates EXPLOITABLE findings from NEAR_MISS and POTENTIAL — the difference between a critical finding and noise.
Hybrid Environment Detection
Detects AD Connect presence, sync account credential risks, and Entra ID tenant exposure via LDAP-only queries. Flags when on-prem ADCS misconfigurations may cascade to Microsoft 365 and Azure cloud resources.
Combo Chain Correlation
Automatically correlates multiple ESC findings into named attack chains: Template Takeover (ESC4→ESC1), Certifried Hybrid (Certifried+ESC8), Sync Account Takeover (Shadow Credentials+MSOL), and more.
How It Works — The Ritual
Discovery
Connects via LDAP and locates all Certificate Authorities within the target domain or forest. Resolves SIDs and nested group membership up to depth 5 for accurate ACL analysis.
Enumeration
Maps every certificate template attribute, ACL entry, CA configuration flag, OID object, and PKI container. Paginated queries handle enterprise-scale environments without object limit truncation.
Analysis
Tests each ESC vector against collected data using validation logic derived from SpecterOps, Certipy, and original research. Each finding receives a confidence level and a list of blocking controls that currently prevent exploitation.
DDCC Engine
The Deterministic Domain Compromise Check builds an attack graph from all findings. It determines whether a low-trust user has a real step-by-step path to domain compromise and assigns an L1–L5 impact level to each path. NEAR_MISS findings — one prerequisite away from exploitation — are tracked separately from theoretical ones.
Reporting
Generates a structured HTML grimoire and JSON output with posture score (0–100), attack chains, combo correlations, per-finding remediation playbooks, and a coverage map showing which ESCs were evaluated and which require --deep-scan to confirm.
Credits & Developer
Research Credits
Built upon groundbreaking research from the community:
- Will Schroeder & Lee Christensen
SpecterOps — "Certified Pre-Owned" (2021) - Oliver Lyak
Certipy — ESC9, ESC10, ESC16 - Jonas Bülow Knudsen
ESC13, ESC14 (2024) - Justin Bollinger
TrustedSec — ESC15 / EKUwu (2024)
Developed & Compiled by
Erick Maldonado — @Hackwarts12
RedSpears Labs — Devel Security, S.A.
Architecture, DDCC engine, L1–L5 risk model, hybrid environment analysis, and full implementation of the ESCepcion framework. Regional Offensive Security Consultant Manager.
Presented At
- EkoParty BlueSpace 2026 2026 Buenos Aires, Argentina
- Unknow Conference 2025 Lima, Peru
The Journey
From idea to framework — how ESCepcion evolved.
The Idea
Started as an internal script to audit AD CS in client engagements at Devel Security. The goal: a tool that explains risk to non-technical stakeholders, not just dumps LDAP findings.
ESC1–ESC4 Core
First working version with ESC1, ESC2, ESC3, ESC4 detection via LDAP. Basic HTML output. Ran internally on the first real client engagement and surfaced ESC4 findings that were missed by other tools.
ESC5–ESC8 + Authentication
Added ESC5 through ESC8 coverage including active HTTP probing for ESC8. Implemented Pass-the-Hash and SSPI authentication. First version usable without a plaintext password.
DDCC Engine + L1–L5 Model
The Deterministic Domain Compromise Check was designed and implemented. For the first time, ESCepcion could tell the difference between a theoretical finding and a real path to domain compromise. The L1–L5 Identity Impact Taxonomy replaced CVSS scoring.
ESC10 / ESC12 / ESC14 + MS-RRP
Added --deep-scan mode with impacket MS-RRP integration. ESC10 reads StrongCertificateBindingEnforcement and CertificateMappingMethods directly from the DC registry. ESC12 attempts remote YubiHSM detection. ESC14 covers all four altSecurityIdentities scenarios.
Certifried + Shadow Credentials + Hybrid Detection
Added Certifried (CVE-2022-26923) as a standalone detection module. Shadow Credentials enumeration with LOW_TRUST filtering. Hybrid environment detector identifies AD Connect accounts, tenant exposure, and sync account credential risks via LDAP-only queries.
HTML Grimoire + BloodHound Export
Complete redesign of the HTML report. Posture Score 0–100, attack chain visualization, combo chain correlation, and per-finding remediation playbooks with exact certutil and PowerShell commands. BloodHound JSON v6 export added.
Unknow Conference 2026 — Lima, Peru
First presentation at Unknow Conference, Lima. Introduction to ESCepcion framework, DDCC engine demonstration, and L1–L5 risk model explanation for the Latin American security community.
Public Release — EkoParty BlueSpace 2026
Official public release presented at EkoParty BlueSpace, Buenos Aires. ESC1–ESC8 full logic, ESC10/12/14 via deep scan, Certifried, Shadow Credentials, Hybrid Detection, DDCC, L1–L5, Posture Score, Combo Chains, BloodHound export, HTML grimoire, JSON output.
Full ESC Coverage + Hardening
ESC9, ESC11, ESC13, ESC15, ESC16 with full detection logic and anti-false-positive validation. Global LDAP pagination for enterprise environments. Unified ESCResult schema with confidence levels, blocking controls, and evidence fields. Regression test suite with domain fixtures. LDAPS support (port 636).
Risk Engine Expansion
MITRE ATT&CK mapping per ESC finding. --diff mode for remediation tracking between scans. SARIF export for CI/CD pipeline integration. Remediation Priority Engine: what to fix first to break the maximum number of DDCC paths.