# Sentinel Now Detects ADCS Misconfigurations — the Most Overlooked AD Attack Surface

March 13, 2026 · GrantFlow Team

Active Directory Certificate Services (ADCS) is one of the most impactful — and most overlooked — attack surfaces in on-premises environments. A single misconfigured certificate template can let any domain user impersonate a Domain Admin. Starting with GrantFlow Sentinel v0.1.4, your AD scans now cover the most commonly exploited ADCS attack paths, bringing the total check count to 93 across 15 security domains.

## Why ADCS Matters

ADCS issues are dangerous because they are silent. A vulnerable certificate template does not generate alerts, does not appear in standard monitoring, and can sit in production for years without anyone noticing. Attackers know this — ADCS exploitation has become a standard step in Active Directory compromise playbooks.

The most critical example is ESC1. If a published template lets the enrollee supply an arbitrary subject name (the ENROLLEE_SUPPLIES_SUBJECT flag), carries an EKU that permits client authentication, requires neither manager approval nor an authorizing signature, and grants Enroll to a broad group such as Domain Users, then any authenticated user can request a certificate with a Domain Admin's UPN in the subject alternative name and log on with it. No elevated privileges required, no brute-forcing, no lateral movement: a single certificate request.

## What Sentinel Checks

Sentinel v0.1.4 introduces eight new checks in the AD Certificate Services domain:

| Check | What it detects |
|---|---|
| SENT-ADCS-001 | Templates vulnerable to ESC1: enrollee-supplied subject with client authentication |
| SENT-ADCS-002 | Templates vulnerable to ESC2: Any Purpose or missing EKU with broad enrollment |
| SENT-ADCS-003 | Templates vulnerable to ESC3: unrestricted Certificate Request Agent |
| SENT-ADCS-004 | Templates with vulnerable ACLs (ESC4): non-admin principals can modify the template |
| SENT-ADCS-005 | CAs with EDITF_ATTRIBUTESUBJECTALTNAME2 enabled (ESC6) |
| SENT-ADCS-006 | HTTP-only enrollment endpoints exposed to NTLM relay (ESC8) |
| SENT-ADCS-007 | CA web enrollment enabled without proper security controls |
| SENT-ADCS-100 | AI-assisted analysis that correlates findings across CAs and templates to identify attack chains |

SENT-ADCS-001 and SENT-ADCS-005 are rated Critical — either one can give an attacker full domain control in a single step.
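The ESC1 description above and the check table state the conditions in words; the following is an added example, not Sentinel's own code, that writes the same ESC1, ESC2 and ESC3 rule logic against template records shaped like the msPKI-* attributes a scanner reads from the Certificate Templates container, plus the ESC6 bit test on a CA's EditFlags. The flag bits and EKU OIDs are the real ADCS constants; the template names, the domain SID and the EditFlags values are constructed for the example. EditFlags is a CA registry value (what `certutil -getreg policy\EditFlags` prints), not a directory attribute, so the example takes it as an integer.

```python
# Added example, not part of GrantFlow Sentinel: the ESC1/ESC2/ESC3 template
# conditions and the ESC6 CA flag, evaluated over records shaped like the
# LDAP attributes they come from. All template and CA data here is constructed.
from dataclasses import dataclass

# Real ADCS constants: template flag bits, the CA EditFlags bit, and EKU OIDs.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000      # CA registry EditFlags (ESC6)
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT, OID_ANY_PURPOSE}

# "Low-privileged" enrollers: Everyone, Authenticated Users, Domain Users (RID 513),
# Domain Computers (RID 515). A real scanner resolves group membership; this does not.
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}
LOW_PRIV_RIDS = {"513", "515"}


@dataclass
class Template:
    name: str
    published: bool        # listed in a CA's (pKIEnrollmentService) certificateTemplates
    name_flag: int         # msPKI-Certificate-Name-Flag
    enrollment_flag: int   # msPKI-Enrollment-Flag
    ra_signatures: int     # msPKI-RA-Signature: authorized signatures required
    ekus: list             # pKIExtendedKeyUsage OIDs; empty = no EKU restriction
    enroll_sids: list      # SIDs holding Enroll/AutoEnroll in nTSecurityDescriptor


def is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def low_priv_can_enroll(t: Template) -> bool:
    """Published, no approval gate, no co-signer required, broad group holds Enroll."""
    gated = bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS) or t.ra_signatures > 0
    return t.published and not gated and any(is_low_priv(s) for s in t.enroll_sids)


def allows_auth(t: Template) -> bool:
    # No EKU at all means the certificate is good for any purpose, logon included.
    return not t.ekus or bool(set(t.ekus) & AUTH_EKUS)


def is_esc1(t: Template) -> bool:
    supplies_subject = bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    return low_priv_can_enroll(t) and supplies_subject and allows_auth(t)


def is_esc2(t: Template) -> bool:
    return low_priv_can_enroll(t) and (not t.ekus or OID_ANY_PURPOSE in t.ekus)


def is_esc3(t: Template) -> bool:
    # Flags the agent template only; the full chain also needs a target template
    # that accepts an enrollment-agent signature.
    return low_priv_can_enroll(t) and OID_CERT_REQUEST_AGENT in t.ekus


def is_esc6(edit_flags: int) -> bool:
    return bool(edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2)


def run_checks(templates, ca_edit_flags):
    """Map check IDs to the affected template or CA names."""
    return {
        "SENT-ADCS-001": [t.name for t in templates if is_esc1(t)],
        "SENT-ADCS-002": [t.name for t in templates if is_esc2(t)],
        "SENT-ADCS-003": [t.name for t in templates if is_esc3(t)],
        "SENT-ADCS-005": [ca for ca, f in ca_edit_flags.items() if is_esc6(f)],
    }


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
SAMPLE_TEMPLATES = [
    # ESC1: enrollee supplies the subject, Client Authentication EKU, Domain Users enroll.
    Template("VPNUser-Legacy", True, 0x1, 0x0, 0, [OID_CLIENT_AUTH], [DOMAIN + "-513"]),
    # Same shape but gated by manager approval: not ESC1.
    Template("VPNUser-Approved", True, 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0, [OID_CLIENT_AUTH], [DOMAIN + "-513"]),
    # Enrollee supplies the subject but Server Authentication only: cannot be used to log on.
    Template("WebServer-Custom", True, 0x1, 0x0, 0, [OID_SERVER_AUTH], [DOMAIN + "-515"]),
    # ESC2: Any Purpose EKU with Authenticated Users able to enroll.
    Template("AnyPurpose-Legacy", True, 0x0, 0x0, 0, [OID_ANY_PURPOSE], ["S-1-5-11"]),
    # ESC3: Certificate Request Agent EKU open to Domain Users.
    Template("EnrollmentAgent-Open", True, 0x0, 0x0, 0, [OID_CERT_REQUEST_AGENT], [DOMAIN + "-513"]),
    # ESC1 shape but unpublished, and one enrollable only by Domain Admins (RID 512).
    Template("VPNUser-Retired", False, 0x1, 0x0, 0, [OID_CLIENT_AUTH], [DOMAIN + "-513"]),
    Template("AdminOnly", True, 0x1, 0x0, 0, [OID_CLIENT_AUTH], [DOMAIN + "-512"]),
]
# Constructed EditFlags: CORP-CA has the 0x40000 bit set, CORP-SUB-CA does not.
SAMPLE_CA_EDIT_FLAGS = {"CORP-CA": 0x15014E, "CORP-SUB-CA": 0x11014E}

if __name__ == "__main__":
    for check, hits in run_checks(SAMPLE_TEMPLATES, SAMPLE_CA_EDIT_FLAGS).items():
        print(check, hits or "clean")
```

The negative cases are the point: a template that lets the enrollee pick the subject is harmless if its only EKU is Server Authentication, if manager approval is pending, or if it is not published on any CA, and a scanner that skips those gates will drown you in false Criticals.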

## Cross-Platform ADCS Scanning

Unlike the rest of the AD checks — which rely on the Windows-only Active Directory PowerShell module — ADCS checks use native LDAP to query certificate templates, CA configurations, and enrollment endpoints. This means you can run ADCS scans from macOS or Linux without needing a Windows machine.

Add the following to your sentinel.yaml:

```yaml
ldap_server: dc.example.com
ldap_tls: true
ldap_bind_dn: "CN=sentinel,OU=ServiceAccounts,DC=example,DC=com"
```

Then pass the bind password via the LDAP_BIND_PASS environment variable and run as usual:

```bash
export LDAP_BIND_PASS="your-password"
grantflow-sentinel ad
```

Sentinel collects ADCS data over LDAP and skips the Windows-only AD checks automatically. Your report includes all ADCS findings, scored as normal.

On Windows, ADCS checks run alongside all other AD checks — no additional configuration needed.
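Of the template data that comes back over LDAP, the one attribute you cannot read by eye is nTSecurityDescriptor: it is a binary Windows security descriptor, and the Enroll right lives in object-specific ACEs keyed by the Certificate-Enrollment GUID. The following is an added example, not Sentinel's code, that decodes such a descriptor into the principals that can enroll and the principals that can modify the template (the SENT-ADCS-004 condition). The descriptor, the domain SID, the helpdesk RID 1105 and the UNRELATED_PROPERTY GUID are constructed for the example; deny ACEs and inheritance are ignored, which is a simplification.

```python
# Added example, not part of GrantFlow Sentinel: decode a certificate template's
# nTSecurityDescriptor (the binary value LDAP returns) into the principals that
# hold Enroll/AutoEnroll and those that can modify the template. The descriptor
# and every SID below are constructed in-line so the block runs offline.
import struct
import uuid

# Real AD constants: the enrollment extended-right GUIDs and access-mask bits.
ENROLL_GUID = uuid.UUID("0e10c968-78fb-11d1-a9c0-0000f80367c1")
AUTOENROLL_GUID = uuid.UUID("a05b8cc2-17bc-4802-a710-e7c15ab866a2")
DS_CONTROL_ACCESS = 0x00000100   # extended right; ObjectType names which one
DS_WRITE_PROP = 0x00000020
WRITE_DAC, WRITE_OWNER, GENERIC_ALL = 0x00040000, 0x00080000, 0x10000000
ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE = 0x00, 0x05
OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2


def parse_sid(buf: bytes, off: int) -> str:
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def template_rights(sd: bytes) -> dict:
    """Walk the DACL of a self-relative security descriptor.

    Returns {"enroll": {sid, ...}, "modify": {sid, ...}}. Allow ACEs only: deny
    ACEs and inheritance flags are ignored, which can over-report rights.
    """
    dacl_off = struct.unpack_from("<I", sd, 16)[0]           # OffsetDacl in the header
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off = dacl_off + 8                                       # first ACE after the ACL header
    rights = {"enroll": set(), "modify": set()}
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        sid_off, obj_type = off + 8, None
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE:
            obj_flags = struct.unpack_from("<I", sd, off + 8)[0]
            sid_off = off + 12
            if obj_flags & OBJECT_TYPE_PRESENT:
                obj_type = uuid.UUID(bytes_le=sd[sid_off:sid_off + 16])
                sid_off += 16
            if obj_flags & INHERITED_OBJECT_TYPE_PRESENT:
                sid_off += 16
        if ace_type in (ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE):
            sid = parse_sid(sd, sid_off)
            full = bool(mask & GENERIC_ALL)
            # Enroll: the Certificate-Enrollment (or AutoEnrollment) right, or an
            # unscoped control-access grant, which covers every extended right.
            if full or (mask & DS_CONTROL_ACCESS and obj_type in (None, ENROLL_GUID, AUTOENROLL_GUID)):
                rights["enroll"].add(sid)
            # Modify: owner/DACL control, or unscoped property writes (ESC4 material).
            if full or mask & (WRITE_DAC | WRITE_OWNER) or (mask & DS_WRITE_PROP and obj_type is None):
                rights["modify"].add(sid)
        off += ace_size
    return rights


# Builders used only to construct the sample descriptor (inverse of the parser).
def build_sid(sid: str) -> bytes:
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(mask: int, sid: str, obj_type=None) -> bytes:
    if obj_type is None:
        ace_type, body = ACCESS_ALLOWED_ACE, struct.pack("<I", mask) + build_sid(sid)
    else:
        ace_type = ACCESS_ALLOWED_OBJECT_ACE
        body = struct.pack("<II", mask, OBJECT_TYPE_PRESENT) + obj_type.bytes_le + build_sid(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_sd(aces) -> bytes:
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body   # ACL_REVISION_DS
    # 20-byte header: revision 1, SE_DACL_PRESENT | SE_SELF_RELATIVE, DACL at offset 20.
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
UNRELATED_PROPERTY = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder GUID
SAMPLE_SD = build_sd([
    build_ace(GENERIC_ALL, DOMAIN + "-512"),                      # Domain Admins: full control
    build_ace(DS_CONTROL_ACCESS, DOMAIN + "-513", ENROLL_GUID),   # Domain Users: Enroll
    build_ace(DS_WRITE_PROP, "S-1-5-11", UNRELATED_PROPERTY),     # one property only: no finding
    build_ace(WRITE_DAC | WRITE_OWNER, DOMAIN + "-1105"),         # constructed helpdesk group: can rewrite the ACL
])

if __name__ == "__main__":
    for right, sids in template_rights(SAMPLE_SD).items():
        print(right, sorted(sids))
```

Feed `template_rights` the raw bytes of a template's nTSecurityDescriptor from your own LDAP search (note that an unprivileged bind may get the DACL only if the account can read it) and compare the "modify" set against your admin groups: anything else in it is an ESC4 finding, because whoever can rewrite the template can turn it into an ESC1 template at will.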

## AI-Assisted Analysis

SENT-ADCS-100 goes beyond individual template checks. It uses AI to analyze your entire ADCS environment holistically — correlating CA settings, template permissions, and enrollment configurations to surface multi-step attack chains that rule-based checks might miss. The AI analysis also produces prioritized remediation steps ranked by risk.

This check is optional and requires an AI endpoint configured in your scan profile. Without it, the check is skipped and the other seven ADCS checks still run normally.

## What's Next

Sentinel v0.1.4 covers ESC1–ESC4, ESC6, and ESC8 — the attack paths most frequently seen in real-world compromises. Coverage for ESC5 (vulnerable CA object ACLs) and ESC7 (vulnerable CA officer rights) is planned for a future release.

For the full check table and severity ratings, see the [Checks Reference](/sentinel/checks-reference#ad-certificate-services). To get started, follow the [Quick Start](/sentinel/quickstart) or review the [LDAP configuration options](/sentinel/configuration).