AD CS Attacks Overview

Active Directory Certificate Services (AD CS) is a complex system that, when misconfigured, can lead to severe security vulnerabilities. This page provides an overview of various attack vectors targeting AD CS, known as ESC (Escalation via Certificate Services) attacks.

Warning: The information provided here is for educational purposes only. Always ensure you have proper authorization before testing these attacks in any environment.

Known ESC Attacks

ESC1: Misconfigured Certificate Templates
Critical

ESC1 exploits overly permissive enrollment rights in certificate templates, allowing low-privileged users to enroll for certificates that can be used for authentication, potentially leading to privilege escalation.

Impact:
  • Privilege escalation to Domain Admin
  • Unauthorized access to sensitive resources
  • Potential for lateral movement within the network
  • Compromise of the entire AD infrastructure
Mitigation:
  • Regularly audit and review all certificate templates
  • Implement the principle of least privilege for certificate template configurations

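
As an added example (not code from the original page), a small Python audit helper that applies the ESC1 conditions described above to certificate template objects as they would be read from the Configuration partition. The template dicts, the assumed `enrollment_principals` key (standing in for principals resolved from the template ACL) and the sample templates are constructed for illustration.

```python
# Added audit example, not from the original page. Each template is a dict whose
# keys mirror the LDAP attributes of a pKICertificateTemplate object; the
# "enrollment_principals" key is an assumed stand-in for the principals resolved
# from the template's security descriptor (Certificate-Enrollment right).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs under which an issued certificate can authenticate to the domain
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Broad groups that should never hold enrollment rights on an authentication template
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def esc1_reasons(template, published):
    """Return the conditions that together make the template ESC1-exposed."""
    # ESC1 needs every condition at once; one missing condition yields [] (not flagged).
    ekus = template.get("pKIExtendedKeyUsage", [])
    broad = LOW_PRIV_PRINCIPALS & set(template.get("enrollment_principals", []))
    checks = [
        (template["cn"] in published, "published by an enrollment CA"),
        (bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
         "requester supplies the subject, so the SAN may name any account"),
        (not ekus or bool(AUTH_EKUS & set(ekus)), "EKU (or absent EKU) allows client authentication"),
        (not (template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS), "no manager approval"),
        (template.get("msPKI-RA-Signature", 0) == 0, "no authorized signature required"),
        (bool(broad), "enrollment granted to " + ", ".join(sorted(broad))),
    ]
    return [reason for ok, reason in checks] if all(ok for ok, _ in checks) else []


def audit(templates, published):
    """Map template CN -> reasons, for every template that matches ESC1."""
    return {t["cn"]: r for t in templates if (r := esc1_reasons(t, published))}


# Constructed sample data: one template approximating the built-in User template
# (subject built from AD, not supplied by the requester) and one misconfigured template.
SAMPLE_TEMPLATES = [
    {"cn": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "enrollment_principals": ["Domain Users", "Domain Admins"]},
    {"cn": "VulnUserSuppliedSubject", "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enrollment_principals": ["Authenticated Users"]},
]
PUBLISHED = {"User", "VulnUserSuppliedSubject"}  # values of a CA's certificateTemplates attribute
```

Enabling manager approval or clearing the enrollee-supplies-subject flag on the misconfigured template removes it from the audit output, which is the least-privilege fix the mitigation list calls for.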
ESC2: Misconfigured Enrollment Agent Templates
High

ESC2 abuses misconfigured Enrollment Agent templates, allowing an attacker to request certificates on behalf of other users, potentially leading to privilege escalation and unauthorized access.

Impact:
  • Unauthorized certificate issuance for other users
  • Potential privilege escalation to high-privileged accounts
  • Identity theft and impersonation
  • Bypass of multi-factor authentication
Mitigation:
  • Review and restrict access to Enrollment Agent templates
  • Implement strict controls on who can act as an Enrollment Agent

ESC3: Misconfigured Enrollment Agent Restrictions
High

ESC3 takes advantage of misconfigured Enrollment Agent restrictions, allowing an attacker with Enrollment Agent privileges to request certificates for accounts they shouldn't have access to, potentially leading to privilege escalation.

Impact:
  • Unauthorized certificate issuance for privileged accounts
  • Privilege escalation to high-privileged accounts
  • Unauthorized access to sensitive resources
  • Potential domain compromise
Mitigation:
  • Implement and regularly review Enrollment Agent restrictions
  • Limit the scope of accounts that Enrollment Agents can request certificates for

Understanding the Impact

AD CS attacks can have severe consequences for an organization's security posture. These attacks often lead to:

  • Privilege escalation, potentially to Domain Admin level
  • Unauthorized access to sensitive resources
  • Persistence mechanisms for attackers
  • Potential for lateral movement within the network
  • Compromise of the entire PKI infrastructure
  • Bypass of multi-factor authentication systems

Understanding these attack vectors is crucial for both offensive security testing and implementing robust defenses. Explore each attack in detail to learn about specific vulnerabilities, exploitation techniques, and mitigation strategies.