AD CS Attacks Overview

Explore various attack vectors targeting Active Directory Certificate Services (AD CS), known as ESC vulnerabilities (ESC1-ESC15). Understanding these vulnerabilities is crucial for AD CS penetration testing and implementing robust security measures to protect your PKI infrastructure.

ESC Vulnerabilities Overview

Active Directory Certificate Services (AD CS) is susceptible to a family of attack vectors known as ESC (Escalation via Certificate Services) vulnerabilities. These vulnerabilities, numbered ESC1 through ESC15, pose significant risks to AD CS security, and understanding them is essential both for effective AD CS penetration testing and for implementing robust defensive measures.

  • ESC1-ESC5: Focus on certificate template misconfigurations and access control issues.
  • ESC6-ESC10: Target CA security, NTLM relay attacks, and rogue certificate authorities.
  • ESC11-ESC15: Address vulnerabilities in certificate issuance policies, revocation, and request handling.

Explore each vulnerability in detail to enhance your AD CS security posture and conduct thorough penetration testing.

ESC1: Misconfigured Certificate Templates
Severity: Critical
ESC1 exploits overly permissive enrollment rights in certificate templates, allowing low-privileged users to enroll for certificates that can be used for authentication, potentially leading to privilege escalation.

ESC10: Rogue Certificate Authority
Severity: Critical
ESC10 involves an attacker creating a rogue Certificate Authority and adding it to the enterprise NTAuth store, potentially allowing the issuance of trusted certificates for any purpose.

ESC12: Vulnerable Certificate Revocation Configuration
Severity: Critical
ESC12 targets misconfigured or absent certificate revocation mechanisms, allowing attackers to continue using compromised or expired certificates for malicious purposes.

ESC15: Vulnerable Certificate Request Handling
Severity: Critical
ESC15 targets vulnerabilities in how certificate requests are processed and validated, potentially allowing attackers to manipulate request data and obtain unauthorized certificates.

ESC4: Vulnerable Certificate Template Access Control
Severity: Critical
ESC4 exploits vulnerable access controls on certificate templates, allowing attackers to modify high-privileged templates and create malicious certificates for privilege escalation.

ESC6: ADCS Backup Extraction
Severity: Critical
ESC6 involves extracting and abusing ADCS backups to gain unauthorized access to the CA's private keys, potentially allowing an attacker to issue any certificate or decrypt intercepted communications.

ESC7: Vulnerable Certificate Authority Access Control
Severity: Critical
ESC7 exploits weak access controls on the Certificate Authority itself, allowing attackers to directly manipulate CA operations and potentially compromise the entire PKI infrastructure.

ESC8: NTLM Relay to ADCS HTTP Endpoints
Severity: Critical
ESC8 exploits the ability to relay NTLM authentication to ADCS HTTP endpoints, potentially allowing an attacker to obtain certificates for other users, including domain administrators.

ESC11: Vulnerable Certificate Issuance Policy
Severity: High
ESC11 exploits misconfigured certificate issuance policies, allowing attackers to obtain certificates that should be restricted, potentially leading to unauthorized access or privilege escalation.

ESC13: Vulnerable Key Archival Configuration
Severity: High
ESC13 exploits misconfigured key archival settings, potentially allowing unauthorized access to archived private keys, leading to decryption of sensitive data or impersonation attacks.

ESC14: Vulnerable Certificate Renewal Configuration
Severity: High
ESC14 exploits misconfigured certificate renewal settings, allowing attackers to renew compromised certificates or maintain long-term access to sensitive resources.

ESC2: Misconfigured Enrollment Agent Templates
Severity: High
ESC2 abuses misconfigured Enrollment Agent templates, allowing an attacker to request certificates on behalf of other users, potentially leading to privilege escalation and unauthorized access.

ESC3: Misconfigured Enrollment Agent Restrictions
Severity: High
ESC3 takes advantage of misconfigured Enrollment Agent restrictions, allowing an attacker with Enrollment Agent privileges to request certificates for accounts they should not be permitted to act on behalf of.

ESC5: Vulnerable PKI Object Access Control
Severity: High
ESC5 targets vulnerable access controls on PKI objects, allowing attackers to manipulate CA configuration, potentially leading to unauthorized certificate issuance or CA compromise.

ESC9: No Security Extension
Severity: High
ESC9 takes advantage of certificate templates that do not specify the Extended Key Usage extension, potentially allowing certificates to be used for any purpose, including authentication.