ESC1: Misconfigured Certificate Templates

Critical

ESC1 exploits overly permissive enrollment rights in certificate templates, allowing low-privileged users to enroll in certificates that can be used for authentication, potentially leading to privilege escalation.

Attack Details

ESC1 occurs when a certificate template grants enrollment rights to low-privileged users while also letting the enrollee supply the certificate's subject (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT setting that the enumeration commands below search for) and permitting the issued certificate to be used for authentication. An attacker who can enroll in such a template requests a certificate whose subject alternative name points at a privileged account, then authenticates with that certificate as the named account, escalating privileges within the Active Directory environment.

Impact
  • Privilege escalation to Domain Admin
  • Unauthorized access to sensitive resources
  • Potential for lateral movement within the network
  • Compromise of the entire AD infrastructure
Exploitation Steps
  1. Identify vulnerable certificate templates with permissive enrollment rights
  2. Enroll in a certificate using the vulnerable template
  3. Use the obtained certificate for authentication and privilege escalation
Penetration Testing Considerations

When conducting AD CS penetration testing, consider the following aspects specific to ESC1 (misconfigured certificate templates):

  • Identify vulnerable certificate templates and misconfigurations
  • Assess the potential impact on the overall AD CS security
  • Evaluate the effectiveness of existing security controls
  • Test for the ability to exploit this vulnerability in the target environment
  • Document findings and provide actionable remediation steps
Command Examples

Enumerate Vulnerable Templates

certutil -v -template | findstr /i "mspki-certificate-name-flag" | findstr /i "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT"
certutil -v -template | findstr /i "1.3.6.1.4.1.311.20.2"
.\Certify.exe find /vulnerable

Exploit Vulnerable Template

certreq -submit -attrib "CertificateTemplate:VulnerableTemplate" -attrib "SAN:upn=administrator@domain.com" request.inf
.\Certify.exe request /ca:dc.domain.com\CA-NAME /template:VulnerableTemplate /altname:administrator
Detection
  • Monitor certificate enrollment activities, especially for sensitive templates
  • Implement logging and alerting for unusual certificate issuance patterns
  • Regularly audit certificate template configurations and permissions
Event IDs
  • 4886: Certificate Services approved a certificate request
  • 4887: Certificate Services denied a certificate request
  • 5137: A directory service object was created (for monitoring template changes)
Mitigation and AD CS Security Best Practices

To mitigate ESC1 (misconfigured certificate templates) and strengthen overall AD CS security, consider implementing the following measures:

  • Regularly audit and review all certificate templates
  • Implement the principle of least privilege for certificate template configurations
  • Use security groups to control enrollment permissions
  • Enable strong authentication mechanisms for certificate enrollment
  • Regularly conduct AD CS penetration testing to identify and address vulnerabilities
  • Implement the principle of least privilege across your AD CS infrastructure
  • Maintain up-to-date documentation of your AD CS configuration and security policies
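One way to carry out the template audit recommended above, as an added example that is not code from this page or from any AD CS tool: the check below applies the four ESC1 conditions (enrollee supplies the subject, an authentication-capable EKU, no manager approval or authorized signature, and Enroll rights held by a broad group) to template records and reports only templates matching all four. It assumes the template attributes have already been exported from the pKICertificateTemplate objects in AD into dicts, with the SIDs holding the Enroll extended right pre-extracted into an `enroll_sids` field; the three records are constructed sample data.

```python
# Added audit check for the ESC1 template pattern (not code from this page).
# Assumes template attributes were exported from AD into dicts; "enroll_sids"
# holds SIDs already granted the Enroll extended right (pre-extracted from the
# template's security descriptor). All records below are constructed samples.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)

# EKUs under which an issued certificate can authenticate a principal
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Broad principals: Everyone, Authenticated Users, Domain Users (constructed domain SID, RID 513)
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-21-0-0-0-513"}


def esc1_findings(template: dict) -> list[str]:
    """Return the reasons a template matches all ESC1 conditions, or [] if any is missing."""
    reasons = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies the subject/SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)")
    ekus = set(template["pKIExtendedKeyUsage"])
    if not ekus or ekus & AUTH_EKUS:  # an empty EKU list means any purpose
        reasons.append("EKU allows authentication: " + (", ".join(sorted(ekus)) or "<none>"))
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS and template["msPKI-RA-Signature"] == 0:
        reasons.append("no manager approval or authorized signature required")
    broad = LOW_PRIV_SIDS & set(template["enroll_sids"])
    if broad:
        reasons.append("Enroll right granted to " + ", ".join(sorted(broad)))
    return reasons if len(reasons) == 4 else []  # ESC1 needs every condition at once


def audit(templates: list[dict]) -> dict[str, list[str]]:
    """Map each template name that matches ESC1 to its list of reasons."""
    return {t["name"]: esc1_findings(t) for t in templates if esc1_findings(t)}


TEMPLATES = [  # constructed sample records
    {"name": "VulnerableTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-21-0-0-0-513"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,  # subject from AD
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-21-0-0-0-513"]},
    {"name": "Approved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,  # approval required
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_sids": ["S-1-5-21-0-0-0-513"]},
]
```

Running `audit(TEMPLATES)` reports only VulnerableTemplate; the built-in User template fails the subject check, and the Approved record shows that requiring manager approval alone removes a template from the ESC1 pattern.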

Related AD CS Attacks

Explore other attack vectors that target Active Directory Certificate Services:

ESC5: Vulnerable PKI Object Access Control
High
ESC5 targets vulnerable access controls on PKI objects, allowing attackers to manipulate CA configuration, potentially leading to unauthorized certificate issuance or CA compromise.
ESC11: Vulnerable Certificate Issuance Policy
High
ESC11 exploits misconfigured certificate issuance policies, allowing attackers to obtain certificates that should be restricted, potentially leading to unauthorized access or privilege escalation.
ESC6: ADCS Backup Extraction
Critical
ESC6 involves extracting and abusing ADCS backups to gain unauthorized access to the CA's private keys, potentially allowing an attacker to issue any certificate or decrypt intercepted communications.