ESC12: Vulnerable Certificate Revocation Configuration
ESC12 targets misconfigured or absent certificate revocation mechanisms, allowing attackers to continue using compromised or expired certificates for malicious purposes.
ESC12 exploits weaknesses in certificate revocation configurations within AD CS. When revocation mechanisms are not properly implemented or maintained, compromised or expired certificates can continue to be accepted as valid. This allows attackers to maintain unauthorized access even after a breach has been detected.
- Continued use of compromised certificates
- Inability to effectively respond to security incidents
- Potential for long-term unauthorized access
- Undermining of the entire PKI trust model
- Identify weaknesses in certificate revocation mechanisms
- Obtain a valid certificate through legitimate or illegitimate means
- Continue using the certificate even after it should have been revoked
- Exploit gaps in revocation checking to maintain unauthorized access
When conducting AD CS penetration testing, consider the following aspects specific to ESC12: Vulnerable Certificate Revocation Configuration:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
```powershell
# Check the CRL distribution points embedded in a certificate (opens certutil's URL retrieval tool)
certutil -url cert.cer

# Verify the CRL publication configuration on the CA
certutil -config "CA_SERVER\CA_NAME" -getreg CA\CRLPublicationURLs

# Manually publish a CRL (run on the CA; requires the Manage CA permission)
certutil -CRL

# Check OCSP configuration: responder locations are the entries flagged "32:" in CACertPublicationURLs
certutil -config "CA_SERVER\CA_NAME" -getreg CA\CACertPublicationURLs

# Test certificate revocation status, fetching the CRL and OCSP URLs listed in the certificate
certutil -verify -urlfetch cert.cer
```
- Implement comprehensive logging for all certificate usage
- Regularly audit and test certificate revocation processes
- Monitor for usage of certificates that should have been revoked
- Implement real-time alerting for failed revocation checks
- Conduct periodic assessments of the entire PKI infrastructure
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 4870: Certificate Services revoked a certificate
- 4884: Certificate Services retrieved an archived key
To mitigate ESC12: Vulnerable Certificate Revocation Configuration and enhance overall AD CS security, consider implementing the following measures:
- Implement and maintain robust certificate revocation mechanisms (CRL, OCSP)
- Regularly test and validate revocation processes
- Implement short-lived certificates where possible
- Ensure timely distribution and updating of Certificate Revocation Lists (CRLs)
- Use Online Certificate Status Protocol (OCSP) for real-time certificate validation
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
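As an added example that is not from the original page or from Microsoft's tooling, the following Go program implements the fail-closed revocation check the mitigations above call for: a CRL is trusted only if the issuing CA signed it and the current time falls inside its ThisUpdate..NextUpdate window, so a stale or foreign CRL cannot make a certificate look "good". The lab CA, leaf and CRL are constructed in memory (ed25519 keys, serial 4242) and are assumptions, not an AD CS configuration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckRevocation is a fail-closed CRL lookup: an unsigned, foreign or stale CRL yields "unknown", never "good".
func CheckRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "unknown", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // also enforces the CA's cRLSign key usage
		return "unknown", err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "unknown", fmt.Errorf("CRL stale or not yet valid (NextUpdate %s)", crl.NextUpdate.UTC())
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// Fixture builds a constructed lab CA, a leaf it issued, and a CRL (valid crlLife from now) that revokes the leaf if revoke is set.
func Fixture(now time.Time, crlLife time.Duration, revoke bool) (leaf, ca *x509.Certificate, crlDER []byte) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: lab code, not an AD CS CA
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caPriv)
	ca, _ = x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "user1"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, leafPub, caPriv)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(crlLife)}
	if revoke {
		crlTpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTpl, ca, caPriv)
	return leaf, ca, crlDER
}
```

Exercise it with `go test` beside a test that calls Fixture and CheckRevocation; checking a one-hour CRL at `now.Add(2*time.Hour)` takes the stale path, which is the case a permissive verifier silently passes.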