ESC13: Vulnerable Key Archival Configuration
ESC13 exploits misconfigured key archival settings, potentially allowing unauthorized access to archived private keys, leading to decryption of sensitive data or impersonation attacks.
ESC13 targets vulnerabilities in the key archival configuration of AD CS. When key archival is not properly secured, attackers may gain access to archived private keys. This can lead to the decryption of sensitive historical data or allow attackers to impersonate legitimate users by renewing their certificates.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Unauthorized access to archived private keys
- Potential decryption of historical encrypted communications
- Identity impersonation and unauthorized certificate renewal
- Compromise of long-term data confidentiality
- Identify vulnerabilities in key archival configurations
- Gain unauthorized access to key archival systems
- Extract archived private keys
- Use extracted keys for decryption or certificate renewal attacks
When conducting AD CS penetration testing, consider the following aspects specific to ESC13: Vulnerable Key Archival Configuration:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Check if key archival is enabled on the CA
certutil -config "CA_SERVER\CA_NAME" -getreg CA\DoNotStoreEncryptedKeysOnDiskList Key Recovery Agents
certutil -config "CA_SERVER\CA_NAME" -getreg CA\KeyRecoveryAgentsRequest a certificate with archived keys
certreq -submit -attrib "CertificateTemplate:UserWithArchivedKey" request.infAttempt to recover an archived key (requires appropriate permissions)
certutil -config "CA_SERVER\CA_NAME" -getkey <serial_number> keyfile.pvk- Implement comprehensive logging for all key archival operations
- Monitor access attempts to key archival systems
- Regularly audit key recovery and usage logs
- Implement alerting for unusual key recovery or usage patterns
- Conduct periodic security assessments of key archival infrastructure
- 4884: Certificate Services retrieved an archived key
- 4887: Certificate Services denied a certificate request
- 5136: A directory service object was modified (for monitoring key archival configuration changes)
To mitigate ESC13: Vulnerable Key Archival Configuration and enhance overall AD CS security, consider implementing the following measures:
- Implement strong access controls for key archival systems
- Use hardware security modules (HSMs) for key protection
- Regular audit and rotation of archived keys
- Implement strict key recovery procedures
- Encrypt archived keys with strong, regularly rotated encryption keys
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
