ESC14: Vulnerable Certificate Renewal Configuration
ESC14 exploits misconfigured certificate renewal settings, allowing attackers to renew compromised certificates or maintain long-term access to sensitive resources.
ESC14 targets vulnerabilities in the certificate renewal process within AD CS. When renewal policies are not properly configured, attackers can potentially renew compromised certificates, maintaining their unauthorized access for extended periods. This makes it challenging to detect and respond to security incidents effectively.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Prolonged unauthorized access to sensitive resources
- Difficulty in detecting and revoking compromised certificates
- Potential for long-term persistence in the network
- Increased challenge in incident response and recovery
- Identify vulnerabilities in certificate renewal configurations
- Obtain a valid certificate through legitimate or illegitimate means
- Exploit weak renewal policies to maintain access beyond intended certificate lifetime
- Use renewed certificates to maintain long-term unauthorized access
When conducting AD CS penetration testing, consider the following aspects specific to ESC14: Vulnerable Certificate Renewal Configuration:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate Vulnerable Configurations
certutil -v -template | findstr /i "msPKI-Cert-Template-OID" /c:"Renewal Period"certutil -config "CA_SERVER\CA_NAME" -getreg CA\CRLPeriodUnitscertutil -config "CA_SERVER\CA_NAME" -getreg CA\CRLPeriodUse Certify to find vulnerable renewal configurations
.\Certify.exe find /vulnerable /renewalRenew a certificate using certreq
certreq -enroll -q -machine -cert "<Certificate Thumbprint>" RenewUse PowerShell to renew a certificate
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -eq "CN=TargetCertificate"}Get-Certificate -Template "User" -CertStoreLocation Cert:\LocalMachine\My -Url ldap: -Credential (Get-Credential)- Implement comprehensive logging for all certificate renewal activities
- Monitor for unusual patterns in certificate renewal requests
- Regularly audit certificate lifetimes and renewal histories
- Implement alerting for certificate renewals outside of expected parameters
- Conduct periodic reviews of certificate renewal policies and practices
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 4890: The certificate manager settings for Certificate Services changed
- 5136: A directory service object was modified (for monitoring renewal policy changes)
To mitigate ESC14: Vulnerable Certificate Renewal Configuration and enhance overall AD CS security, consider implementing the following measures:
- Implement strict certificate renewal policies
- Regular audit of certificate lifetimes and renewal processes
- Implement strong authentication for certificate renewal requests
- Use short-lived certificates to limit the impact of compromised credentials
- Implement automated certificate lifecycle management
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
