ESC3: Misconfigured Enrollment Agent Restrictions

Attack Overview

ESC3 takes advantage of misconfigured Enrollment Agent restrictions in Active Directory Certificate Services (AD CS). This vulnerability allows an attacker with Enrollment Agent privileges to request certificates for accounts they shouldn't have access to, potentially leading to privilege escalation.

Attack Vector

  1. Obtain an Enrollment Agent certificate (possibly through ESC2 or legitimate means).
  2. Identify misconfigured Enrollment Agent restrictions that allow requesting certificates for privileged accounts.
  3. Use the Enrollment Agent certificate to request certificates for high-privileged accounts.
  4. Leverage the obtained certificates for authentication and privilege escalation.
Impact
  • Unauthorized certificate issuance for privileged accounts
  • Privilege escalation to high-privileged accounts
  • Unauthorized access to sensitive resources
  • Potential domain compromise

Mitigation Strategies

  • Implement and regularly review Enrollment Agent restrictions
  • Limit the scope of accounts that Enrollment Agents can request certificates for
  • Implement strong authentication and auditing for Enrollment Agent activities
  • Regularly review and rotate Enrollment Agent certificates
  • Monitor for suspicious certificate enrollment patterns

Detection

Event IDs to Monitor
  • 4886: Certificate Services received a certificate request (monitor for requests made by Enrollment Agents)
  • 4887: Certificate Services approved a certificate request and issued a certificate (monitor for certificates issued to privileged accounts)
  • 4892: A property of Certificate Services changed (monitor for changes to Enrollment Agent restrictions)
  • 4900: Certificate Services template security was updated (monitor for changes to template security that might affect Enrollment Agent restrictions)

Interactive Demo

Interactive ESC3 Attack Demo

Obtain Enrollment Agent Certificate

Acquire an Enrollment Agent certificate through legitimate means or by exploiting ESC2.

Identify Misconfigured Restrictions

Find Enrollment Agent restrictions that allow requesting certificates for privileged accounts.

Request High-Privilege Certificate

Use the Enrollment Agent certificate to request a certificate for a high-privileged account.

Obtain High-Privilege Certificate

Receive the issued certificate for the high-privileged account.

Authenticate as High-Privilege User

Use the obtained certificate to authenticate as the high-privileged user.

ESC3 Attack Diagram

ESC3 Attack Diagram
Learn More

To better protect your AD CS infrastructure against ESC3 and other attacks, explore our comprehensive resources:

Defense StrategiesBest Practices
Additional Resources