ESC3: Misconfigured Enrollment Agent Restrictions
ESC3 takes advantage of misconfigured Enrollment Agent restrictions. An Enrollment Agent certificate (one carrying the Certificate Request Agent EKU) lets its holder sign certificate requests on behalf of other users; when the CA does not restrict which agents may enroll for which users and templates, an attacker who obtains Enrollment Agent privileges can request certificates for accounts outside the agent's intended scope. This can lead to unauthorized access and, if a privileged account is impersonated, domain compromise.
- Unauthorized certificate requests for privileged accounts
- Identity impersonation across security boundaries
- Potential for domain-wide compromise
- Bypass of security controls
- Gain Enrollment Agent privileges
- Identify misconfigured Enrollment Agent restrictions
- Request certificates on behalf of high-privileged accounts
- Use the obtained certificates for authentication and privilege escalation
When conducting AD CS penetration testing, consider the following aspects specific to ESC3 (Misconfigured Enrollment Agent Restrictions):
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate Enrollment Agent Restrictions
The command below lists, for every template, the template name together with any Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1), the number of authorized signatures a request needs (msPKI-RA-Signature) and the application policies those signatures must carry (msPKI-RA-Application-Policies). Templates that issue agent certificates, and templates that accept agent-signed on-behalf-of requests, are the two halves of an ESC3 path; the original one-liner chained two findstr filters for values that never appear on the same output line and therefore printed nothing.
certutil -v -template | findstr /i "TemplatePropCommonName 1.3.6.1.4.1.311.20.2.1 msPKI-RA-Signature msPKI-RA-Application-Policies"
Request Certificate as Enrollment Agent
certreq -new request.inf request.req
certreq -submit -attrib "CertificateTemplate:EnrollmentAgentTemplate\nSAN:upn=<target-user-upn>" request.req
.\Certify.exe request /ca:dc.domain.com\CA-NAME /template:<template-requiring-agent-signature> /onbehalfof:DOMAIN\administrator /enrollcert:<agent-cert.pfx> /enrollcertpw:<pfx-password>
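A defender-side audit of the ESC3 preconditions, as an added PowerShell example that is not from the original page and is not part of Certify or certutil: it reads the Configuration partition over LDAP and reports published templates that issue Enrollment Agent certificates, and published templates that accept agent-signed on-behalf-of requests, flagging whether manager approval (CT_FLAG_PEND_ALL_REQUESTS) would still gate them. It assumes a domain-joined host with read access to the Configuration partition; the output labels and the `Search-Ldap` helper are my own.

```powershell
# Added example (not from the original page): audit ESC3 preconditions via LDAP.
# Assumes a domain-joined host with read access to the Configuration partition.
$AgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$root  = [ADSI]'LDAP://RootDSE'
$cfgDn = [string]$root.Properties['configurationNamingContext'].Value
$pkiDn = "CN=Public Key Services,CN=Services,$cfgDn"

# Hypothetical helper: paged LDAP search returning SearchResult objects.
function Search-Ldap([string]$Base, [string]$Filter, [string[]]$Props) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Base", $Filter)
    $s.PageSize = 500
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# Only templates published on an enterprise CA can actually be enrolled.
$published = @{}
foreach ($ca in Search-Ldap "CN=Enrollment Services,$pkiDn" '(objectClass=pKIEnrollmentService)' @('cn','certificateTemplates')) {
    foreach ($t in $ca.Properties['certificatetemplates']) { $published[$t] = $ca.Properties['cn'][0] }
}

$templates = Search-Ldap "CN=Certificate Templates,$pkiDn" '(objectClass=pKICertificateTemplate)' `
    @('cn','pKIExtendedKeyUsage','msPKI-RA-Signature','msPKI-RA-Application-Policies','msPKI-Enrollment-Flag')

foreach ($t in $templates) {
    $p    = $t.Properties
    $name = $p['cn'][0]
    if (-not $published.ContainsKey($name)) { continue }
    $ekus  = @($p['pkiextendedkeyusage'])
    $sigs  = [int]($p['mspki-ra-signature'] | Select-Object -First 1)
    # V4 templates pack RA policies into a backtick-delimited string, so match rather than compare.
    $raPol = ($p['mspki-ra-application-policies'] -join ' ')
    $flags = [int]($p['mspki-enrollment-flag'] | Select-Object -First 1)
    $gate  = if (($flags -band 0x2) -ne 0) { 'manager approval required' } else { 'NO manager approval' }

    if ($ekus -contains $AgentEku) {
        "[EA-TEMPLATE]  $name on $($published[$name]) issues Enrollment Agent certificates ($gate)"
    }
    if ($sigs -ge 1 -and $raPol -match [regex]::Escape($AgentEku)) {
        "[AGENT-SIGNED] $name on $($published[$name]) accepts on-behalf-of requests signed by an agent ($gate)"
    }
}
```

An environment where both categories are published without approval, and where the CA's own Enrollment Agents tab is still at its default of "Do not restrict enrollment agents", is exactly the ESC3 condition described above; the script does not read the CA-side restriction, which lives in the CA's policy module settings rather than in AD.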
- Monitor and log all certificate requests made by Enrollment Agents
- Implement alerting for unusual certificate request patterns
- Regularly audit Enrollment Agent activities and permissions
- Use security information and event management (SIEM) tools to correlate Enrollment Agent activities
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 4738: A user account was changed (for monitoring Enrollment Agent changes)
- 5136: A directory service object was modified (for monitoring Enrollment Agent restriction changes)
To mitigate ESC3 and harden AD CS more broadly, consider implementing the following measures:
- Configure Enrollment Agent restrictions on every CA so that each agent can only request certificates on behalf of the users, groups and templates it is intended to serve
- Regularly audit Enrollment Agent permissions and activity, and remove agent certificates and template enrollment rights that are no longer needed
- Monitor certificate request patterns, especially on-behalf-of requests
- Use strong authentication for Enrollment Agent operations
- Apply the principle of least privilege to Enrollment Agents and across the rest of your AD CS infrastructure
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Maintain up-to-date documentation of your AD CS configuration and security policies