ESC5: Vulnerable PKI Object Access Control

High

ESC5 targets vulnerable access controls on PKI objects, allowing attackers to manipulate CA configuration, potentially leading to unauthorized certificate issuance or CA compromise.

Diagram illustrating ESC5 attack vector with vulnerable PKI object access control
ADCS Security Tools - Special Offer
Attack Details

ESC5 exploits weak access controls on PKI objects, such as the CA configuration. This can allow attackers to manipulate critical PKI settings, potentially leading to unauthorized certificate issuance or even complete compromise of the Certificate Authority.

Learn more about AD CS defense strategies to protect against this and other attacks.

Impact
  • Unauthorized changes to CA configuration
  • Issuance of rogue certificates
  • Potential complete compromise of the PKI infrastructure
  • Loss of trust in the entire certificate ecosystem
Exploitation Steps
  1. Identify PKI objects with weak access controls
  2. Modify CA configuration settings (e.g., validity period, issuance policies)
  3. Issue rogue certificates or manipulate existing ones
  4. Use the compromised PKI infrastructure for further attacks
Penetration Testing Considerations

When conducting AD CS penetration testing, consider the following aspects specific to ESC5: Vulnerable PKI Object Access Control:

  • Identify vulnerable certificate templates and misconfigurations
  • Assess the potential impact on the overall AD CS security
  • Evaluate the effectiveness of existing security controls
  • Test for the ability to exploit this vulnerability in the target environment
  • Document findings and provide actionable remediation steps
Command Examples

Enumerate PKI Objects with Weak Access Controls

dsacls "CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"
certutil -config "CA_SERVER\CA_NAME" -getreg CA\CRLPublicationURLs

Modify CA Configuration Settings

certutil -config "CA_SERVER\CA_NAME" -setreg "CA\CRLPeriod" "1 Years"
certutil -config "CA_SERVER\CA_NAME" -setreg "CA\CRLDeltaPeriod" "1 Days"

Issue a Rogue Certificate

certreq -submit -attrib "CertificateTemplate:SubCA" -config "CA_SERVER\CA_NAME" request.inf
Detection
  • Implement comprehensive auditing for all changes to PKI objects
  • Monitor and alert on modifications to CA configuration
  • Regularly review access control lists (ACLs) on PKI objects
  • Use security information and event management (SIEM) tools to correlate PKI-related activities
Event IDs
  • 4882: The security permissions for Certificate Services changed
  • 4885: The audit filter for Certificate Services changed
  • 4890: The certificate manager settings for Certificate Services changed
Mitigation and AD CS Security Best Practices

To mitigate ESC5: Vulnerable PKI Object Access Control and enhance overall AD CS security, consider implementing the following measures:

  • Implement strict access controls on PKI objects
  • Regular audit of CA configuration changes
  • Implement separation of duties for PKI management
  • Use of Protected Groups for PKI administrators
  • Implement change management processes for CA configuration changes
  • Regularly conduct AD CS penetration testing to identify and address vulnerabilities
  • Implement the principle of least privilege across your AD CS infrastructure
  • Maintain up-to-date documentation of your AD CS configuration and security policies
Sponsored Content
Advertisement

Related AD CS Attacks

Explore other attack vectors that target Active Directory Certificate Services:

Diagram illustrating ESC15 attack vector with vulnerable certificate request handling
ESC15: Vulnerable Certificate Request Handling
Critical
ESC15 targets vulnerabilities in how certificate requests are processed and validated, potentially allowing attackers to manipulate request data and obtain unauthorized certificates.
Diagram illustrating ESC14 attack vector with vulnerable certificate renewal configuration
ESC14: Vulnerable Certificate Renewal Configuration
High
ESC14 exploits misconfigured certificate renewal settings, allowing attackers to renew compromised certificates or maintain long-term access to sensitive resources.
Diagram illustrating ESC3 attack vector with misconfigured Enrollment Agent restrictions
ESC3: Misconfigured Enrollment Agent Restrictions
High
ESC3 takes advantage of misconfigured Enrollment Agent restrictions, allowing an attacker with Enrollment Agent privileges to request certificates for accounts they shouldn't have access to.