ESC5: Vulnerable PKI Object Access Control
ESC5 targets vulnerable access controls on PKI objects, allowing attackers to manipulate CA configuration, potentially leading to unauthorized certificate issuance or CA compromise.
ESC5 exploits weak access controls on PKI objects, such as the CA configuration. This can allow attackers to manipulate critical PKI settings, potentially leading to unauthorized certificate issuance or even complete compromise of the Certificate Authority.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Unauthorized changes to CA configuration
- Issuance of rogue certificates
- Potential complete compromise of the PKI infrastructure
- Loss of trust in the entire certificate ecosystem
- Identify PKI objects with weak access controls
- Modify CA configuration settings (e.g., validity period, issuance policies)
- Issue rogue certificates or manipulate existing ones
- Use the compromised PKI infrastructure for further attacks
When conducting AD CS penetration testing, consider the following aspects specific to ESC5: Vulnerable PKI Object Access Control:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate PKI Objects with Weak Access Controls
dsacls "CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"certutil -config "CA_SERVER\CA_NAME" -getreg CA\CRLPublicationURLsModify CA Configuration Settings
certutil -config "CA_SERVER\CA_NAME" -setreg "CA\CRLPeriod" "1 Years"certutil -config "CA_SERVER\CA_NAME" -setreg "CA\CRLDeltaPeriod" "1 Days"Issue a Rogue Certificate
certreq -submit -attrib "CertificateTemplate:SubCA" -config "CA_SERVER\CA_NAME" request.inf- Implement comprehensive auditing for all changes to PKI objects
- Monitor and alert on modifications to CA configuration
- Regularly review access control lists (ACLs) on PKI objects
- Use security information and event management (SIEM) tools to correlate PKI-related activities
- 4882: The security permissions for Certificate Services changed
- 4885: The audit filter for Certificate Services changed
- 4890: The certificate manager settings for Certificate Services changed
To mitigate ESC5: Vulnerable PKI Object Access Control and enhance overall AD CS security, consider implementing the following measures:
- Implement strict access controls on PKI objects
- Regular audit of CA configuration changes
- Implement separation of duties for PKI management
- Use of Protected Groups for PKI administrators
- Implement change management processes for CA configuration changes
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
