ESC5: Vulnerable PKI Object Access Control

High

ESC5 targets vulnerable access controls on PKI objects, allowing attackers to manipulate CA configuration, potentially leading to unauthorized certificate issuance or CA compromise.

Diagram illustrating ESC5 attack vector with vulnerable PKI object access control
ADCS Security Tools - Special Offer
Attack Details

ESC5 exploits weak access controls on PKI objects, such as the CA configuration. This can allow attackers to manipulate critical PKI settings, potentially leading to unauthorized certificate issuance or even complete compromise of the Certificate Authority.

Learn more about AD CS defense strategies to protect against this and other attacks.

Impact
  • Unauthorized changes to CA configuration
  • Issuance of rogue certificates
  • Potential complete compromise of the PKI infrastructure
  • Loss of trust in the entire certificate ecosystem
Exploitation Steps
  1. Identify PKI objects with weak access controls
  2. Modify CA configuration settings (e.g., validity period, issuance policies)
  3. Issue rogue certificates or manipulate existing ones
  4. Use the compromised PKI infrastructure for further attacks
Penetration Testing Considerations

When conducting AD CS penetration testing, consider the following aspects specific to ESC5: Vulnerable PKI Object Access Control:

  • Identify vulnerable certificate templates and misconfigurations
  • Assess the potential impact on the overall AD CS security
  • Evaluate the effectiveness of existing security controls
  • Test for the ability to exploit this vulnerability in the target environment
  • Document findings and provide actionable remediation steps
Command Examples

Enumerate PKI Objects with Weak Access Controls

dsacls "CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com"
certutil -config "CA_SERVER\CA_NAME" -getreg CA\CRLPublicationURLs

Modify CA Configuration Settings

certutil -config "CA_SERVER\CA_NAME" -setreg "CA\CRLPeriod" "1 Years"
certutil -config "CA_SERVER\CA_NAME" -setreg "CA\CRLDeltaPeriod" "1 Days"

Issue a Rogue Certificate

certreq -submit -attrib "CertificateTemplate:SubCA" -config "CA_SERVER\CA_NAME" request.inf
Detection
  • Implement comprehensive auditing for all changes to PKI objects
  • Monitor and alert on modifications to CA configuration
  • Regularly review access control lists (ACLs) on PKI objects
  • Use security information and event management (SIEM) tools to correlate PKI-related activities
Event IDs
  • 4882: The security permissions for Certificate Services changed
  • 4885: The audit filter for Certificate Services changed
  • 4890: The certificate manager settings for Certificate Services changed
Mitigation and AD CS Security Best Practices

To mitigate ESC5: Vulnerable PKI Object Access Control and enhance overall AD CS security, consider implementing the following measures:

  • Implement strict access controls on PKI objects
  • Regular audit of CA configuration changes
  • Implement separation of duties for PKI management
  • Use of Protected Groups for PKI administrators
  • Implement change management processes for CA configuration changes
  • Regularly conduct AD CS penetration testing to identify and address vulnerabilities
  • Implement the principle of least privilege across your AD CS infrastructure
  • Maintain up-to-date documentation of your AD CS configuration and security policies
Sponsored Content
Advertisement

Related AD CS Attacks

Explore other attack vectors that target Active Directory Certificate Services:

Diagram illustrating ESC12 attack vector with vulnerable certificate revocation configuration
ESC12: Vulnerable Certificate Revocation Configuration
Critical
ESC12 targets misconfigured or absent certificate revocation mechanisms, allowing attackers to continue using compromised or expired certificates for malicious purposes.
Diagram illustrating ESC9 attack vector with missing Extended Key Usage
ESC9: No Security Extension
High
ESC9 takes advantage of certificate templates that don't specify the Extended Key Usage extension, potentially allowing certificates to be used for any purpose, including authentication.
Diagram illustrating ESC13 attack vector with vulnerable key archival configuration
ESC13: Vulnerable Key Archival Configuration
High
ESC13 exploits misconfigured key archival settings, potentially allowing unauthorized access to archived private keys, leading to decryption of sensitive data or impersonation attacks.