ESC6: ADCS Backup Extraction
ESC6 involves extracting and abusing ADCS backups to gain unauthorized access to the CA's private keys, potentially allowing an attacker to issue any certificate or decrypt intercepted communications.
ESC6 targets the backups of Active Directory Certificate Services (ADCS). If an attacker can gain access to these backups and they are not properly secured, they may be able to extract the Certificate Authority's private keys. This would allow the attacker to issue any certificate they want or potentially decrypt communications that were encrypted using certificates from the compromised CA.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Unauthorized access to CA private keys
- Ability to issue any certificate
- Potential to decrypt all historical encrypted communications
- Complete compromise of the PKI trust model
- Locate and access ADCS backup files
- Extract the CA's private keys from the backup
- Use the extracted keys to issue rogue certificates or decrypt communications
- Potentially set up a rogue CA to issue certificates
When conducting AD CS penetration testing, consider the following aspects specific to ESC6: ADCS Backup Extraction:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Locate ADCS Backup Files
dir C:\Windows\System32\CertSrv\CertEnroll\*.p12Get-ChildItem -Path C:\Windows\System32\CertSrv\CertEnroll -Filter *.p12 -RecurseExtract Private Key from Backup
certutil -exportpfx "CA_NAME" "C:\temp\ca_backup.pfx"certutil -p "password" -exportpfx "CA_NAME" "C:\temp\ca_backup.pfx"Use Extracted Key to Issue a Rogue Certificate
makecert -n "CN=RogueAdmin" -pe -ss My -sr LocalMachine -sky exchange -in "CA_NAME" -is MY -iv ca_backup.pfx -ic CA.cer RogueAdmin.cer- Monitor access to ADCS backup files
- Implement auditing for all backup and restore operations
- Use file integrity monitoring on backup storage locations
- Monitor for unusual certificate issuance patterns
- Implement network segmentation to isolate backup storage
- 4898: Certificate Services loaded a template
- 4899: Certificate Services template was updated
- 5137: A directory service object was created (for monitoring new CA objects)
To mitigate ESC6: ADCS Backup Extraction and enhance overall AD CS security, consider implementing the following measures:
- Implement strong encryption and access controls for ADCS backups
- Regular rotation of CA keys
- Implement secure key management practices
- Use Hardware Security Modules (HSMs) for key storage
- Implement strict backup and recovery procedures
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
