ESC9: No Security Extension
ESC9 takes advantage of certificate templates that don't specify the Extended Key Usage extension, potentially allowing certificates to be used for any purpose, including authentication.
ESC9 exploits certificate templates that lack the Extended Key Usage (EKU) extension. Without this extension, certificates can potentially be used for any purpose, including authentication, even if that wasn't the original intent. This can lead to misuse of certificates and potential security breaches.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Misuse of certificates for unintended purposes
- Potential for authentication bypass
- Increased attack surface for lateral movement
- Difficulty in enforcing proper certificate usage
- Identify certificate templates without specified EKU
- Enroll in these templates to obtain versatile certificates
- Use the obtained certificates for unintended purposes (e.g., authentication)
- Exploit the lack of restrictions to gain unauthorized access
When conducting AD CS penetration testing, consider the following aspects specific to ESC9: No Security Extension:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate certificate templates without EKU
certutil -v -template | findstr /i "pKIExtendedKeyUsage" | findstr /v /i "1.3.6.1.5.5.7.3"Get-CertificateTemplate | Where-Object {$_.ExtendedKeyUsage -eq $null} | Select-Object NameRequest a certificate from a template without EKU
certreq -submit -attrib "CertificateTemplate:VulnerableTemplate" request.infGet-Certificate -Template VulnerableTemplate -CertStoreLocation Cert:\CurrentUser\MyUse Certify to find and exploit vulnerable templates
.\Certify.exe find /vulnerable /template:*.\Certify.exe request /ca:dc.domain.com\CA-NAME /template:VulnerableTemplate- Regularly audit certificate templates for missing or misconfigured EKU
- Monitor for unusual certificate usage patterns
- Implement logging and alerting for certificate enrollments in sensitive templates
- Use security information and event management (SIEM) tools to correlate certificate-related events
- Conduct periodic security assessments of the PKI infrastructure
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 5136: A directory service object was modified (for monitoring template changes)
To mitigate ESC9: No Security Extension and enhance overall AD CS security, consider implementing the following measures:
- Ensure all certificate templates specify appropriate Extended Key Usage
- Regular audit of certificate template configurations
- Implement strict certificate usage policies
- Use security descriptors to limit who can enroll in sensitive templates
- Implement certificate path validation in applications
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
