Privilege Escalation in AD CS Attacks

Overview

Privilege escalation is a key concept in Active Directory Certificate Services (AD CS) security. It features in several attack vectors that can compromise an AD CS infrastructure.

Related Attacks

ESC1 exploits overly permissive enrollment rights in certificate templates, allowing low-privileged users to enroll for certificates that can be used for authentication, potentially leading to privilege escalation.

ESC2 abuses misconfigured Enrollment Agent templates, allowing an attacker to request certificates on behalf of other users, potentially leading to privilege escalation and unauthorized access.

ESC3 takes advantage of misconfigured Enrollment Agent restrictions, allowing an attacker with Enrollment Agent privileges to request certificates for accounts they shouldn't have access to, potentially leading to privilege escalation.

Mitigation Strategies

To mitigate attacks related to privilege escalation, consider the following strategies:

  • Regularly audit and review all certificate templates
  • Implement the principle of least privilege for certificate template configurations
  • Use security groups to control enrollment permissions
  • Enable and configure certificate request logging
  • Implement strong access controls on certificate templates and CA configurations
  • Review and restrict access to Enrollment Agent templates
  • Implement strict controls on who can act as an Enrollment Agent
  • Monitor and audit certificate requests, especially those made on behalf of other users
  • Implement proper certificate lifecycle management
  • Use strong authentication for Enrollment Agents
  • Implement and regularly review Enrollment Agent restrictions
  • Limit the scope of accounts that Enrollment Agents can request certificates for
  • Implement strong authentication and auditing for Enrollment Agent activities
  • Regularly review and rotate Enrollment Agent certificates
  • Monitor for suspicious certificate enrollment patterns
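As an added example (not code from the original page), a small audit check in the spirit of the first mitigation above: it walks certificate template records, expressed here as dicts carrying the LDAP attribute names used by AD CS templates, and flags ESC1-style conditions and Enrollment Agent templates enrollable by low-privileged principals. The sample templates and the pre-resolved `enrollers` lists are constructed assumptions; in a real audit they would be read from the Configuration naming context and each template's security descriptor.

```python
# Added audit example (not from this page). Template dicts mimic the LDAP
# attributes of objects under CN=Certificate Templates,CN=Public Key Services.
# "enrollers" is an ASSUMED, pre-resolved list of principals holding the Enroll
# right (normally derived from the template's nTSecurityDescriptor).

CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
ENROLLMENT_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (manager approval)
LOW_PRIV_GROUPS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

def audit_template(tpl):
    """Return a list of finding strings for one template dict (empty if clean)."""
    findings = []
    ekus = set(tpl.get("pKIExtendedKeyUsage", []))
    low_priv_enroll = bool(LOW_PRIV_GROUPS & set(tpl.get("enrollers", [])))
    needs_approval = bool(tpl.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS)
    supplies_subject = bool(tpl.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT)
    auth_capable = not ekus or bool(ekus & CLIENT_AUTH_EKUS)   # no EKU = any purpose
    if supplies_subject and auth_capable and low_priv_enroll and not needs_approval:
        findings.append("ESC1: low-privileged enrollees may supply the subject of an authentication certificate")
    if ENROLLMENT_AGENT_EKU in ekus and low_priv_enroll:
        findings.append("Enrollment Agent template enrollable by low-privileged principals")
    return findings

def audit_all(templates):
    """Map template name -> findings, keeping only templates with findings."""
    return {t["name"]: f for t in templates if (f := audit_template(t))}

# Constructed sample templates (not from a real forest).
SAMPLE_TEMPLATES = [
    {"name": "VulnUserTemplate", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "enrollers": ["Domain Users"]},
    {"name": "ApprovedUserTemplate", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "enrollers": ["Domain Users"]},
    {"name": "OpenAgent", "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.1"],
     "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "enrollers": ["Authenticated Users"]},
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_TEMPLATES).items():
        print(name, found)
```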