Active Directory Certificate Services Attacks: ESC1 through ESC11
Cybersecurity
AD CS misconfigurations are the highest-impact attack surface in modern Windows. A reference walkthrough of ESC1 through ESC11, Certify, Certipy, and CVE-2022-26923.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 30, 2024 · 13 min read
SpecterOps published Certified Pre-Owned in mid 2021 and changed the way every red team approaches Active Directory. AD CS, the Microsoft PKI role that sits quietly in most enterprises, turns out to be a sprawling privilege escalation surface. The escalation paths labelled ESC1 through ESC11 are now standard checklist items. Most networks still have at least one of them open.
Tooling
- Certify.exe by SpecterOps for Windows enumeration and request
- Certipy by ly4k for the full Linux workflow, including ESC1 through ESC11 and the noPac shadow credentials path
- PSPKIAudit for defender-side enumeration
- certutil.exe for native enumeration when tooling is restricted
ESC1: Templates that let you specify Subject
A template whose mspki-certificate-name-flag includes ENROLLEE_SUPPLIES_SUBJECT and that carries a clientAuth EKU lets a low-privilege user request a certificate in the name of any principal, including a Domain Admin, and then authenticate with it via Kerberos PKINIT.
certipy req -u low@corp.local -p Password1 -ca CORP-CA -template VulnerableTemplate -upn administrator@corp.local
ESC2: Any Purpose templates
Templates with the Any Purpose EKU, or no EKU at all, produce certificates usable for any purpose, including signing new certificates. Useful for forging client certificates downstream.
ESC3: Enrollment Agent
An enrollment agent template, one carrying the Certificate Request Agent EKU, lets the holder enroll on behalf of any user: request an agent certificate, then use it to request a client authentication certificate as the target.
ESC4: Template ACL takeover
If a low-privilege principal has GenericAll or WriteDACL on a certificate template object, they can rewrite the template into an ESC1 condition and then exploit it. Certipy can flip the template in place.
ESC5: CA object ACLs
ACL abuse on the CA itself, its server object, or the related PKI containers in Active Directory. Less common than template misconfigurations, but equally severe.
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2
If this flag is set on the CA, attackers can supply an arbitrary SAN as a request attribute, even on templates that do not allow it, which effectively turns any clientAuth template into ESC1. The May 2022 update changed this behaviour, but the flag is still found on unpatched CAs.
ESC7: CA management rights
ManageCA or ManageCertificates rights on the CA allow approving pending requests or adding officer rights, which leads to issuing arbitrary certificates.
ESC8: NTLM relay to web enrollment
The HTTP web enrollment endpoint accepts NTLM authentication. Coerce a DC with PetitPotam, relay it to /certsrv/certfnsh.asp requesting the DomainController template, obtain a certificate for the DC, and use it to DCSync. Covered in our NTLM relay article.
ESC9 and ESC10: UPN mapping abuses
When StrongCertificateBindingEnforcement is not enforced (the CVE-2022-26923 territory), an attacker who controls a user object or a machine account can change its userPrincipalName, request a certificate, then revert the attribute and authenticate as a different principal. Certifried (CVE-2022-26923) is the canonical machine-account variant.
ESC11: Relay to RPC enrollment without EPA
When the IF_ENFORCEENCRYPTICERTREQUEST flag is not set on the CA, RPC-based enrollment over the ICertPassage interface accepts unprotected NTLM authentication, allowing a relay similar to ESC8. Found by Sylvain Heiniger.
If you have not run Certipy find against your CA, you do not know what your PKI exposes. The default output is sobering.
Detection
- Events 4886 (request received) and 4887 (certificate issued) on the CA; correlate the requester with any SAN values that name a different principal
- Event 4768 TGT requests using PKINIT pre-authentication from accounts that have never previously authenticated with a certificate
- AD CS auditing enabled at the CA level via certutil -setreg CA\AuditFilter 127 (the Certification Services audit subcategory must also be enabled, and the CA service restarted)
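As an added example of the two correlations above (not code from the article or from any of the tools it names), the following Python runs over constructed, simplified event records: CA event 4887 fields reduced to requester, template and request attributes, and DC event 4768 fields reduced to account and pre-authentication type, where type 16 (PA-PK-AS-REQ) indicates PKINIT. The baseline of known certificate-authenticating accounts is also constructed.

```python
# Added example (not from the article): flag issued certificates whose SAN
# names a principal other than the requester (ESC1/ESC6 indicator) and
# accounts whose first observed PKINIT logon has no baseline.
import re

# Constructed 4887 records; only the fields used here are modelled.
ISSUED = [
    {"event_id": 4887, "request_id": 101, "requester": "CORP\\low",
     "template": "VulnerableTemplate", "subject": "CN=low",
     "attributes": "CertificateTemplate:VulnerableTemplate\nSAN:upn=administrator@corp.local"},
    {"event_id": 4887, "request_id": 102, "requester": "CORP\\alice",
     "template": "User", "subject": "CN=alice",
     "attributes": "CertificateTemplate:User"},
]
# Constructed 4768 records; pre-auth type 16 is PA-PK-AS-REQ (PKINIT).
TGT_REQUESTS = [
    {"event_id": 4768, "account": "administrator", "preauth_type": 16, "client": "10.0.0.50"},
    {"event_id": 4768, "account": "alice", "preauth_type": 2, "client": "10.0.0.51"},
]
# Constructed baseline of accounts already known to use certificate auth.
KNOWN_PKINIT_USERS = {"svc-smartcard"}

SAN_UPN = re.compile(r"upn=([^\s,;]+)", re.IGNORECASE)

def requester_account(requester: str) -> str:
    """'CORP\\low' -> 'low'; machine accounts keep their trailing '$'."""
    return requester.split("\\")[-1].lower()

def san_mismatches(events):
    """Return (request_id, requester, upn) for 4887 events whose SAN UPN
    does not belong to the requesting account."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4887:
            continue
        for upn in SAN_UPN.findall(ev["attributes"]):
            if upn.split("@")[0].lower() != requester_account(ev["requester"]):
                hits.append((ev["request_id"], ev["requester"], upn))
    return hits

def first_time_pkinit(events, known):
    """Return accounts whose 4768 used PKINIT (type 16) with no baseline."""
    return sorted({ev["account"].lower() for ev in events
                   if ev["event_id"] == 4768 and ev["preauth_type"] == 16
                   and ev["account"].lower() not in known})
```

Feeding the two outputs into a single alert (a mismatched SAN followed shortly by a first-time PKINIT logon for the same account) is the correlation the detection list describes.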
Remediation
- Run Certipy find or PSPKIAudit and remediate every ESC1 through ESC11 finding before any pentest.
- Set StrongCertificateBindingEnforcement to 2 (full enforcement) on domain controllers to block the CVE-2022-26923 class.
- Disable HTTP web enrollment, or front it with strict client certificate auth and EPA.
- Remove ENROLLEE_SUPPLIES_SUBJECT from any template with clientAuth EKU.
- Audit and tier the CA. Treat it as a Tier 0 asset, equivalent to a Domain Controller.
AD CS is the most underestimated path to Domain Admin in modern Windows. The tools to fix it are free, the audit is fast, and the impact is total.