ADCS (II): Attack Paths
AD CS: Summary of Attack Paths (ESCs)
This post gives an overview of the escalation scenarios (ESC1 to ESC14) documented for Active Directory Certificate Services (AD CS), originally catalogued in SpecterOps' "Certified Pre-Owned" research and extended by later work. Each one shows how a misconfigured template, CA setting or access control can be abused to obtain a certificate for another identity, escalate privileges, or keep persistent access to a Windows domain. Note that "ESC" is simply a numbering of escalation scenarios, not a configuration standard.
ESC1: Misconfigured Certificate Templates (Requester-Supplied SAN)
- Description:
A template is exploitable when all of the following hold: a low-privileged group (for example Domain Users or Authenticated Users) has the Enroll right; the EKU permits domain authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all); the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag in msPKI-Certificate-Name-Flag lets the requester define the subject and SAN; and issuance requires neither CA manager approval nor an authorized signature. Any domain user can then request a certificate whose SAN carries the UPN of a privileged account and authenticate as that account with PKINIT.
- References:
ESC2: Any Purpose EKU or No EKU
- Description:
Templates that carry the Any Purpose EKU (2.5.29.37.0) or no EKU at all (as the built-in SubCA template does) issue certificates valid for every use. An Any Purpose certificate works directly for domain authentication. A no-EKU certificate can sign new certificates as well, although certificates it signs are not trusted for domain logon unless the issuing CA is in NTAuthCertificates. When such a template is enrollable by low-privileged users, it is abused like ESC1 (if the requester supplies the subject) or like ESC3, by using the certificate as an enrollment agent to request certificates on behalf of other users.
- References:
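Added example, written for this edit rather than taken from the original post or from any tool it mentions: a small audit that applies the template-side conditions of ESC1, ESC2 and ESC3 from the three entries above to pKICertificateTemplate attributes. The template records are constructed samples in the shape of the LDAP attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage); the enroll_sids list and the domain SID prefix are assumptions that stand in for the Enroll extended right resolved out of the template's nTSecurityDescriptor.

```python
# Added example, not from the original post. Applies the ESC1/ESC2/ESC3
# template-side conditions to pKICertificateTemplate attributes.
# All sample data below is constructed; the domain SID prefix is made up and
# 'enroll_sids' stands in for the Enroll right resolved from the template's
# nTSecurityDescriptor (an assumed pre-processing step).

# msPKI-Certificate-Name-Flag bit: requester builds the subject and SAN
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"   # Certificate Request Agent

# EKUs that let a certificate log on to the domain (PKINIT or Schannel)
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}

# Principals a regular user effectively holds. Domain Computers (RID 515) is
# included because MachineAccountQuota usually lets any user create one.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-515"}


def low_priv_can_enroll(t):
    """Enroll right granted to Everyone, Authenticated Users, Domain Users or Domain Computers."""
    return bool(LOW_PRIV_SIDS & set(t.get("enroll_sids", [])))


def issued_without_approval(t):
    """No manager approval and no authorized-signature requirement."""
    return (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS) == 0 \
        and t.get("msPKI-RA-Signature", 0) == 0


def usable_for_domain_auth(ekus):
    """No EKU at all (valid for anything) or an EKU accepted for logon."""
    return not ekus or bool(ekus & AUTH_EKUS)


def triage_template(t):
    """Return the ESC labels whose template-side preconditions all hold."""
    findings = []
    # Every scenario below needs a regular user to actually get a certificate.
    if not (low_priv_can_enroll(t) and issued_without_approval(t)):
        return findings
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    if supplies_subject and usable_for_domain_auth(ekus):
        findings.append("ESC1")           # arbitrary UPN in the SAN, logon EKU
    if not ekus or OID_ANY_PURPOSE in ekus:
        findings.append("ESC2")           # Any Purpose / SubCA-style certificate
    if OID_ENROLLMENT_AGENT in ekus:
        findings.append("ESC3")           # can enroll on behalf of other users
    return findings


def triage_all(templates):
    """Map template name -> findings, keeping only templates with findings."""
    return {name: f for name, t in templates.items() if (f := triage_template(t))}


SAMPLE_TEMPLATES = {   # constructed
    "VulnWebServer": {
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [OID_SERVER_AUTH, OID_CLIENT_AUTH],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    "User": {   # default User template: subject built from AD, autoenroll
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [OID_CLIENT_AUTH, "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    "SubCAClone": {   # copy of SubCA left enrollable by everyone
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
        "enroll_sids": ["S-1-5-11"],
    },
    "HelpdeskAgent": {
        "msPKI-Certificate-Name-Flag": 0x82000000,
        "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [OID_ENROLLMENT_AGENT],
        "enroll_sids": ["S-1-5-11"],
    },
    "ApprovedVPN": {   # same as VulnWebServer but manager approval is on
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
```

The ApprovedVPN entry is there on purpose: it has the same SAN and EKU settings as VulnWebServer, but the manager-approval bit alone takes it off the ESC1 list, which is why the approval and signature check runs before any EKU logic. On a real domain the same function runs over the templates pulled from the Configuration partition, with the Enroll right resolved from each template's security descriptor into the enroll_sids field.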
ESC3: Enrollment Agent Templates
- Description:
The Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1) lets its holder enroll on behalf of other users. The attack needs two templates: one that issues the agent EKU to low-privileged users, and a second with an authentication EKU whose issuance requirements accept an enrollment agent signature (schema version 1 templates such as the built-in User template accept any agent certificate), with no enrollment agent restrictions configured on the CA. The attacker requests an agent certificate, then uses it to request an authentication certificate on behalf of a privileged account.
- References:
ESC4: Vulnerable Certificate Template Access Control
- Description:
Here the problem is not the template's settings but the ACL on the template object in the Configuration partition. A principal with WriteOwner, WriteDacl, WriteProperty or GenericAll over the template can rewrite it into an ESC1 configuration (set CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, add Client Authentication, clear manager approval, grant Enroll), enroll, and restore the original values afterwards so the change leaves little trace.
- References:
ESC5: Vulnerable PKI Object Access Control
- Description:
Objects outside the templates also decide who the CA trusts: the CA server's computer object (for example through resource-based constrained delegation or a shadow credentials attack on its msDS-KeyCredentialLink), the CA's RPC/DCOM server, and the objects under CN=Public Key Services,CN=Services,CN=Configuration, such as the Certification Authorities and Certificate Templates containers and NTAuthCertificates. Write access to any of these lets an attacker, for instance, publish a rogue CA certificate that every domain controller will then accept for authentication.
- References:
ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 Set on the CA
- Description:
When the CA's EditFlags registry value contains EDITF_ATTRIBUTESUBJECTALTNAME2, the CA honours a SAN passed as a request attribute (SAN:upn=...) for every template, including those that build the subject from Active Directory, so any template a user can enroll in effectively becomes an ESC1 template. Since the May 2022 updates (KB5014754) the CA also embeds the requester's SID in a security extension, so the smuggled UPN is only honoured when that extension is absent (ESC9) or the domain controllers still use weak certificate mapping (ESC10).
- References:
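Added example, written for this edit and not code from the original post: a detection pass over issued-certificate records that flags a SAN naming a different account than the requester, the after-the-fact signal for both ESC1 (UPN chosen in the CSR) and ESC6 (SAN passed as a request attribute, which the CA records next to the CertificateTemplate attribute). The records are constructed and use an assumed normalised shape (request_id, requester, template, san_upn, request_attributes); in practice they would be pulled from the CA database with certutil -view or from Security event 4887 on the CA host.

```python
# Added example, not from the original post. Hunts issued certificates whose
# SAN names a different account than the requester: the after-the-fact signal
# for ESC1 (SAN smuggled in the CSR) and ESC6 (SAN passed as a request
# attribute, which the CA records alongside CertificateTemplate:...).
# Records are constructed and use an assumed normalised shape; real ones come
# from the CA database (certutil -view) or Security event 4887 on the CA.
import re

# 'CORP\jdoe', 'jdoe@corp.local' or 'jdoe' -> 'jdoe'
ACCOUNT_RE = re.compile(r"^(?:[^\\]+\\)?([^@\\]+)(?:@.*)?$")

PRIVILEGED = {"administrator", "krbtgt"}


def principal_account(name):
    """Normalise a requester name or UPN to a bare, lower-cased sAMAccountName."""
    m = ACCOUNT_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised principal format: {name!r}")
    return m.group(1).lower()


def san_from_attributes(attrs):
    """Extract (type, value) pairs from a 'SAN:upn=a@b&dns=host' request attribute."""
    pairs = []
    for line in attrs.splitlines():
        line = line.strip()
        if line.lower().startswith("san:"):
            for item in line[4:].split("&"):
                kind, _, value = item.partition("=")
                if value:
                    pairs.append((kind.strip().lower(), value.strip()))
    return pairs


def flag_issuance(rec):
    """Return the reasons an issued certificate record looks like SAN abuse."""
    reasons = []
    requester = principal_account(rec["requester"])
    upns = list(rec.get("san_upn", []))

    attr_san = san_from_attributes(rec.get("request_attributes", ""))
    if attr_san:
        # Only honoured when EDITF_ATTRIBUTESUBJECTALTNAME2 is set on the CA (ESC6)
        reasons.append("SAN supplied as a request attribute (ESC6 indicator)")
        upns += [v for k, v in attr_san if k == "upn"]

    for upn in upns:
        target = principal_account(upn)
        if target != requester:
            reasons.append(f"SAN UPN {upn} does not match requester {rec['requester']}")
            if target in PRIVILEGED:
                reasons.append(f"SAN UPN targets privileged account {target}")
    return reasons


def hunt(records):
    """Map request ID -> reasons for every record that raised at least one."""
    return {r["request_id"]: why for r in records if (why := flag_issuance(r))}


SAMPLE_RECORDS = [   # constructed
    {"request_id": 1041, "requester": "CORP\\jdoe", "template": "User",
     "san_upn": ["jdoe@corp.local"],
     "request_attributes": "CertificateTemplate:User"},
    {"request_id": 1042, "requester": "CORP\\jdoe", "template": "VulnWebServer",
     "san_upn": ["administrator@corp.local"],          # ESC1: UPN chosen in the CSR
     "request_attributes": "CertificateTemplate:VulnWebServer"},
    {"request_id": 1043, "requester": "CORP\\jdoe", "template": "User",
     "san_upn": ["jdoe@corp.local"],
     "request_attributes": "CertificateTemplate:User\nSAN:upn=administrator@corp.local"},
    {"request_id": 1044, "requester": "CORP\\WS01$", "template": "Machine",
     "san_upn": [],
     "request_attributes": "CertificateTemplate:Machine"},
]

if __name__ == "__main__":
    for rid, why in hunt(SAMPLE_RECORDS).items():
        print(rid, "->", "; ".join(why))
```

Request 1043 is the ESC6 shape: the template is the ordinary User template and the certificate's own SAN matches the requester, so only the request attributes reveal that a second UPN was asked for. Comparing requester against SAN is cheap and catches both paths; treat any hit where the SAN names a tier-0 account as an incident, not a ticket.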
ESC7: Vulnerable Certificate Authority Access Control
- Description:
The CA's own security descriptor grants two dangerous rights. ManageCA (CA administrator) allows changing the CA configuration, for instance enabling EDITF_ATTRIBUTESUBJECTALTNAME2 (effective after a service restart), enabling the SubCA template, or granting oneself ManageCertificates. ManageCertificates (certificate manager) allows issuing pending or failed requests, which is enough on its own: request a certificate with an arbitrary SAN from the SubCA template (the request is denied because the user cannot enroll, but it stays in the CA database), issue that request with ICertAdmin::ResubmitRequest, and retrieve the resulting no-EKU certificate.
- References:
ESC8: NTLM Relay to AD CS HTTP Endpoints
- Description:
The web enrollment interface (/certsrv) and the Certificate Enrollment Web Service accept NTLM over HTTP, often without Extended Protection for Authentication or TLS. An attacker coerces a domain controller into authenticating (PetitPotam, PrinterBug) and relays that NTLM session to the endpoint to enroll in the Machine or DomainController template as the DC's computer account; the resulting certificate authenticates via PKINIT and is enough to run DCSync. Disabling NTLM on the endpoints, or requiring HTTPS with EPA, breaks the relay.
- References:
ESC9: No Security Extension (CT_FLAG_NO_SECURITY_EXTENSION)
- Description:
After KB5014754 the CA embeds the requester's objectSid in the szOID_NTDS_CA_SECURITY_EXT extension and domain controllers prefer it over the UPN when mapping a certificate to an account. A template with the CT_FLAG_NO_SECURITY_EXTENSION bit in msPKI-Enrollment-Flag omits that extension. If StrongCertificateBindingEnforcement is not yet 2 (full enforcement) and the attacker controls another account (GenericWrite over a user, or a machine account they created), they set that account's userPrincipalName to the target's (for example Administrator), enroll as the controlled account, restore the UPN, and authenticate as the target with the certificate.
- References:
ESC10: Weak Certificate Mappings
- Description:
Two registry values on the domain controllers decide how a certificate is mapped to an account. StrongCertificateBindingEnforcement = 0 under HKLM\SYSTEM\CurrentControlSet\Services\Kdc makes the KDC ignore the security extension, and a CertificateMappingMethods value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel that includes the UPN bit (0x4) makes Schannel map by UPN. In either case the UPN-swap trick from ESC9 works against any template with an authentication EKU; in the Schannel case the attacker can even take over a domain controller's machine account by setting a controlled account's UPN to the form DC$@domain and authenticating over LDAPS.
- References:
ESC11: NTLM Relay to the ICPR RPC Interface
- Description:
The same relay idea as ESC8, but against the CA's MS-ICPR RPC interface. If the CA's InterfaceFlags lack IF_ENFORCEENCRYPTICERTREQUEST, the CA accepts requests from clients that do not negotiate RPC packet privacy, so a relayed NTLM authentication (impacket's ntlmrelayx supports an rpc:// target for this) can request a certificate over RPC, again typically as a coerced domain controller. Setting the flag, which refuses unencrypted ICPR requests, closes the path.
- References:
ESC12: Shell Access to a CA Using a YubiHSM
- Description:
When the CA's private key is kept in a YubiHSM, the key storage provider needs the HSM authentication key password, and that password is stored in cleartext in the registry under HKLM\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword. Anyone with a shell on the CA host can read it, open the key through the provider and sign arbitrary certificates with the CA key, so the HSM adds no protection beyond the security of the CA host itself.
- References:
ESC13: Issuance Policy Linked to a Group (OID Group Link)
- Description:
A template's msPKI-Certificate-Policy attribute can reference an issuance policy OID object under CN=OID,CN=Public Key Services. If that OID object's msDS-OIDToGroupLink attribute points to a group (the feature behind authentication mechanism assurance, intended for universal groups with no members), the domain controller adds that group's SID to the Kerberos ticket of any principal that authenticates with a certificate carrying the policy. Being able to enroll in such a template is therefore an indirect membership in the linked group, which may be a tier-0 administrative group.
- References:
ESC14: Weak Explicit Certificate Mapping (altSecurityIdentities)
- Description:
Explicit mappings in an account's altSecurityIdentities attribute bind specific certificates to that account. Write access to the attribute on a target (scenario A) lets an attacker map a certificate they already hold to the victim. Scenarios B to D cover mappings that are weak by construction, X509RDN, X509IssuerSubject and X509SubjectOnly, which match on names an attacker can reproduce in a certificate they obtain themselves (for example through a template that lets them supply the subject, or by changing a DN component of an account they control). X509IssuerSerialNumber, X509SKI and X509SHA1PublicKey are the strong forms and should be used instead.
- References: