ESC5 Vulnerable PKI Object Access Control
Typically exploited after gaining local admin access to the CA server, although the underlying weakness is any overly permissive ACL on the PKI-related objects themselves. From the SpecterOps "Certified Pre-Owned" whitepaper:
a number of objects outside of certificate templates and the certificate authority itself can have a security impact on the entire AD CS system.
These possibilities include (but are not limited to):
- CA server’s AD computer object (i.e., compromise through RBCD)
- The CA server’s RPC/DCOM server
- Any descendant AD object or container in the container **CN=Public Key Services,CN=Services,CN=Configuration,DC=<COMPANY>,DC=<COM>** (e.g., the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, the Enrollment Services container, etc.)
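The practical check for ESC5 is to walk every object under CN=Public Key Services and look for non-administrative principals holding write-type rights. The script below is an added example, not code from the original page or from SpecterOps; it assumes RSAT's ActiveDirectory module (which provides the AD: drive) and an allowlist of privileged principals that you should adjust for your own forest.

```powershell
# Added example: enumerate ACEs on every object under CN=Public Key Services that
# grant write-type rights to principals outside an allowlist. Any domain user can
# run this read-only audit; only the ActiveDirectory module (RSAT) is required.
Import-Module ActiveDirectory

# Principals expected to hold write rights over PKI objects. This list is an
# assumption for illustration, not an authoritative baseline for every forest.
$AllowedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'Domain Admins',
    'Enterprise Admins'
)

# Rights that let the holder rewrite the object, its ACL or its owner, and therefore
# tamper with templates, CA objects, Enrollment Services or NTAuthCertificates.
$DangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"

$findings = foreach ($obj in Get-ADObject -SearchBase $pkiRoot -SearchScope Subtree -Filter *) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $DangerousRights) { continue }
        $who = $ace.IdentityReference.Value
        # Accept allowlist entries written either as "DOMAIN\Name" or as a bare name.
        if ($AllowedPrincipals | Where-Object { $who -eq $_ -or $who -like "*\$_" }) { continue }
        [pscustomobject]@{
            Object     = $obj.DistinguishedName
            Principal  = $who
            Rights     = $ace.ActiveDirectoryRights
            # Non-empty ObjectType means the ACE is scoped to one attribute or
            # extended right; inspect that GUID before calling it a finding.
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Object | Format-Table -AutoSize
```

Treat WriteProperty hits with a non-empty ObjectType as leads rather than confirmed findings: a principal allowed to write a single harmless attribute is not the same as one that can rewrite a template's enrollment flags. Anything flagged with GenericAll, WriteDacl or WriteOwner on a template, CA object, Enrollment Services entry or NTAuthCertificates is a direct path to ESC5.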
Configuration
To be vulnerable to ESC5, we have the following requirements:
- Certificate Authority server joined to the domain
- Local admin access on the CA server
- A low-privileged domain user account
With local admin on the CA server, the attacker can export the CA certificate and its private key (for example with certutil or Backup-CARoleService, or by decrypting it through DPAPI) and use them to forge a "Golden Certificate" for any principal, such as a Domain Admin. Because the CA never processes a request for the forged certificate, it has no entry in the CA's issued-certificate database and cannot be found or revoked there. Authenticating with the forged certificate over PKINIT yields a TGT for the chosen account, and the U2U exchange performed during that authentication additionally returns the account's NT hash. Note that the Certified Pre-Owned paper files this forging step under domain persistence (DPERSIST1) rather than ESC5 itself; ESC5 is the access-control weakness that lets the attacker reach the CA server or the PKI objects in the first place.