Enterprise Security Certificate Attacks
An Enterprise Security Certificate (ESC) attack exploits misconfigured certificate templates in Active Directory Certificate Services (AD CS) to grant attackers additional privileges.
Attackers first locate the AD CS infrastructure and the CA server, then enumerate vulnerable templates: those with weak security descriptors, those that allow low-privileged users to enrol for high-privilege certificates, and those that issue certificates without subject name constraints.
Attackers may look for misconfigured templates such as:
- Templates with weak or non-restrictive ACLs.
- Templates allowing Client Authentication or enrolment for low-privileged users.
- Templates that allow certificates to be issued without subject name constraints.
This enumeration can be performed using built-in tooling such as certutil.exe, or external tooling such as Certipy or Certify.
Certificate templates are predefined configurations that define the settings and constraints for certificates issued by a CA. They allow administrators to standardise and automate the issuance of certificates across the enterprise by specifying the key properties, permissions, and usage scenarios for each certificate type.
Attack Scenarios
- ESC1 - Certificate Template Vulnerability Abuse
- ESC2 - Misconfigured Certificate Templates
- ESC3 - Enrolment Agent Templates
- ESC4 - Vulnerable Certificate Template Access Control
- ESC5 - Vulnerable PKI Object Access Control
- ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
- ESC7 - Vulnerable Certificate Authority Access Control
- ESC8 - NTLM Relay to AD CS HTTP Endpoints
Further scenarios have been documented; this list will be updated.
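As an added example (not code from this page, certutil, Certipy or Certify), the following Python audit checks template attributes for the ESC1 to ESC3 preconditions listed above from a defender's side. It assumes the attributes have already been read from the template objects under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,<forest DN>; the `lowPrivilegedEnroll` field is a constructed stand-in for evaluating the template's nTSecurityDescriptor, and the sample records are constructed.

```python
# Documented flag bits and EKU OIDs used by AD CS certificate templates.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH, EKU_ANY_PURPOSE}


def audit_template(t: dict) -> list:
    """Return the ESC findings (ESC1/ESC2/ESC3) that apply to one template's attributes."""
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    supplies_subject = bool(t.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    needs_approval = bool(t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)
    needs_ra_signature = t.get("msPKI-RA-Signature", 0) > 0
    # All three cases require that a low-privileged principal can enrol and that
    # issuance is not gated by manager approval or an authorised signature.
    # "lowPrivilegedEnroll" is a constructed field standing in for ACL evaluation.
    if not t.get("lowPrivilegedEnroll", False) or needs_approval or needs_ra_signature:
        return []
    findings = []
    if supplies_subject and ekus & AUTH_EKUS:
        findings.append("ESC1")  # requester picks the subject of an authentication-capable cert
    if not ekus or EKU_ANY_PURPOSE in ekus:
        findings.append("ESC2")  # no EKU restriction, or Any Purpose
    if EKU_CERT_REQUEST_AGENT in ekus:
        findings.append("ESC3")  # enrolment agent template
    return findings


def audit_all(templates: dict) -> dict:
    """Map template name -> findings, omitting templates with no finding."""
    result = {}
    for name, attrs in templates.items():
        findings = audit_template(attrs)
        if findings:
            result[name] = findings
    return result


# Constructed sample records shaped like the LDAP attributes (not real data).
SAMPLE_TEMPLATES = {
    "ConstructedWebServer": {"pKIExtendedKeyUsage": [EKU_CLIENT_AUTH, "1.3.6.1.5.5.7.3.1"],
                             "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
                             "msPKI-RA-Signature": 0, "lowPrivilegedEnroll": True},
    "ConstructedUserLike": {"pKIExtendedKeyUsage": [EKU_CLIENT_AUTH], "msPKI-Certificate-Name-Flag": 0xA6000000,
                            "msPKI-Enrollment-Flag": 0x29, "msPKI-RA-Signature": 0, "lowPrivilegedEnroll": True},
    "ConstructedAnyPurpose": {"pKIExtendedKeyUsage": [EKU_ANY_PURPOSE], "msPKI-Certificate-Name-Flag": 0xA6000000,
                              "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "lowPrivilegedEnroll": True},
    "ConstructedAgentApproved": {"pKIExtendedKeyUsage": [EKU_CERT_REQUEST_AGENT], "msPKI-Certificate-Name-Flag": 0xA6000000,
                                 "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 0, "lowPrivilegedEnroll": True},
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
```

Templates reported here are candidates for review: remove the enrollee-supplies-subject flag or the authentication EKU, require manager approval, or tighten the enrol ACL, then re-run the audit.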