Detecting ESC7 and ESC16 Misconfigurations in Active Directory Certificate Services with Locksmith


Source: GitHub – jakehildreth/Locksmith

Active Directory Certificate Services (AD CS) is a critical component in enterprise environments, but misconfigurations can lead to severe security risks such as ESC7 (vulnerable CA access control: ManageCA or ManageCertificates rights held by low-privileged principals) and the more recently documented ESC16 (the szOID_NTDS_CA_SECURITY_EXT security extension disabled globally on a CA). Jake Hildreth's Locksmith tool now includes detections for both.

You Should Know:

1. Understanding ESC7 & ESC16 Risks

  • ESC7 is about the CA's own permissions, not a template's. A principal with ManageCA can change CA settings (for example publish the built-in SubCA template, which issues certificates with a requester-supplied subject), and with ManageCertificates can approve or issue a pending or failed request. Chained together, these rights let an attacker obtain a certificate the CA would otherwise deny, such as one usable to authenticate as a domain admin.
  • ESC16 means the CA has the SID security extension (OID 1.3.6.1.4.1.311.25.2) in its DisableExtensionList, so every certificate it issues lacks the extension that domain controllers use for strong certificate mapping. Unless DCs are in full enforcement mode, authentication falls back to weak UPN/DNS mapping, which enables ESC6/ESC9-style impersonation of other accounts. NTLM relay against HTTP enrollment endpoints is a different issue (ESC8).

2. Install Locksmith for Detection

Install the module from the PowerShell Gallery and run the scans you want (omit -Scans to run every check; Get-Help Invoke-Locksmith -Full lists the parameters of the version you installed):

Install-Module -Name Locksmith -Scope CurrentUser 
Invoke-Locksmith -Scans ESC7,ESC16 

Alternatively, clone the repository and import the module manifest from its root:

git clone https://github.com/jakehildreth/Locksmith.git 
cd Locksmith 
Import-Module .\Locksmith.psd1 
Invoke-Locksmith -Scans ESC7,ESC16 

3. Manual Detection Commands (PowerShell)

Check whether the SubCA template is published on any CA, the first step of the usual ESC7 abuse chain (the CA's DACL itself, where ESC7 actually lives, is then inspected with certutil -config "host\CA" -getreg CA\Security and reviewed for ManageCA / ManageCertificates holders outside the PKI admin group):

$cfg = (Get-ADRootDSE).ConfigurationNamingContext 
Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName,certificateTemplates | 
    Select-Object Name, dNSHostName, @{ n = 'SubCAPublished'; e = { $_.certificateTemplates -contains 'SubCA' } } 

Check every CA for the globally disabled security extension (ESC16): the OID 1.3.6.1.4.1.311.25.2 must not appear in the policy module's DisableExtensionList:

Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties dNSHostName | 
    ForEach-Object { certutil -config "$($_.dNSHostName)\$($_.Name)" -getreg policy\DisableExtensionList } 
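
The two registry values behind these checks can also be read and evaluated directly, without parsing certutil's text output. The PowerShell below is an added example written for this page, not Locksmith's code: the registry locations and the CA access-mask bits are the documented AD CS ones, while the CA name corp-CA, the admin allow-list and the sample security descriptor at the end are assumptions constructed so the checks can be exercised on any Windows machine.

```powershell
# Added example (not Locksmith's code, not from the original page).
# Reads the CA 'Security' descriptor and the policy module's DisableExtensionList
# and evaluates them for ESC7 and ESC16. Registry paths and mask bits are the
# documented AD CS values; sample data at the bottom is constructed.

$CA_ACCESS_ADMIN   = 0x1                      # ManageCA           (certca.h CA_ACCESS_ADMIN)
$CA_ACCESS_OFFICER = 0x2                      # ManageCertificates (certca.h CA_ACCESS_OFFICER)
$SID_EXT_OID       = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT

function Get-CaRegistryValues {
    # Run on the CA host (or inside Invoke-Command -ComputerName <CA>).
    # $CaName is the CA's common name, e.g. 'corp-CA' (assumed name).
    param([Parameter(Mandatory)][string]$CaName)
    $base   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    $policy = "$base\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $ext    = (Get-ItemProperty -Path $policy -Name DisableExtensionList -ErrorAction SilentlyContinue).DisableExtensionList
    [pscustomobject]@{
        Security             = [byte[]](Get-ItemProperty -Path $base -Name Security).Security
        DisableExtensionList = [string[]]$ext
    }
}

function Test-Esc7 {
    # ESC7: any AccessAllowed ACE granting ManageCA or ManageCertificates to a SID
    # outside $ExpectedAdmins. Default allow-list is BUILTIN\Administrators only
    # (assumption: replace with your PKI admin group's SID).
    param(
        [Parameter(Mandatory)][byte[]]$SecurityBinary,
        [string[]]$ExpectedAdmins = @('S-1-5-32-544')
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($SecurityBinary, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $rights = @()
        if ($ace.AccessMask -band $CA_ACCESS_ADMIN)   { $rights += 'ManageCA' }
        if ($ace.AccessMask -band $CA_ACCESS_OFFICER) { $rights += 'ManageCertificates' }
        if (-not $rights) { continue }                  # Read/Enroll-only ACEs are not ESC7
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $finding = if ($ExpectedAdmins -contains $sid.Value) { 'OK' } else { 'ESC7' }
        [pscustomobject]@{ Finding = $finding; Principal = $name; Rights = ($rights -join ',') }
    }
}

function Test-Esc16 {
    # ESC16: the SID extension is globally disabled when its OID is in DisableExtensionList.
    param([string[]]$DisableExtensionList)
    $finding = if ($DisableExtensionList -contains $SID_EXT_OID) { 'ESC16' } else { 'OK' }
    [pscustomobject]@{ Finding = $finding; DisableExtensionList = ($DisableExtensionList -join '; ') }
}

# --- Constructed sample data (not taken from any real CA) ---
# BUILTIN\Administrators hold 0x3 (ManageCA+ManageCertificates, expected);
# a fictitious Domain Users group (RID 513) also holds 0x3 (the ESC7 condition);
# Authenticated Users hold 0x300 (Read+Enroll, normal). Parsing SDDL needs Windows.
$sampleSddl = 'O:BAG:BAD:(A;;0x3;;;BA)(A;;0x3;;;S-1-5-21-1-2-3-513)(A;;0x300;;;AU)'
$sampleSd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sampleSddl)
$sampleSec  = New-Object byte[] $sampleSd.BinaryLength
$sampleSd.GetBinaryForm($sampleSec, 0)

Test-Esc7  -SecurityBinary $sampleSec            | Format-Table -AutoSize   # Domain Users row -> ESC7
Test-Esc16 -DisableExtensionList @($SID_EXT_OID) | Format-Table -AutoSize   # -> ESC16

# Live use on the CA host (assumed CA name):
# $v = Get-CaRegistryValues -CaName 'corp-CA'
# Test-Esc7 -SecurityBinary $v.Security
# Test-Esc16 -DisableExtensionList $v.DisableExtensionList
```

The allow-list is compared by SID rather than by name so that an ACE for a renamed or unresolvable principal is still reported; translation to an account name is best-effort only.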

4. Mitigation Steps

  • For ESC7: remove ManageCA and ManageCertificates from every principal that is not a PKI administrator (CA console > Properties > Security, or by rewriting the CA's Security value), and unpublish the SubCA template unless you really issue subordinate CA certificates from that CA.
  • For ESC16: remove 1.3.6.1.4.1.311.25.2 from the policy module's DisableExtensionList and restart CertSvc so newly issued certificates carry the SID extension again; then reissue certificates that were issued while it was disabled. SMB signing and relay hardening do not address ESC16 (they belong to ESC8).
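
A worked remediation for both findings on the CA host, as an added example rather than anything from the page or from Locksmith. The registry locations are the documented ones; the CA name corp-CA and the offending principal CORP\Domain Users are assumptions. Rehearse it in a lab first and keep the registry export it starts with.

```powershell
# Added example (not from the original page or from Locksmith): fix ESC16 and ESC7
# by editing the CA's configuration key. Assumes a CA named 'corp-CA' and that
# 'CORP\Domain Users' is the principal wrongly holding ManageCA/ManageCertificates.

$CaName    = 'corp-CA'              # assumed
$BadAcct   = 'CORP\Domain Users'    # assumed
$SidExtOid = '1.3.6.1.4.1.311.25.2' # szOID_NTDS_CA_SECURITY_EXT
$base      = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$policy    = "$base\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

# 0. Back up the whole CA configuration key before touching it.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" "$env:TEMP\certsvc-config-backup.reg" /y

# 1. ESC16: drop the SID extension OID from DisableExtensionList.
$current = (Get-ItemProperty -Path $policy -Name DisableExtensionList -ErrorAction SilentlyContinue).DisableExtensionList
$fixed   = [string[]]@($current | Where-Object { $_ -ne $SidExtOid })
Set-ItemProperty -Path $policy -Name DisableExtensionList -Value $fixed -Type MultiString

# 2. ESC7: rewrite the CA DACL without the ACEs that grant ManageCA (0x1) or
#    ManageCertificates (0x2) to the unexpected principal.
$bytes = [byte[]](Get-ItemProperty -Path $base -Name Security).Security
$sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
$bad   = ([System.Security.Principal.NTAccount]$BadAcct).Translate([System.Security.Principal.SecurityIdentifier])
for ($i = $sd.DiscretionaryAcl.Count - 1; $i -ge 0; $i--) {      # iterate backwards so removal keeps indexes valid
    $ace = $sd.DiscretionaryAcl[$i]
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $ace.SecurityIdentifier -eq $bad -and
        ($ace.AccessMask -band 0x3)) {
        $sd.DiscretionaryAcl.RemoveAce($i)
    }
}
$newBytes = New-Object byte[] $sd.BinaryLength
$sd.GetBinaryForm($newBytes, 0)
Set-ItemProperty -Path $base -Name Security -Value $newBytes -Type Binary

# 3. CertSvc reads both values at start-up.
Restart-Service CertSvc
```

Removing only the ACEs with bits 0x1 or 0x2 set leaves any separate Read/Enroll ACE for the same group in place, so ordinary enrollment keeps working while the management rights go away.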

5. Verify Fixes

Re-run Locksmith (Invoke-Locksmith -Scans ESC7,ESC16) or repeat the manual queries above. certutil can also confirm that a CA no longer publishes the SubCA template (empty output means it is not published; certutil -template alone lists every template defined in AD, so it would always show SubCA):

certutil -config "host\CA" -CATemplates | findstr /i "SubCA" 

What Undercode Says:

AD CS misconfigurations are a goldmine for attackers. Tools like Locksmith automate detection, but manual verification remains crucial. Always:
– Audit certificate templates (certutil -v -template) and which of them each CA publishes (certutil -config "host\CA" -CATemplates).
– Monitor CA audit events in the CA's Security log (they require the Certification Services audit subcategory plus certutil -setreg CA\AuditFilter 127): 4882 (CA permissions changed), 4886/4887 (request received / issued), 4889 (request set to pending) and 4891 (CA configuration entry changed, which an ESC16 change produces). The Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational log is the client-side enrollment log and does not record CA activity.
  Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4886, 4887, 4889, 4891 } -MaxEvents 50 
– Enforce least privilege on enrollment rights and on the CA's ManageCA / ManageCertificates rights.

For advanced hardening, consider removing the HTTP enrollment surface if nothing uses it (that surface is the ESC8 relay target rather than an ESC16 factor). On the CA host:

 Disable web enrollment (PowerShell on the CA) 
Uninstall-WindowsFeature ADCS-Web-Enrollment 

If the /certsrv pages must stay, publish them over HTTPS only and enable Extended Protection for Authentication on the IIS site, as Microsoft recommends against relay.

Expected Output:

  • CAs that publish the SubCA template, and CA DACL entries granting ManageCA / ManageCertificates outside the PKI admin group (ESC7).
  • CAs whose DisableExtensionList contains 1.3.6.1.4.1.311.25.2 (ESC16).
  • Mitigation status confirmation.

Prediction:

As AD CS attacks gain traction, expect more offensive tooling built around ESC7 and ESC16. Proactive detection and hardening will remain critical.

