The AD CS ESC1 Vulnerability: How a Single Misconfiguration Can Lead to Full Domain Compromise

Listen to this Post

Featured Image

Introduction:

Active Directory Certificate Services (AD CS) is a critical component for managing Public Key Infrastructure (PKI) in Windows environments. However, a specific misconfiguration known as ESC1 can transform this security backbone into a weapon for attackers. This vulnerability allows a standard domain user to request a certificate with domain administrator privileges, enabling a swift and stealthy path to total domain control.

Learning Objectives:

  • Understand the core components and misconfigurations that enable the ESC1 attack vector.
  • Learn to identify vulnerable AD CS certificate templates through reconnaissance techniques.
  • Master the exploitation process and implement definitive mitigation strategies to secure your environment.

You Should Know:

1. Reconnaissance with Certify

The first step is identifying certificate templates vulnerable to ESC1. These templates typically have the `ENROLLEE_SUPPLIES_SUBJECT` flag enabled and allow for client authentication.

`Certify.exe find /vulnerable`

Step-by-step guide:

  1. Download and compile the Certify tool from the GhostPack GitHub repository.
  2. Execute the command from a command prompt on a domain-joined machine with any valid domain user credentials.
  3. The tool will query the AD CS environment and list all certificate templates. Look for templates where the `ENROLLEE_SUPPLIES_SUBJECT` flag is present and that permit client authentication. This combination is the hallmark of an ESC1-vulnerable template.

2. Enumerating with PowerShell and LDAP

For environments where deploying third-party tools is not immediately possible, you can use native PowerShell to query Active Directory.

`Get-ADObject -LDAPFilter “(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(mspki-ra-signature=0)(|(mspki-certificate-name-flag=1)(mspki-certificate-name-flag=3)(mspki-certificate-name-flag=5)(mspki-certificate-name-flag=7)))” -SearchBase “CN=Configuration,DC=yourdomain,DC=com” -Properties Name, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-Cert-Template-OID, pkiextendedkeyusage`

Step-by-step guide:

  1. Open a PowerShell window with a domain user account.
  2. Modify the `-SearchBase` parameter to match your domain’s Distinguished Name (e.g., DC=corp,DC=local).
  3. Execute the command. It filters for templates where the enrollee can supply the subject (msPKI-RA-Signature=0) and the template does not require manager approval (!(mspki-enrollment-flag...:=2)). The results will show the vulnerable template names.

3. Exploitation: Requesting a Domain Admin Certificate

Once a vulnerable template (e.g., “UserTemplate”) is identified, use Certify to request a certificate, specifying a Domain Admin as the Alternative Name.

`Certify.exe request /ca:CA-SERVER\CA-NAME /template:UserTemplate /altname:DomainAdmin`

Step-by-step guide:

  1. From your compromised host, run Certify with the `request` verb.
  2. Specify the Certificate Authority (CA) server and its name with the `/ca:` flag. This information is often found in the initial `find` command’s output.
  3. Identify the vulnerable template name for the `/template:` parameter.
  4. Use the `/altname:` parameter to specify the username of a domain administrator. The tool will contact the CA and request a certificate for this privileged identity.

4. Converting the Certificate for Use

The certificate is often returned in a base64 format. You must convert it to a PFX file that can be used with tools like Rubeus.

`openssl pkcs12 -in certificate.b64 -out certificate.pfx -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`

Step-by-step guide:

  1. Copy the base64 certificate block (including `–BEGIN CERTIFICATE–` and --END CERTIFICATE--) from the Certify output and save it to a file (e.g., certificate.b64).
  2. Use OpenSSL to convert the file. The specified encryption algorithms ensure compatibility with common offensive security tools.
  3. You will be prompted to create an export password for the PFX file. Remember this password for the next step.

5. Authenticating with the Forged Certificate

With the PFX file, you can now perform Kerberos authentication as the Domain Admin. The Rubeus tool is perfect for this.

`Rubeus.exe asktgt /user:DomainAdmin /certificate:certificate.pfx /password:ThePasswordYouSet /ptt`

Step-by-step guide:

  1. Ensure Rubeus and your newly created `certificate.pfx` are in the same directory or provide the full path.
  2. Execute the command, providing the Domain Admin username, the path to the PFX file, and the password you set during conversion.
  3. The `/ptt` flag is critical; it stands for “Pass the Ticket” and will inject the resulting Kerberos Ticket-Granting-Ticket (TGT) directly into your current session’s memory. You now have a Domain Admin token.

6. Mitigation: Modifying Vulnerable Templates

The primary mitigation is to correct the misconfigurations in the certificate template. This is done through the AD CS management console.

`certsrv.msc`

Step-by-step guide:

1. Open the Certificate Authority management console (`certsrv.msc`).

2. Navigate to “Certificate Templates.”

3. Right-click the vulnerable template and select “Properties.”

  1. Go to the “Subject Name” tab and ensure “Supply in the request” is deselected. Instead, “Build from this Active Directory information” should be selected.
  2. On the “Security” tab, review and tighten enrollment permissions. No standard user should be able to enroll in a template that grants high privileges.

7. Mitigation: Enforcing Manager Approval

For templates that genuinely require flexible subject names, adding an additional layer of approval can prevent automatic exploitation.

Step-by-step guide:

  1. Within the “Issuance Requirements” tab of the certificate template’s properties, check the box for “CA certificate manager approval.”
  2. This forces a manual approval step for every certificate request made against this template, effectively neutralizing automated ESC1 exploitation.
  3. This should be considered a compensating control, as fixing the subject name configuration is the more robust solution.

What Undercode Say:

  • Pervasive and Critical: The ESC1 vulnerability is not an obscure edge case; it is a common finding in enterprise environments due to complex PKI deployment requirements and a historical lack of secure defaults. Its impact is as severe as it gets—direct domain compromise.
  • Stealth is its Superpower: Unlike noisy Kerberos attacks that may generate “Kerberos Golden Ticket” alerts, ESC1 exploitation can be incredibly stealthy. It involves legitimate certificate enrollment requests and results in a valid, short-lived certificate, making it difficult for traditional security tools to detect the malicious intent.

The analysis from the field confirms that this attack vector is a favorite among advanced threat actors during the lateral movement phase. Incident response cases frequently show attackers transitioning from a low-privilege initial compromise to domain admin within minutes using this technique. The reliance on a legitimate, core Windows service makes it a trusted path for attackers. Defenders must shift their mindset to include PKI hygiene as a top priority in their Active Directory security program, treating certificate templates with the same level of scrutiny as Group Policy Objects and user permissions.

Prediction:

The prevalence and power of AD CS vulnerabilities like ESC1 will cement them as a primary tool in the cybercriminal arsenal for the foreseeable future. As defenses improve against more traditional credential dumping and Pass-the-Hash attacks, adversaries will increasingly pivot to these certificate-based attacks, which offer a higher success rate and lower detection probability. We predict a surge in offensive tooling that automates the discovery and exploitation of not just ESC1, but the entire spectrum of AD CS weaknesses, making comprehensive PKI hardening an absolute necessity for any organization relying on Active Directory.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky