ESC11: Vulnerable Certificate Issuance Policy
ESC11 exploits misconfigured certificate issuance policies, allowing attackers to obtain certificates that should be restricted, potentially leading to unauthorized access or privilege escalation.
ESC11 targets misconfigured certificate issuance policies in AD CS. When these policies are not properly set or enforced, attackers can request and obtain certificates that should be restricted to specific users or groups. This can lead to unauthorized access to sensitive resources or even privilege escalation within the domain.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Issuance of certificates with elevated privileges
- Bypass of intended security controls
- Potential for lateral movement and privilege escalation
- Undermining of the entire certificate-based security model
- Identify vulnerabilities in certificate issuance policies
- Request certificates that should be restricted
- Use obtained certificates for unauthorized access or privilege escalation
- Exploit weak policy enforcement to obtain high-privilege certificates
When conducting AD CS penetration testing, consider the following aspects specific to ESC11: Vulnerable Certificate Issuance Policy:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate certificate templates and their issuance policies
certutil -v -template | findstr /i "msPKI-Certificate-Name-Flag" | findstr /i "ENROLLEE_SUPPLIES_SUBJECT"Get-CertificateTemplate | Where-Object {$_.CertificateNameFlag -band 1} | Select-Object Name, CertificateNameFlagRequest a certificate using a vulnerable template
certreq -submit -attrib "CertificateTemplate:VulnerableTemplate" -attrib "SAN:[email protected]" request.infUse Certify to find and exploit vulnerable templates
.\Certify.exe find /vulnerable /template:*.\Certify.exe request /ca:dc.domain.com\CA-NAME /template:VulnerableTemplate /altname:administrator- Implement comprehensive logging for all certificate issuance activities
- Use security information and event management (SIEM) tools to monitor certificate requests
- Regularly audit certificate issuance logs for anomalies
- Implement alerting for unusual certificate issuance patterns
- Conduct periodic reviews of certificate issuance policies
- 4886: Certificate Services approved a certificate request
- 4887: Certificate Services denied a certificate request
- 4890: The certificate manager settings for Certificate Services changed
- 5136: A directory service object was modified (for monitoring policy changes)
To mitigate ESC11: Vulnerable Certificate Issuance Policy and enhance overall AD CS security, consider implementing the following measures:
- Implement and regularly review certificate issuance policies
- Use role-based access control for certificate requests
- Implement automated policy enforcement mechanisms
- Regularly audit certificate issuance logs
- Implement strong authentication for certificate requests
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
