ESC13: Vulnerable Key Archival Configuration

High

ESC13 exploits misconfigured key archival settings, potentially allowing unauthorized access to archived private keys, leading to decryption of sensitive data or impersonation attacks.

Diagram illustrating ESC13 attack vector with vulnerable key archival configuration
ADCS Security Tools - Special Offer
Attack Details

ESC13 targets vulnerabilities in the key archival configuration of AD CS. When key archival is not properly secured, attackers may gain access to archived private keys. This can lead to the decryption of sensitive historical data or allow attackers to impersonate legitimate users by renewing their certificates.

Learn more about AD CS defense strategies to protect against this and other attacks.

Impact
  • Unauthorized access to archived private keys
  • Potential decryption of historical encrypted communications
  • Identity impersonation and unauthorized certificate renewal
  • Compromise of long-term data confidentiality
Exploitation Steps
  1. Identify vulnerabilities in key archival configurations
  2. Gain unauthorized access to key archival systems
  3. Extract archived private keys
  4. Use extracted keys for decryption or certificate renewal attacks
Penetration Testing Considerations

When conducting AD CS penetration testing, consider the following aspects specific to ESC13: Vulnerable Key Archival Configuration:

  • Identify vulnerable certificate templates and misconfigurations
  • Assess the potential impact on the overall AD CS security
  • Evaluate the effectiveness of existing security controls
  • Test for the ability to exploit this vulnerability in the target environment
  • Document findings and provide actionable remediation steps
Command Examples

Check if key archival is enabled on the CA

certutil -config "CA_SERVER\CA_NAME" -getreg CA\DoNotStoreEncryptedKeysOnDisk

List Key Recovery Agents

certutil -config "CA_SERVER\CA_NAME" -getreg CA\KeyRecoveryAgents

Request a certificate with archived keys

certreq -submit -attrib "CertificateTemplate:UserWithArchivedKey" request.inf

Attempt to recover an archived key (requires appropriate permissions)

certutil -config "CA_SERVER\CA_NAME" -getkey <serial_number> keyfile.pvk
Detection
  • Implement comprehensive logging for all key archival operations
  • Monitor access attempts to key archival systems
  • Regularly audit key recovery and usage logs
  • Implement alerting for unusual key recovery or usage patterns
  • Conduct periodic security assessments of key archival infrastructure
Event IDs
  • 4884: Certificate Services retrieved an archived key
  • 4887: Certificate Services denied a certificate request
  • 5136: A directory service object was modified (for monitoring key archival configuration changes)
Mitigation and AD CS Security Best Practices

To mitigate ESC13: Vulnerable Key Archival Configuration and enhance overall AD CS security, consider implementing the following measures:

  • Implement strong access controls for key archival systems
  • Use hardware security modules (HSMs) for key protection
  • Regular audit and rotation of archived keys
  • Implement strict key recovery procedures
  • Encrypt archived keys with strong, regularly rotated encryption keys
  • Regularly conduct AD CS penetration testing to identify and address vulnerabilities
  • Implement the principle of least privilege across your AD CS infrastructure
  • Maintain up-to-date documentation of your AD CS configuration and security policies
Sponsored Content
Advertisement

Related AD CS Attacks

Explore other attack vectors that target Active Directory Certificate Services:

Diagram illustrating ESC1 attack vector
ESC1: Misconfigured Certificate Templates
Critical
ESC1 exploits overly permissive enrollment rights in certificate templates, allowing low-privileged users to enroll in certificates that can be used for authentication, potentially leading to privilege escalation.
Diagram illustrating ESC4 attack vector with vulnerable certificate template access control
ESC4: Vulnerable Certificate Template Access Control
Critical
ESC4 exploits vulnerable access controls on certificate templates, allowing attackers to modify high-privileged templates and create malicious certificates for privilege escalation.
Diagram illustrating ESC6 attack vector with ADCS backup extraction
ESC6: ADCS Backup Extraction
Critical
ESC6 involves extracting and abusing ADCS backups to gain unauthorized access to the CA's private keys, potentially allowing an attacker to issue any certificate or decrypt intercepted communications.