ESC4: Vulnerable Certificate Template Access Control
ESC4 exploits vulnerable access controls on certificate templates, allowing attackers to modify high-privileged templates and create malicious certificates for privilege escalation.
ESC4 targets the access controls on certificate templates, particularly those used for high-privileged accounts. If an attacker can modify these templates, they can create certificates that grant elevated privileges, potentially leading to complete domain compromise.
Learn more about AD CS defense strategies to protect against this and other attacks.
- Unauthorized modification of certificate templates
- Creation of malicious high-privileged certificates
- Complete domain compromise
- Persistent backdoor access to the AD infrastructure
- Identify certificate templates with weak access controls
- Modify the template to enable dangerous settings (e.g., client authentication, enrollee supplies subject)
- Enroll in the modified template to obtain a high-privileged certificate
- Use the certificate for authentication and privilege escalation
When conducting AD CS penetration testing, consider the following aspects specific to ESC4: Vulnerable Certificate Template Access Control:
- Identify vulnerable certificate templates and misconfigurations
- Assess the potential impact on the overall AD CS security
- Evaluate the effectiveness of existing security controls
- Test for the ability to exploit this vulnerability in the target environment
- Document findings and provide actionable remediation steps
Enumerate Certificate Templates with Weak Access Controls
certutil -v -template | findstr /i "pKIExtendedKeyUsage" | findstr /i "1.3.6.1.5.5.7.3.2".\Certify.exe find /vulnerable /template:*Modify Certificate Template
dsacls "CN=VulnerableTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" /G "DOMAIN\User:WDAC;;FULL"Request Certificate Using Modified Template
certreq -submit -attrib "CertificateTemplate:VulnerableTemplate" request.inf.\Certify.exe request /ca:dc.domain.com\CA-NAME /template:VulnerableTemplate- Monitor and alert on changes to certificate templates, especially those used for privileged accounts
- Implement auditing for all certificate template modifications
- Regularly review access control lists (ACLs) on certificate templates
- Use automated tools to check for misconfigurations in template settings
- 5136: A directory service object was modified (for monitoring template changes)
- 4662: An operation was performed on an object (for monitoring template access)
- 4670: Permissions on an object were changed (for monitoring template permission changes)
To mitigate ESC4: Vulnerable Certificate Template Access Control and enhance overall AD CS security, consider implementing the following measures:
- Implement strict access controls on certificate templates
- Regular audit of template modifications
- Use of Protected Groups for high-privileged certificate templates
- Implement change management processes for template modifications
- Use security descriptors to limit who can enroll in sensitive templates
- Regularly conduct AD CS penetration testing to identify and address vulnerabilities
- Implement the principle of least privilege across your AD CS infrastructure
- Maintain up-to-date documentation of your AD CS configuration and security policies
Related AD CS Attacks
Explore other attack vectors that target Active Directory Certificate Services:
