Secure Bits

Let's continue our deep dive into ESC vulnerabilities…

Today we look at ESC2, another common, critical misconfiguration in Active Directory Certificate Services.

What is ESC2?

ESC2 is a common AD CS misconfiguration where a certificate template allows any domain user to request a certificate that:
- Can be used for authentication without a password, and
- May allow further abuse to escalate privileges, including to Domain Admin.

Here's when a template is vulnerable to ESC2:
- Regular users have enroll permissions
- Manager approval is disabled
- No authorized signature is required
- The Extended Key Usage (EKU) is set to Any Purpose or left blank

When the EKU is blank, the certificate behaves like a subordinate CA certificate, meaning it can be used to sign new certificates for any purpose.
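The four conditions above are exactly what an audit script has to test together. The following is an added example, not code from this post or from ADProbe, Locksmith or Certipy: it applies those conditions to template records shaped like the LDAP attributes of a pKICertificateTemplate object (msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage). The template names, the simplified "enrollers" set standing in for the template's security descriptor, and the LOW_PRIV_PRINCIPALS list are constructed assumptions for an offline run; the Any Purpose EKU OID and the manager-approval flag bit are the real values.

```python
# Added example (not from the post or from ADProbe/Locksmith/Certipy): an audit
# routine that applies the four ESC2 conditions to certificate template records.
# The records mirror LDAP attributes of pKICertificateTemplate objects, but the
# sample data at the bottom is constructed so the script runs offline.
from dataclasses import dataclass, field

ANY_PURPOSE_EKU = "2.5.29.37.0"          # "Any Purpose" EKU OID
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth, used only in the hardened sample
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002   # msPKI-Enrollment-Flag bit: manager approval required

# Principals that make "regular users have enroll permissions" true.
# A real audit resolves the template's security descriptor; this set is a simplified stand-in.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


@dataclass
class Template:
    name: str
    enrollment_flag: int                              # msPKI-Enrollment-Flag
    ra_signatures: int                                # msPKI-RA-Signature
    ekus: list[str] = field(default_factory=list)     # pKIExtendedKeyUsage ([] = blank)
    enrollers: set[str] = field(default_factory=set)  # principals holding Enroll (simplified ACL)


def esc2_findings(t: Template) -> list[str]:
    """Return which of the four ESC2 conditions hold for this template."""
    findings = []
    weak = t.enrollers & LOW_PRIV_PRINCIPALS
    if weak:
        findings.append("low-privileged principals can enroll: " + ", ".join(sorted(weak)))
    if not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS):
        findings.append("manager approval disabled")
    if t.ra_signatures == 0:
        findings.append("no authorized signature required")
    if not t.ekus:
        findings.append("EKU blank (certificate usable like a subordinate CA cert)")
    elif ANY_PURPOSE_EKU in t.ekus:
        findings.append("EKU includes Any Purpose")
    return findings


def is_esc2(t: Template) -> bool:
    """ESC2 needs all four conditions at once; fewer findings are hardening hints, not ESC2."""
    return len(esc2_findings(t)) == 4


def audit(templates: list[Template]) -> dict[str, list[str]]:
    """Map each ESC2-vulnerable template name to its findings."""
    return {t.name: esc2_findings(t) for t in templates if is_esc2(t)}


# Constructed sample templates (names and settings are made up for this example).
SAMPLE_TEMPLATES = [
    Template("AnyPurposeForAll", enrollment_flag=0, ra_signatures=0,
             ekus=[ANY_PURPOSE_EKU], enrollers={"Domain Users"}),
    Template("BlankEkuLegacy", enrollment_flag=0, ra_signatures=0,
             ekus=[], enrollers={"Authenticated Users", "PKI Admins"}),
    # Same EKU, but manager approval turned on: one condition fails, so not ESC2.
    Template("AnyPurposeApproved", enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS, ra_signatures=0,
             ekus=[ANY_PURPOSE_EKU], enrollers={"Domain Users"}),
    # Hardened: specific EKU and enrollment restricted to a PKI admin group.
    Template("UserClientAuth", enrollment_flag=0, ra_signatures=0,
             ekus=[CLIENT_AUTH_EKU], enrollers={"PKI Admins"}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_TEMPLATES).items():
        print(f"[ESC2] {name}")
        for finding in findings:
            print(f"    - {finding}")
```

Against a live forest the same logic runs over the pKICertificateTemplate objects under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration naming context, with the enrollers set built from the Enroll extended right in each template's security descriptor. Each finding maps to one fix: restrict Enroll to the group that actually needs the template, require manager approval or an authorized signature, and replace a blank or Any Purpose EKU with the specific purposes the template exists for.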
Important clarification:
These subordinate CA certs are not trusted for domain logon by default.
Domain controllers only accept certs from CAs listed in the NTAuth store.

But this doesn't make ESC2 safe:
Attackers can still use the cert to sign other certs, forge code signing or TLS certs, or abuse enrollment agent templates to request legitimate certificates for privileged accounts, which are trusted.
This is how ESC2 can lead to full privilege escalation, despite trust boundaries.

Why attackers love ESC2:
- Easy to find
- No need for admin rights to exploit
- Hard to detect: no password guessing, no alerts
- Certs are long-lived, enabling stealthy persistence

Want to test your environment?
Check out tools like:
- ADProbe (my security auditing tool)
- Locksmith by Jake Hildreth
- Certipy
- …

Did you know about ESC2's real risks and limitations?
Let me know if you've encountered this in the wild, or if you've mitigated it.
