Secure Bits 💡
Let's keep the ESC series going. Today we're diving into ESC4, a misconfiguration that's easy to overlook but critical to lock down.
If you missed ESC1, ESC2 or ESC3, scroll back and check them out. Each one highlights how attackers abuse AD CS to escalate privileges in ways that bypass traditional defenses.
ESC4 = Misconfigured Template ACLs
Think your certificate templates are locked down?
If you're not auditing ACLs on your templates, they might be wide open.
ESC4 allows attackers to edit certificate templates, giving them full control to:
▪️ Add dangerous EKUs (like Client Authentication or Certificate Request Agent)
▪️ Enable SAN field enrollment
▪️ Remove manager approval requirements
▪️ Change issuance permissions to include themselves
The result?
➡️ They turn a benign template into an ESC1, ESC2, or even ESC3 path, and issue certs that let them impersonate Domain Admins.
How does ESC4 happen?
Simple: someone misconfigured ACLs on a certificate template. This means the wrong users or groups have:
✅ Write or Full Control rights
✅ Ability to modify critical attributes (like EKUs, security settings, issuance policy)
Check your Certificate Templates manually through the console:
▪️ Only authorized PKI admins have write or full control.
▪️ No unexpected groups (like Authenticated Users, Domain Users, etc.) have unnecessary elevated rights.
Or you can use tools like:
🔹 ADProbe (my security auditing tool)
🔹 Locksmith by Jake Hildreth
🔹 Certipy
🔹 …
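As an added example (not code from this post, nor from ADProbe, Locksmith or Certipy), here is a PowerShell audit that walks every template in the Configuration partition and flags ACEs granting write-level rights to principals outside an allow-list. It assumes the RSAT ActiveDirectory module is installed, and the allow-listed principals are an assumption you should adjust to your environment.

```powershell
# Added example: flag certificate-template ACEs that enable ESC4.
# Assumes the RSAT ActiveDirectory module and read access to the
# Configuration naming context (any domain user normally has that).
Import-Module ActiveDirectory

# Principals expected to hold write/full control on templates.
# These names are assumptions for illustration; match them to your PKI admin model.
$AllowedPrincipals   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$AllowedGroupSuffixes = @('\Domain Admins', '\Enterprise Admins')

# Any of these rights lets the holder rewrite the template (EKUs, flags, or its own ACL).
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$cfgNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

# Pull every template with its security descriptor in one query.
$templates = Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties nTSecurityDescriptor

$findings = foreach ($t in $templates) {
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ([int]($ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }

        $who = $ace.IdentityReference.Value
        if ($AllowedPrincipals -contains $who) { continue }
        if ($AllowedGroupSuffixes | Where-Object { $who -like "*$_" }) { continue }

        [pscustomobject]@{
            Template  = $t.Name
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            # An all-zero ObjectType means WriteProperty covers every attribute,
            # not just one; that is the case to treat as full template control.
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'All properties' } else { $ace.ObjectType }
        }
    }
}

# Anything listed here is a candidate ESC4 path to review and remediate.
$findings | Sort-Object Template, Principal | Format-Table -AutoSize
```

Review each finding before removing an ACE: a property-scoped WriteProperty may be a legitimate delegation, whereas GenericAll, WriteDacl, WriteOwner or an all-properties write held by a broad group such as Authenticated Users or Domain Users is the ESC4 condition described above.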
ESC4 doesn't directly issue dangerous certificates. But it lets an attacker modify templates to create ESC1, ESC2, or ESC3 conditions. That makes it a silent enabler, and extremely dangerous.
💬 Did you ever check the ACLs on your cert templates?
