Abusing Active Directory Certificate Services

Introduction to ADCS

ADCS is made of these main components: CA: Certification Authority, an entity that issues and man...

Assess whether ADCS is installed

Check if ADCS installed Windows Presence of module ADCS: Get-WindowsFeature -Name ADCS-Cert-Auth...

ESC1

For this technique to work we need a certificate template with the following requirements: ENRO...

ESC2

This privilege escalation technique requires the following: Any Purpose EKU which allows the att...

ESC3

Unlike ESC1 and ESC2, this method requires two certificate templates with the following requireme...

ESC4

You can create misconfigurations even in templates that are not initially vulnerable. For example...

ESC5

Vulnerable PKI Object Access Control where the objects have the following requirements: The AD ...

ESC6

Note: ESC6 was patched in May 2022. ESC6 permits the inclusion of user-defined values in subject...

ESC7

Vulnerable Certificate Authority Access Control where 2 sets of permissions pose security risks:...

ESC8

Authentication coercion from a machine account where we relay the NTLM hash to AD CS to obtain a ...

ESC9

To exploit ESC9, ensure the StrongCertificateBindingEnforcement key is not set to 2 or includes t...

ESC10

Case 1 Reviewing registry keys as Administrator bob$ python3 reg.py minions.com/'Administrator':'...

ESC11

The vulnerability identified as ESC11 involves exploiting the modification of the IF_ENFORCEENCRY...

ESC12

ESC13

If a principal (user or computer) has enrollment rights on a certificate template configured with...

ESC14

If we are able to enroll certificates as someone else (user or computer), we can compromise a tar...

Resources

SpecterOps https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf ESC13...