ADCS ESC11 – Relaying NTLM to ICPR

ESC11 is a sophisticated attack targeting Active Directory Certificate Services (AD CS), exploiting vulnerabilities in RPC encryption enforcement and NTLM relay techniques. It enables attackers to escalate privileges within Active Directory by abusing certificate templates and relaying NTLM authentication. #ESC11 #ActiveDirectory #NTLMRelay #ADCS #Kerberos

Keypoints

  • ESC11 exploits vulnerabilities in RPC encryption enforcement and NTLM relay to target Active Directory Certificate Services.
  • Enabling RPC encryption enforcement on CAs creates a new attack surface exploited by ESC11.
  • The attack chain involves relaying NTLM authentication to obtain certificates for Domain Controllers.
  • Attackers can use stolen certificates to authenticate as Domain Controllers and escalate privileges.
  • Mitigation strategies include disabling vulnerable settings, restricting certificate template access, and monitoring RPC activity.

Read More: https://www.hackingarticles.in/adcs-esc11-relaying-ntlm-to-icpr/