This article discusses the AD CS ESC2 vulnerability, which allows low-privileged users to request certificates that can enable domain access without password knowledge, posing severe security risks.
Key points:
- ESC2 (Escalation Path 2) is a vulnerability in Active Directory Certificate Services permitting low-privileged users to request "Any Purpose" certificates.
- This vulnerability allows users to authenticate without requiring knowledge of passwords, bypassing traditional security measures.
- The attack is facilitated by misconfigured certificate templates that include dangerous Extended Key Usages (EKUs).
- ESC2 impacts even the most secure password configurations and multi-factor authentication systems.
- Any domain-joined user can exploit ESC2, because no administrative privileges are required.
- Certificates requested can have long lifespans, providing persistent access without triggering alerts.
- ESC2 poses a compound threat when used alongside other attacks such as NTLM relay, leading to full domain takeover.
- Correctly understanding the role certificates play in AD CS is vital, as they serve as powerful authentication tokens.
- Standard detection tools may not identify ESC2 due to silent certificate issuance processes.
- Mitigations include hardening certificate templates, restricting enrollment permissions, and monitoring certificate activity.
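The template-hardening and enrollment-restriction points above translate into a concrete audit. The following PowerShell script is an added example, not code from the original article or from Hacking Articles: it enumerates the certificate templates in the Configuration partition, flags those whose EKU list contains the Any Purpose OID (2.5.29.37.0) or is empty, checks whether each is actually published on a CA, and reports which broad principals hold the Certificate-Enrollment extended right or GenericAll on it. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context; the list of "broad" principals is a constructed choice you may want to tune.

```powershell
# Added audit example (not from the original article).
# Finds AD CS templates exposing the ESC2 condition and shows who can enroll in them.
Import-Module ActiveDirectory

$anyPurposeOid = '2.5.29.37.0'                           # Any Purpose EKU
$enrollRight   = [Guid]'0e10c968-78fb-11d1-a1c3-0000f80367c1'  # Certificate-Enrollment extended right
# Constructed list: principals that make a template reachable by essentially every domain account.
$broadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase       = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Templates that are not published on any CA cannot be requested, so record that separately.
$published = @(Get-ADObject -SearchBase $caBase -Filter { objectClass -eq 'pKIEnrollmentService' } `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates })

$templates = Get-ADObject -SearchBase $templateBase -Filter { objectClass -eq 'pKICertificateTemplate' } `
    -Properties pKIExtendedKeyUsage, nTSecurityDescriptor

foreach ($t in $templates) {
    $ekus = @($t.pKIExtendedKeyUsage)
    # ESC2 condition: Any Purpose EKU present, or no EKU at all (certificate usable like a sub-CA).
    $esc2Eku = ($ekus -contains $anyPurposeOid) -or ($ekus.Count -eq 0)
    if (-not $esc2Eku) { continue }

    # Principals allowed to enroll: the Enroll extended right (or all extended rights) or GenericAll.
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object {
            ($_.AccessControlType -eq 'Allow') -and (
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                 ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)) -or
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            )
        } |
        ForEach-Object { $_.IdentityReference.Value }

    # Strip the DOMAIN\ prefix and keep only the broad principals.
    $broad = $enrollers |
        Where-Object { $broadPrincipals -contains ($_ -replace '^.*\\', '') } |
        Sort-Object -Unique

    [pscustomobject]@{
        Template       = $t.Name
        EKUs           = if ($ekus.Count) { $ekus -join ',' } else { '(none)' }
        Published      = [bool]($published -contains $t.Name)
        BroadEnrollers = ($broad -join '; ')
        Finding        = if ($broad -and ($published -contains $t.Name)) { 'ESC2-exposed' }
                         elseif ($broad) { 'ESC2 EKU, broad enrollment, not published' }
                         else { 'ESC2 EKU, enrollment restricted' }
    }
}
```

Rows marked ESC2-exposed are the ones to act on: either replace the Any Purpose EKU with the specific EKUs the template really needs, or remove the Enroll right from the broad groups and grant it to a dedicated enrollment group. For the monitoring point, the CA's own audit log (events 4886 for requests received and 4887 for certificates issued, when CA auditing is enabled) is where issuance against the remaining risky templates becomes visible.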
Full Story: https://www.hackingarticles.in/ad-certificate-exploitation-esc2/