ESC10 is an attack technique that abuses weaknesses in Active Directory Certificate Services (AD CS) to impersonate any user, including Domain Admins, without knowing their passwords. It combines weak certificate binding enforcement with shadow credentials, which makes it a serious threat in enterprise environments. #ESC10 #ActiveDirectoryCertificateServices
Key points
- ESC10 is an advanced post-exploitation technique that enables full domain compromise without knowledge of any password.
- The attack exploits weak certificate mapping enforcement together with shadow credentials written to msDS-KeyCredentialLink.
- The attacker gains control of a low-privileged account, changes its UPN, and injects forged certificate credentials to impersonate high-privilege users.
- Weak enforcement of certificate binding (StrongCertificateBindingEnforcement = 0) is the key weakness ESC10 exploits.
- Mitigation includes enforcing strict certificate binding, restricting write access to the attributes involved, and monitoring certificate and UPN changes.
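The last key point recommends monitoring UPN and certificate-related changes. The following script is an added example (not from the linked article) showing what that monitoring can look like in practice: it correlates Active Directory change events and flags the ESC10 pattern, a UPN rewrite that points a low-privileged account at a privileged identity, combined with a shadow-credential write to msDS-KeyCredentialLink on the same object. The event IDs and attribute names are the real Windows ones (5136 "directory service object modified", 4738 "user account changed"); the account names, timestamps, the privileged-identity list and the key-credential value are constructed sample data.

```python
# Added example: correlate constructed AD change events to flag the ESC10 pattern
# (UPN pointed at a privileged identity + msDS-KeyCredentialLink write on the same
# object). Event IDs 5136 and 4738 and the attribute names are real; all sample
# accounts, timestamps and values below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed list of identities whose impersonation would be high impact.
PRIVILEGED_IDENTITIES = {"administrator", "da_backup"}


@dataclass
class DirectoryChange:
    ts: datetime
    event_id: int      # 5136 (object modified) or 4738 (user account changed)
    target: str        # sAMAccountName of the modified account
    attribute: str     # LDAP display name of the attribute that was written
    new_value: str
    actor: str         # account that performed the write


def upn_identity(value: str) -> str:
    """Reduce a UPN or bare name to the identity it resolves to (lower-cased, realm stripped)."""
    return value.split("@", 1)[0].strip().lower()


def find_esc10_candidates(events, window=timedelta(minutes=30)):
    """Return one finding per suspicious UPN change.

    'high'   : new UPN names a privileged identity AND a msDS-KeyCredentialLink write
               on the same object lies within `window` of the UPN change.
    'medium' : new UPN names a privileged identity but no shadow-credential write seen.
    """
    by_target = {}
    for e in events:
        by_target.setdefault(e.target.lower(), []).append(e)

    findings = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e.ts)
        upn_changes = [e for e in evs if e.attribute.lower() == "userprincipalname"]
        kcl_writes = [e for e in evs if e.attribute.lower() == "msds-keycredentiallink"]
        for u in upn_changes:
            impersonated = upn_identity(u.new_value)
            if impersonated == target or impersonated not in PRIVILEGED_IDENTITIES:
                continue  # ordinary rename, or not pointing at a privileged identity
            linked = [k for k in kcl_writes if abs(k.ts - u.ts) <= window]
            findings.append({
                "target": target,
                "impersonated": impersonated,
                "actor": u.actor,
                "upn_changed_at": u.ts,
                "shadow_credential_writes": len(linked),
                "severity": "high" if linked else "medium",
            })
    return findings


# Constructed sample events: one benign UPN update, one ESC10-style sequence, one noise event.
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_EVENTS = [
    # benign: jdoe's UPN updated after a name change
    DirectoryChange(T0, 4738, "jdoe", "userPrincipalName",
                    "jdoe.smith@corp.example", "hr_sync"),
    # ESC10 pattern: svc_helpdesk's UPN pointed at Administrator, then a key credential written
    DirectoryChange(T0 + timedelta(minutes=10), 4738, "svc_helpdesk", "userPrincipalName",
                    "administrator@corp.example", "svc_helpdesk"),
    DirectoryChange(T0 + timedelta(minutes=12), 5136, "svc_helpdesk", "msDS-KeyCredentialLink",
                    "B:828:0002000020000...(constructed placeholder)", "svc_helpdesk"),
    # unrelated attribute change
    DirectoryChange(T0 + timedelta(hours=2), 5136, "svc_backup", "description",
                    "rotated", "ops_admin"),
]


if __name__ == "__main__":
    for finding in find_esc10_candidates(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone, the script reports a single high-severity finding for svc_helpdesk impersonating administrator; the jdoe rename produces nothing because the new UPN resolves to an unprivileged identity. In a real deployment the events would come from the Security log of the domain controllers, with SACL auditing enabled so that 5136 fires for writes to msDS-KeyCredentialLink.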
Read More: https://www.hackingarticles.in/adcs-esc10-weak-certificate-mapping/