ESC4 is an Active Directory Certificate Services (ADCS) weakness in which a certificate template's access control list grants write rights to low-privileged principals. An attacker who holds such rights can rewrite the template, request certificates for arbitrary principals from it and impersonate them, which can end in full domain compromise. The weakness is a permissions problem, so the fix is strict template permissions and hardened template configurations. (Affected: Active Directory Certificate Services)
Key points:
- The vulnerability arises from misconfigured access control entries (ACEs) on ADCS certificate template objects, such as WriteDACL, WriteOwner, WriteProperty or Full Control granted to groups like Domain Users or Authenticated Users, which lets them modify the template.
- Attackers with write rights on a template can rewrite its settings: enable "enrollee supplies subject", remove the manager-approval and authorized-signature requirements, and set an authentication-capable EKU such as Client Authentication. This turns the template into an ESC1-style template that issues logon certificates for any subject the requester names.
- Tools like Certipy and Metasploit automate the steps: enumerating templates whose ACLs are writable by low-privileged principals, rewriting the template attributes, and requesting certificates from the modified template.
- Once the template is rewritten, a low-privileged user requests a certificate whose subject alternative name carries the UPN of a Domain Admin or the account name of a Domain Controller, and the CA issues it.
- Attack flow: identify writable templates, save the original template and modify it, request the malicious certificate, authenticate with the certificate, and optionally restore the template to hide the change.
- EKU (Extended Key Usage) fields define what a certificate may be used for. Client Authentication, Smart Card Logon, PKINIT Client Authentication, Any Purpose or an empty EKU list make a certificate usable for domain logon; a Server Authentication EKU on its own does not, so the attacker's rewrite targets the authentication EKUs.
- Post-exploitation, the attacker authenticates with the malicious certificate over PKINIT to obtain a Kerberos TGT for the impersonated account (and, through it, the account's NT hash), then moves laterally or acts as Domain Admin.
- Mitigation: restrict template write permissions to PKI administrators, audit and alert on modifications to template objects (including the enrollee-supplies-subject flag, manager approval, signature count and EKU list), remove unnecessary EKUs, and tighten access controls on the CA itself.
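As an added example that is not part of the original write-up or of any tool it names, the Python below models a certificate template's LDAP attributes and ACL with constructed data and runs the two checks a defender (or an attacker) performs: who can write the template (the ESC4 condition) and whether the template, as found or after the attacker's rewrite, would issue authentication certificates for arbitrary subjects (the ESC1-style state). The attribute names, flag bits, access-mask values, EKU OIDs and the Certificate-Enrollment right GUID are the real Active Directory values; the template name, principals and ACL contents are made up for the example.

```python
import copy

# Access-mask bits from ADS_RIGHTS_ENUM / winnt.h
GENERIC_ALL       = 0x10000000
GENERIC_WRITE     = 0x40000000
GENERIC_READ      = 0x80000000
WRITE_DAC         = 0x00040000
WRITE_OWNER       = 0x00080000
DS_WRITE_PROP     = 0x00000020
DS_CONTROL_ACCESS = 0x00000100

# Any of these on the template object lets the holder rewrite it: the ESC4 condition.
TEMPLATE_WRITE_MASK = GENERIC_ALL | GENERIC_WRITE | WRITE_DAC | WRITE_OWNER | DS_WRITE_PROP

# Extended right GUID for Certificate-Enrollment (the ACE's object_type)
ENROLL_RIGHT = "0e10c968-78fb-11d1-adec-00c04fc2d4cf"

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # bit in msPKI-Enrollment-Flag (manager approval)

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
# EKUs (or an empty EKU list) that make a certificate usable for PKINIT / Schannel logon
AUTH_EKUS = {EKU_CLIENT_AUTH, "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4", "2.5.29.37.0"}

# Principals expected to control templates; anyone else holding write rights is a finding.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}


def _ace(trustee, mask, object_type=None):
    return {"type": "ALLOW", "trustee": trustee, "mask": mask, "object_type": object_type}


# Constructed template resembling a web-server template whose ACL also grants Domain Users
# WriteDACL/WriteOwner. Names and values are made up for this example.
SAMPLE_TEMPLATE = {
    "cn": "ContosoWeb",
    "msPKI-Certificate-Name-Flag": 0,             # subject built from AD, not supplied by enrollee
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
    "msPKI-RA-Signature": 1,
    "pKIExtendedKeyUsage": [EKU_SERVER_AUTH],
    "nTSecurityDescriptor": [
        _ace("Domain Admins", GENERIC_ALL),
        _ace("Domain Users", GENERIC_READ | DS_CONTROL_ACCESS, ENROLL_RIGHT),  # enroll only
        _ace("Domain Users", WRITE_DAC | WRITE_OWNER),                         # the ESC4 hole
    ],
}


def esc4_writers(template):
    """Return the non-privileged trustees that can modify the template (ESC4).
    Only ALLOW ACEs are evaluated (DENY ACEs are ignored for simplicity); a
    property-specific WriteProperty ACE (object_type set) does not count because
    it does not cover the whole object."""
    found = []
    for ace in template["nTSecurityDescriptor"]:
        if ace["type"] != "ALLOW" or ace["trustee"] in PRIVILEGED:
            continue
        mask = ace["mask"]
        if ace["object_type"] is not None:
            mask &= ~DS_WRITE_PROP
        if mask & TEMPLATE_WRITE_MASK and ace["trustee"] not in found:
            found.append(ace["trustee"])
    return found


def can_enroll(template, trustee):
    """True if the trustee holds the Certificate-Enrollment right (or Full Control)."""
    for ace in template["nTSecurityDescriptor"]:
        if ace["type"] != "ALLOW" or ace["trustee"] != trustee:
            continue
        if ace["mask"] & GENERIC_ALL:
            return True
        if ace["mask"] & DS_CONTROL_ACCESS and ace["object_type"] in (None, ENROLL_RIGHT):
            return True
    return False


def esc1_risk(template, enrollee="Domain Users"):
    """True when a low-privileged enrollee can obtain a logon certificate for an arbitrary
    subject: the state an ESC4 attacker writes into the template."""
    ekus = set(template["pKIExtendedKeyUsage"])
    return bool(
        can_enroll(template, enrollee)
        and template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        and not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
        and template["msPKI-RA-Signature"] == 0
        and (not ekus or ekus & AUTH_EKUS)
    )


def weaponize(template):
    """Rewrite the template the way an ESC4 attacker does: enrollee supplies the subject,
    no manager approval, no authorized signatures, Client Authentication EKU."""
    t = copy.deepcopy(template)
    t["msPKI-Certificate-Name-Flag"] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    t["msPKI-Enrollment-Flag"] &= ~CT_FLAG_PEND_ALL_REQUESTS
    t["msPKI-RA-Signature"] = 0
    t["pKIExtendedKeyUsage"] = [EKU_CLIENT_AUTH]
    return t


def harden(template):
    """Mitigation: strip write rights from every non-privileged trustee, keeping enrollment."""
    t = copy.deepcopy(template)
    for ace in t["nTSecurityDescriptor"]:
        if ace["type"] == "ALLOW" and ace["trustee"] not in PRIVILEGED:
            ace["mask"] &= ~TEMPLATE_WRITE_MASK
    t["nTSecurityDescriptor"] = [a for a in t["nTSecurityDescriptor"] if a["mask"]]
    return t


if __name__ == "__main__":
    print("ESC4 writers:", esc4_writers(SAMPLE_TEMPLATE))
    print("ESC1 risk as found:", esc1_risk(SAMPLE_TEMPLATE))
    print("ESC1 risk after attacker rewrite:", esc1_risk(weaponize(SAMPLE_TEMPLATE)))
    print("ESC4 writers after hardening:", esc4_writers(harden(SAMPLE_TEMPLATE)))
```

Two things worth noticing when you run it: the template as found is not ESC1-vulnerable (Server Authentication only, subject from AD, manager approval required), so a scanner that only checks template settings would miss it; the writable ACL is the finding. And `harden()` on an already rewritten template removes the write rights but leaves the attacker's ESC1 settings in place, so remediation has to both fix the ACL and restore the template attributes from a known-good copy.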
Read More: https://www.hackingarticles.in/adcs-esc4-vulnerable-certificate-template-access-control/