ESC5 is a serious vulnerability class in Active Directory Certificate Services (ADCS) that allows attackers with local admin rights on the CA server to extract the CA's private key and forge valid certificates, leading to domain-wide privilege escalation. The attack abuses the domain's trust in the CA's signing key, enabling stealthy lateral movement and domain compromise without needing passwords or hashes.
Affected: Active Directory Certificate Services, Domain Network Security Systems
Keypoints
- ESC5 exploits insecure access to the CA’s private key in Active Directory Certificate Services, enabling certificate forgery.
- Attacker needs local admin rights on the CA server to extract the private key and forge certificates.
- Weak protections or misconfigurations in the PKI setup facilitate the success of the attack.
- The attacker can forge certificates for privileged users and authenticate via Kerberos PKINIT without passwords.
- The initial step is compromising local admin privileges on the CA server and exporting the CA's private key using tools like Certipy.
- The forged certificates allow lateral movement and privilege escalation, often reaching Domain Admin level.
- Mitigation includes removing unnecessary local admins, securing CA private keys, and monitoring certificate-related activities.
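The three mitigations above can be checked from the CA host itself. The following read-only audit script is an added example, not code from the linked article or from Certipy; it assumes it runs elevated on the CA server, and the `$ApprovedAdmins` allow-list is a constructed placeholder you replace with your own groups.

```powershell
# Added example: audit an ADCS CA host against the ESC5 mitigations listed above.
# Assumes: run elevated on the CA server; $ApprovedAdmins is a constructed allow-list.
$ApprovedAdmins = @('CONTOSO\Domain Admins', 'CONTOSO\PKI-Admins')   # constructed sample values

# 1. Unnecessary local admins: every member of Administrators can export the CA key,
#    so anyone not on the allow-list is a finding.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpected  = $localAdmins | Where-Object { $ApprovedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected local Administrators on the CA (can export the CA key): $($unexpected -join ', ')"
} else {
    Write-Output 'Local Administrators membership matches the allow-list.'
}

# 2. CA private key protection: the provider that holds the signing key is recorded
#    under the CertSvc configuration of the active CA.
$cfg      = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName   = (Get-ItemProperty -Path $cfg).Active
$provider = (Get-ItemProperty -Path "$cfg\$caName\CSP").Provider
Write-Output "CA '$caName' key provider: $provider"
if ($provider -match '^Microsoft (Software Key Storage Provider|Strong Cryptographic Provider)') {
    Write-Warning 'CA key lives in a software provider and can be exported by a local admin; an HSM- or TPM-backed KSP keeps it non-extractable.'
}

# 3. Monitoring: CA backup (the key-export path) only produces Security events 4876/4877
#    when the CA audit filter covers all event classes (127) and the 'Certification
#    Services' audit subcategory is enabled.
$auditFilter = (Get-ItemProperty -Path "$cfg\$caName").AuditFilter
if ($auditFilter -ne 127) {
    Write-Warning "CA AuditFilter is '$auditFilter'; set it with: certutil -setreg CA\AuditFilter 127, restart certsvc, then enable auditing with: auditpol /set /subcategory:""Certification Services"" /success:enable /failure:enable"
} else {
    Write-Output 'CA AuditFilter is 127 (all CA events audited).'
}

# Recent backup events are the signal that a key export happened; review who triggered them.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4876, 4877 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[0].Value } }
```

Any 4876/4877 pair that does not line up with a scheduled CA backup window is the event a responder would want to investigate.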
Read More: https://www.hackingarticles.in/ad-cs-esc5-vulnerable-pki-object-access-control/