The ESC6 attack is a sophisticated privilege escalation technique exploiting misconfigurations in Active Directory Certificate Services (ADCS). It allows attackers to impersonate high-privilege users by issuing legitimate certificates, often bypassing detection. #ESC6 #ActiveDirectoryCertificateServices
Key points
- ESC6 exploits misconfigured certificate templates and CA settings to impersonate privileged accounts.
- The attack relies on SAN injection: when the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set, any requester can supply a Subject Alternative Name (such as another account's UPN) as a request attribute, regardless of template settings.
- Attackers can enroll certificates through open templates and use them for authenticating as Domain Admins.
- Mitigation involves disabling the flag, restricting enrollment rights, and monitoring suspicious certificate requests.
- Tools like Certipy and impacket-psexec are used for exploitation and post-exploitation lateral movement.
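The mitigation and monitoring points above, as an added PowerShell example (not code from the linked article or from the tools it names): it checks a CA's EditFlags for the ESC6 bit, offers to clear it, and lists issued requests whose attributes carried a requester-supplied SAN. It assumes CA-admin rights and that the CA config string is replaced with your own.

```powershell
# Added example (not from the linked article): audit a CA for the ESC6 flag,
# optionally clear it, and scan the CA's Security log for certificate requests
# that carried a "san:" request attribute. Assumes it runs with CA-admin rights;
# the CA config string below is a placeholder.
$CaConfig = 'CA01.corp.example\CORP-CA01-CA'   # placeholder: Host\CAName

function Test-Esc6Flag {
    param([string]$Config)
    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # bit certutil reports for this flag
    # certutil prints e.g. "  EditFlags REG_DWORD = 11014e (1114446)"; we parse the hex value
    $out  = & certutil.exe -config $Config -getreg policy\EditFlags 2>&1
    $line = $out | Where-Object { $_ -match 'EditFlags\s+REG_DWORD' } | Select-Object -First 1
    if (-not $line -or $line -notmatch '=\s*([0-9a-fA-F]+)') {
        throw "Could not read EditFlags from $Config"
    }
    $flags = [Convert]::ToInt32($Matches[1], 16)
    return (($flags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0)
}

function Disable-Esc6Flag {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Config)
    if ($PSCmdlet.ShouldProcess($Config, 'Clear EDITF_ATTRIBUTESUBJECTALTNAME2 and restart CertSvc')) {
        # A leading '-' before the flag name tells certutil to clear that bit
        & certutil.exe -config $Config -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 | Out-Null
        Restart-Service -Name CertSvc   # the policy module re-reads EditFlags on start
    }
}

function Find-SanAttributeRequests {
    param([int]$Days = 30)
    # 4886 = request received, 4887 = request approved and certificate issued.
    # Both log the request attributes; a requester-supplied SAN shows up there as "san:..."
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)\bsan:' } |
        ForEach-Object {
            $req = if ($_.Message -match '(?im)^\s*Requester:\s*(.+)$') { $Matches[1].Trim() } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Requester = $req }
        }
}

if (Test-Esc6Flag -Config $CaConfig) {
    Write-Warning "$CaConfig has EDITF_ATTRIBUTESUBJECTALTNAME2 set (ESC6). Run Disable-Esc6Flag -Config '$CaConfig' to clear it."
}
Find-SanAttributeRequests | Format-Table -AutoSize
```

Event IDs 4886/4887 only appear if "Audit Certification Services" is enabled in the CA's audit policy; a request from a service account that legitimately needs a SAN will also be listed, so review the requester rather than alerting on every hit.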
Read More: https://www.hackingarticles.in/esc6-editf_attributesubjectaltname2/