In part one of this blog series, we introduced Active Directory Certificate Services (AD CS) and how misconfigurations in certificate templates can allow an attacker to authenticate as any user in the domain, including domain admins. These common, yet often unseen, paths to privilege pose a significant threat with severe consequences for organizations —including the potential for full domain compromise—making them a prime target for threat actors.
In this blog, we are going the explore ESC4, the second escalation path in our AD CS Attack Series. ESC4 presents attackers with an additional path to privilege in AD CS by exploiting weak Access Control Entries in a certificate template. This builds on the introduction to AD CS and ESC1 misconfigurations covered in part one of this series, so make sure you start there.
Domain Escalation - ESC4
Requirements
To escalate via the ESC4 path, an attacker requires any of the rights or Access Control Entries (ACEs) specified in the table below to be included in the misconfigured certificate template. These allow an attacker to edit a certificate template and introduce the ESC1 misconfigurations previously shown.
Rights | Description |
---|---|
Owner | Implicit full control of object, all properties can be edited |
WriteOwner | Can modify the owner to an attacker-controlled principal |
WriteDacl | Can modify rights to grant attacker FullControl rights |
WriteProperty | Can edit all properties |
FullControl | Full control of object, all properties can be edited |
Exploiting ESC4 - Domain Escalation
To exploit ESC4, we need to have one of the rights to a certificate template object from the table above. Again, using the Certipy tool in our scenario, we will perform the 'find' command to identify any vulnerable ESC4 templates.
![](https://assets.beyondtrust.com/assets/documents/Finding-Vulnerable-ESC4-Templates.png)
Viewing the 'TestVulnerableCertifcate2' certificate template, we can see that it is vulnerable to ESC4, as shown in the screenshot below. The 'Write Property Principals' indicates that any user in the 'Domain Users' group meets one of the conditions in the section above, opening it up to exploitation by any valid Domain User.
![](https://assets.beyondtrust.com/assets/documents/ESC4-vulnerable-domain-users-1.png)
Leveraging the 'WriteProperty' right we have as a Domain User in the lab, we go ahead and exploit the rights we have on the misconfigured template by editing the template with the 'template' module from Certipy in order to make this template vulnerable to ESC1 attacks.
![](https://assets.beyondtrust.com/assets/documents/Editing-a-misconfigured-template_2024-06-24-132055_knfw.png)
We can see below, when running the recon command from Certipy, that the 'TestVulnerableCertificate2' template is now vulnerable to ESC1.
![](https://assets.beyondtrust.com/assets/documents/exploit-ESC1.png)
Now we go ahead and exploit ESC1 the same way we did in the previous section. We perform a request to the Certificate Authority and have the CA issue us a certificate to authenticate as the user we provide in the 'subjectAltName'. In the example below, we provided any compromised or created user to authenticate to the domain controller—the same way we did in our previous section.
![](https://assets.beyondtrust.com/assets/documents/compromised-user-being-added-during-authentication.png)
Similar to the example shown in our previous blog on ESC1 abused, we were able to obtain a certificate from the request above. We now use the PFX certificate to authenticate via LDAP into our lab environment, as seen in our screenshot below.
![](https://assets.beyondtrust.com/assets/documents/use-the-PFX-certificate-to-authenticate-via-LDAP.png)
Summary of ESC4
The ESC4 attack demonstrated above shows how a certificate template with a weak access control can lead to domain escalation by allowing users to edit the template and introduce malicious misconfigurations, such as ESC1. This allows an attacker the ability to pivot into other higher-privileged accounts for domain escalation, lateral movement, and persistence.
Detecting ESC4 Abuse
In part one, we discussed how to set up the relevant log sources that can be used to detect AD CS misconfigurations. While various log sources can be used to detect the ESC4 domain escalation path, we will mainly focus on Event ID 4899.
Event ID 4899 is triggered when an attribute is updated on a certificate template. However, there are two caveats behind this Event ID. To trigger it:
An attacker must also enroll/request the certificate of the modified template.
The account making the modification is not logged.
To enrich this event, we can monitor for Event ID 4899 followed by Event ID 4887. Event ID 4887 allows us to identify the requester, and if the attacker downgraded the template to ESC1, we can also identify the SAN related to the attack.
Below, we can see an example of Event ID 4899, where attributes were modified to make the template vulnerable to the ESC1 escalation path:
![](https://assets.beyondtrust.com/assets/documents/Example-of-template-vulnerable-to-the-ESC1-escalation-path.png)
Mitigating ESC4 Abuse
Remove Over-Permissive Template Rights
Like in ESC1, we can use the same tools to identify vulnerable templates. We can also use the ADSI Edit tool on the Domain Controller to verify if the 'Domain Users' group has ‘Write’ permissions to the 'VulnerableTemplate4' template:
![](https://assets.beyondtrust.com/assets/documents/identify-vulnerable-templates-and-verify-permissions.png)
If we want to mitigate the ESC4 escalation path, we remove the 'Write' privileges, which prevent Domain Users from being able to edit properties of the template:
![](https://assets.beyondtrust.com/assets/documents/Remove-Write-Privileges.png)
Below, we verify with Certipy that 'Write' permissions have been removed from the template, which now mitigates the ESC4 escalation path:
![](https://assets.beyondtrust.com/assets/documents/verify-and-mitigate-the-ESC4-escalation-path.png)
Detecting ESC4 Attacks and protecting Identities and Identity Infrastructure with Identity Security Insights from BeyondTrust
Built to uncover identity vulnerabilities and hidden paths to privilege, BeyondTrust Identity Security Insights builds on a history of Privileged Access Management (PAM) leadership with advanced security research to enable you to enhance your identity security posture and fortify your defenses against active identity threats.
The BeyondTrust research and detection engineering teams are continuously evolving Identity Security Insights’ capabilities in response to new threat techniques by dissecting various AD CS escalation paths and providing out-of-the-box detections and recommendations to mitigate these escalation paths.
To highlight how this works, we have included a demo of how Identity Security Insights provides detections and recommendations for ESC4 attacks:
This video highlights just a small part of the visibility, detections, and recommendations that Identity Security Insights offers its customers to help them defend against AD CS threats.
If you are interested in gaining holistic visibility and actionable insights into the identities, accounts, and privileges across your environment, visit beyondtrust.com/insights, or start our complimentary identity security assessment, including 30 days of threat monitoring, today.
The AD CS Threat Series
Don’t miss the next installment of the AD CS attack series to improve your Active DIrectory security and beyond. By reading the full series, you’ll learn how to defend all the paths to privilege within your domains and how to detect their active exploitation.
Other blogs in the series:
Coming soon: Tune into the Next Blog in the AD CS Threat Series
![Photograph of Raul Carmona](https://assets.beyondtrust.com/assets/images/user-photos/_people/Raul-Carmona-Headshot-2024.png?auto=format&q=80)
Raul Carmona, Staff Security Researcher
Raul is currently a Security Researcher at BeyondTrust with a focus on cloud providers, Active Directory, and macOS. Raul was previously a Red Team consultant for both CrowdStrike and Mandiant (Google Cloud) specializing in adversary simulation, internal penetration testing, and collaborative purple team exercises.
Research Team, BeyondTrust
Identity security threats are escalating at an alarming rate. Driven by the rapid evolution of technology, the increasing sophistication of malicious actors, and an ever-expanding attack surface, it is more important than ever that organizations adopt robust identity security measures that are capable of keeping pace ever-evolving attacks.
The BeyondTrust research and detection engineering teams believe the best way to fully understand cybersecurity threats is to work closely with our customers and partners, conducting real world research into the attacks that matter most to them. By dissecting emerging attack methods and exploitation techniques of threat actors as well as conducting novel research the teams mission is to help organizations defend against identity threats.