Index

1. ESC1 (Enterprise CA Security Configuration) Attack
2. todo
3. todo
4. ESC4 Enterprise CA Security Configuration with Key Escrow) Attacks

ESC1 (Enterprise CA Security Configuration) Attack

Abuse misconfigured certificate templates to allow unauthorized certificate requests that grant attackers higher privileges, facilitating lateral movement and persistence within the network.

Requirements

• Valid credential
• The Enterprise CA grants low-privileged users enrollment rights
• Manager approval is disabled
• Authorized signature not required
• Certificate templates are configured to define EKUs that facilitate authentication:
  • Client Authentication (OID 1.3.6.1.5.5.7.3.2)
  • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
  • Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2)
  • Any Purpose (OID 2.5.29.37.0)
  • No EKU (SubCA)
• Requester has the ability to specify subjectAltName (SAN) in the CSR

How to

Attacker as lowpriv user can specify a privileged user in the SAN field and request a certificate:

The certificate enables client authentication and the CA creates and signs a certificate using the attacker-supplied SAN. In this way the attacker can become any account in the domain!

Enumeration