ESC2

Description

ESC2 works on the same core principal as ESC1, where a low privileged user or group has the ability to supply a subjectAltName (SAN) for any other user or machine in Active Directory. in ESC1 attacks the flags for the Extended Key Usage (EKU) need to contain "Client Authentication" to be valid. ESC2 by comparison is where the EKU is set to "Any Purpose" or is void of any usage specifications

The attack method for this follows much the same as ESC1 except there is a small variation in the "pre-requisites"

Requirements for attack path

ENROLLEE_SUPPLIES_SUBJECT flag present in the certificate template
Enrolment rights granted to a user or group for which we have access to
EKU is set to "Any Purpose" or nothing at all
Manager approval not enabled
Authorized signature are not required

If ENROLLEE_SUPPLIES_SUBJECT is NOT present and the following conditions are met

Enrolment rights granted to a user or group for which we have access to
EKU is set to "Any Purpose" or nothing at all
Manager approval not enabled
Authorized signature are not required

Then the template can be used as a certificate request agent in which this attack becomes ESC3. If this is the case, follow the guidance below to abuse ESC3.

Windows

Enumeration

.\Certify.exe find /vulnerable /enabled

Performing the attack

Depending on the certificate template configuration, we have two options as stated at the top of this document. If the intended attack path for ESC2 is viable, simply follow the attack steps for ESC1.

If the template is viable but does not have the ENROLLEE_SUPPLIES_SUBJECT flag set, then use it as the requesting agent in ESC3.

Linux

Enumeration

certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -vulnerable -stdout

Performing the attack

If the template is viable but does not have the ENROLLEE_SUPPLIES_SUBJECT flag set, then use it as the requesting agent in ESC3.

Mitigations

Remove the "Any Purpose" EKU from the template, EKU's should be given specific use definitions
Remove the ENROLLEE_SUPPLIES_SUBJECT flag from the certificate
Require manager aprovals on the certificate
Require authorized signatures
Remove weak enrollement permissions from the template

Last updated 2 months ago

Was this helpful?

ESC2

Description

The attack method for this follows much the same as ESC1 except there is a small variation in the "pre-requisites"

Requirements for attack path

ENROLLEE_SUPPLIES_SUBJECT flag present in the certificate template
Enrolment rights granted to a user or group for which we have access to
EKU is set to "Any Purpose" or nothing at all
Manager approval not enabled
Authorized signature are not required

If ENROLLEE_SUPPLIES_SUBJECT is NOT present and the following conditions are met

Enrolment rights granted to a user or group for which we have access to
EKU is set to "Any Purpose" or nothing at all
Manager approval not enabled
Authorized signature are not required

Then the template can be used as a certificate request agent in which this attack becomes ESC3. If this is the case, follow the guidance below to abuse ESC3.

ESC3

Windows

Enumeration

.\Certify.exe find /vulnerable /enabled

Performing the attack

ESC1

If the template is viable but does not have the ENROLLEE_SUPPLIES_SUBJECT flag set, then use it as the requesting agent in ESC3.

ESC3

Linux

Enumeration

certipy find -u 'Moe@Security.local' -p 'Password123' -dc-ip 10.10.10.100 -vulnerable -stdout

Performing the attack

ESC1

If the template is viable but does not have the ENROLLEE_SUPPLIES_SUBJECT flag set, then use it as the requesting agent in ESC3.

ESC3

Mitigations

Remove the "Any Purpose" EKU from the template, EKU's should be given specific use definitions
Remove the ENROLLEE_SUPPLIES_SUBJECT flag from the certificate
Require manager aprovals on the certificate
Require authorized signatures
Remove weak enrollement permissions from the template

Last updated 2 months ago

Was this helpful?