ESC2 works on the same core principal as ESC1, where a low privileged user or group has the ability to supply a subjectAltName (SAN) for any other user or machine in Active Directory. in ESC1 attacks the flags for the Extended Key Usage (EKU) need to contain "Client Authentication" to be valid. ESC2 by comparison is where the EKU is set to "Any Purpose" or is void of any usage specifications

The attack method for this follows much the same as ESC1 except there is a small variation in the "pre-requisites"

Tools Required

Requirements for attack path

  • ENROLLEE_SUPPLIES_SUBJECT flag in the certificate template

  • Enrolment rights granted to a user or group for which we have access to

  • EKU is set to "Any Purpose" or "null"

  • Manager approval not enabled

  • Authorized signature are not required



Invoke-Certify find /enrolleeSuppliesSubject /enabled


# Syntax
certipy find -u <User@Domain.local> -p <Password> -dc-ip <IP> -enabled -stdout

# Example
certipy find -u truth@security.local -p Password123! -dc-ip -enabled -stdout

Performing The Attack

Follow the attack process described below. The attack is the same for ESC1 after identifying a vulnerable certificate template.



  • Remove the ENROLEE_SUPPLIES_SUBJECT flag from the certificate template

  • Remove the "Any Purpose" EKU from the template, EKU's should be given specific use definitions

  • Ensure Manager approval is required on the certificate

  • Require authorized signatures

  • If possible, remove Enrollment rights for low privileges groups such as Domain users and Domain Computers

Last updated