ESC2
Description
ESC2 works on the same core principle as ESC1: a low-privileged user or group has the ability to supply a subjectAltName (SAN) for any other user or machine in Active Directory. In ESC1 attacks the Extended Key Usage (EKU) flags need to contain "Client Authentication" to be valid. ESC2, by comparison, is where the EKU is set to "Any Purpose" or contains no usage specification at all.
The attack method follows much the same path as ESC1, with a small variation in the prerequisites.
Tools Required
Certify
Rubeus
Access to a UNIX system if unable to install OpenSSL on the testing Windows host
Requirements for attack path
ENROLLEE_SUPPLIES_SUBJECT flag in the certificate template
Enrolment rights granted to a user or group to which we have access
EKU is set to "Any Purpose" or "null"
Manager approval not enabled
Authorized signatures are not required
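As an added example (not code from the original page), the following Python checks a certificate template's LDAP attributes against the five requirements above, so a defender can pick out templates that need the mitigations; the template records are constructed, and the set of low-privileged principals is an assumption.

```python
# Added example (not from the original page): check AD CS certificate
# template attributes against the ESC2 conditions listed above. The
# template records are constructed dicts shaped like the LDAP attributes
# a defender exports from the Certificate Templates container; no
# directory is contacted.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit (manager approval)
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Assumption: which principals count as low privileged is an environment
# decision; these defaults match the groups named in the mitigations.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers"}


def esc2_findings(template):
    """Return the ESC2 conditions the template does NOT meet; an empty list
    means every condition holds and the template needs remediation."""
    problems = []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        problems.append("enrollee cannot supply the subject/SAN")
    ekus = template["pKIExtendedKeyUsage"]
    if ekus and OID_ANY_PURPOSE not in ekus:   # empty list = no EKU restriction
        problems.append("EKU limited to specific purposes")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        problems.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        problems.append("authorized signatures required")
    if not LOW_PRIV_PRINCIPALS & set(template["enroll_rights"]):
        problems.append("no low-privileged principal holds Enroll")
    return problems


def is_esc2_vulnerable(template):
    return not esc2_findings(template)


# Constructed sample templates (not real environment data).
SAMPLE_TEMPLATES = {
    "AnyPurposeUser": {"msPKI-Certificate-Name-Flag": 0x1, "pKIExtendedKeyUsage": [OID_ANY_PURPOSE],
                       "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "enroll_rights": ["Domain Users"]},
    "NoEKUMachine": {"msPKI-Certificate-Name-Flag": 0x1, "pKIExtendedKeyUsage": [],
                     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0, "enroll_rights": ["Domain Computers"]},
    "HardenedUser": {"msPKI-Certificate-Name-Flag": 0x1, "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
                     "msPKI-Enrollment-Flag": 0x2, "msPKI-RA-Signature": 1, "enroll_rights": ["Domain Users"]},
}
```

A template that passes every check except the EKU one (Client Authentication only) is the ESC1 case rather than ESC2.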
Enumeration
Windows
Linux
Performing The Attack
Follow the attack process described below. After a vulnerable certificate template has been identified, the attack is the same as for ESC1.
ESC1
Mitigations
Remove the ENROLLEE_SUPPLIES_SUBJECT flag from the certificate template
Remove the "Any Purpose" EKU from the template; EKUs should be given specific use definitions
Ensure Manager approval is required on the certificate
Require authorized signatures
If possible, remove Enrollment rights for low-privilege groups such as Domain Users and Domain Computers