ADCS Questions

Question 1

What is ESC1

Answer 1

A vulnerability where attackers exploit certificate templates allowing requesters to specify a SAN and enroll without approval, leading to domain admin impersonation.

Question 2

How does ESC1 enable privilege escalation?

Answer 2

By requesting a certificate with a SAN set to a privileged account (e.g., domain admin UPN) and using it for Kerberos authentication (PKINIT).

Question 3

What is ESC4?

Answer 3

Exploiting write permissions on certificate templates to modify them (e.g., enabling SAN, Client Authentication) and enroll as a privileged user.

Question 4

What permissions enable ESC4?

Answer 4

Write, WriteDacl, or Owner rights on a template, allowing attackers to reconfigure it maliciously.

Question 5

What is ESC8?

Answer 5

Relaying NTLM authentication to AD CS HTTP endpoints to enroll in certificates and impersonate victims (e.g., Domain Admins).

Question 6

SAN

Answer 6

Subject Alternative Name

Question 7

What is SAN?

Answer 7

A field in certificates that allows authentication for multiple identities (e.g., admin@domain.com). Exploited in ESC1/ESC4.

Question 8

EKU

Answer 8

Extended Key Usage

Question 9

What is EKU?

Answer 9

Defines a certificate’s purpose (e.g., Client Authentication for Kerberos). Enabling this in templates allows domain escalation.

Question 10

PKINIT

Answer 10

Kerberos extension using certificates (instead of passwords) for authentication. Used to exploit AD CS certificates.

Question 11

NTLM Relay

Answer 11

Forwarding captured NTLM authentication to another service (e.g., AD CS HTTP) to gain unauthorized access.

Question 12

WriteDacl

Answer 12

Permission to modify an object’s security settings (e.g., altering a certificate template’s ACL for ESC4).

Question 13

Certify

Answer 13

Tool to enumerate AD CS templates, request certificates, and exploit misconfigurations (ESC1/ESC4).

Question 14

ntlmrelayx

Answer 14

Relays NTLM authentication to services like AD CS HTTP endpoints (used in ESC8).

Question 15

BloodHound

Answer 15

Maps AD permissions to find vulnerable templates (e.g., WriteDacl for ESC4).

Question 16

SharpCerti

Answer 16

C# tool to request certificates and exploit AD CS vulnerabilities (alternative to Certify).

Question 17

How to mitigate ESC1?

Answer 17

Disable SAN editing in templates.

Require manager approval for enrollment.

Question 18

How to mitigate ESC4?

Answer 18

Restrict Write/WriteDacl permissions on templates.

Monitor template changes (Event ID 5136).

Question 19

How to mitigate ESC8?

Answer 19

Disable HTTP enrollment.

Enforce SMB signing/EPA.

Question 20

General AD CS hardening steps.

Answer 20

Audit template permissions.

Restrict Client Authentication EKUs.

Use LDAPS/SMB instead of HTTP.

Question 21

What is a UPN?

Answer 21

A UPN (User Principal Name) isa user’s login name formatted like an email address (e.g., john.doe@example.com) in a Microsoft Active Directory.It’s used for logging into domain resources.