Understanding ESC15: A New Privilege Escalation Vulnerability in Active Directory Certificate Services (ADCS)
Active Directory Certificate Services (ADCS) plays a critical role in managing and securing the digital identities of users and devices in enterprise environments. However, vulnerabilities in this system can lead to disastrous security breaches. On October 7, 2024, a new attack method targeting ADCS, dubbed ESC15, was discovered. This method allows unauthorized users to escalate privileges within an Active Directory (AD) environment by exploiting misconfigured certificate templates.
The ESC15 vulnerability is an enhancement of previously known techniques like ESC1 but bypasses many of the constraints set by older attack vectors. Notably, this attack method was added to Certipy, a popular tool in the offensive security community, thanks to contributions from dru1d-foofus and TrustedSec’s Justin Bollinger. In this blog post, we’ll dive into how ESC15 works, how to detect vulnerable environments, and the steps to mitigate the risk.
Introduction
What is ESC15?
ESC15 is an attack vector that exploits Certificate Templates with Schema Version 1 in ADCS. This method builds on ESC1, which allowed attackers to request certificates for privileged accounts. However, ESC15 bypasses even more security checks, making it a more dangerous variant.
Key Exploit Conditions for ESC15:
Certificate Template Schema Version is 1.
The Certificate Template allows arbitrary subjectAltName values in the Certificate Signing Request (CSR).
Enrollment rights on the template are granted to non-privileged users.
By exploiting these conditions, attackers can impersonate privileged users like Domain Admins and escalate their privileges within the domain.
Detailed Breakdown of ESC1 and ESC15
In the original ESC1 vulnerability, attackers could request a certificate for any user if:
The Certificate Template allowed users to supply the Subject in the CSR.
The template included at least one EKU (Enhanced Key Usage), such as Domain Authentication, allowing authentication in the domain.
ESC15 improves upon ESC1 by allowing attackers to exploit Schema Version 1 Certificate Templates even when those templates lack an EKU for Domain Authentication.
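The two condition lists above (the ESC15 preconditions and the ESC1 comparison) translate directly into an audit check a defender can run against exported template attributes. The following is an added example written for this post; it is not code from the original article, from Certipy, or from its contributors. It assumes templates have been read from CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration and reduced to dicts carrying the real attributes msPKI-Template-Schema-Version and msPKI-Certificate-Name-Flag plus a simplified "enroll_aces" view of the allow ACEs; the template names, domain SID and ACEs in the sample data are constructed.

```python
# Added example (not from the original post or from Certipy): offline audit
# helper that flags certificate templates meeting the ESC15 preconditions
# described in the post: schema version 1, requester supplies the subject,
# and enrollment granted to low-privileged principals.

# Real ADCS constants.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CERTIFICATE_ENROLLMENT_RIGHT = "0e10c968-78fb-11d2-90d4-00c04f79dc55"  # extended-right GUID

# Well-known SIDs; the domain SID below is constructed for the example.
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS = DOMAIN_SID + "-513"
DOMAIN_ADMINS = DOMAIN_SID + "-512"

# Principals that amount to "any domain user" if they can enroll.
LOW_PRIV_SIDS = {EVERYONE, AUTHENTICATED_USERS, DOMAIN_USERS}


def enrollee_supplies_subject(template):
    """True when the template lets the requester choose subject/SAN in the CSR."""
    flags = int(template.get("msPKI-Certificate-Name-Flag", 0))
    return bool(flags & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def low_priv_can_enroll(template, low_priv_sids):
    """Return the low-privileged SIDs holding Enroll (or full control) on the template.

    'enroll_aces' is a simplified view of the allow ACEs in nTSecurityDescriptor:
    each entry carries the trustee SID and either the enrollment extended-right
    GUID or the string 'GenericAll' (assumption made for this example).
    """
    holders = set()
    for ace in template.get("enroll_aces", []):
        if ace["right"] not in (CERTIFICATE_ENROLLMENT_RIGHT, "GenericAll"):
            continue
        if ace["sid"] in low_priv_sids:
            holders.add(ace["sid"])
    return sorted(holders)


def esc15_findings(templates, low_priv_sids=LOW_PRIV_SIDS):
    """Return [(template name, offending SIDs)] for templates meeting all ESC15 conditions."""
    findings = []
    for t in templates:
        if int(t.get("msPKI-Template-Schema-Version", 0)) != 1:
            continue  # ESC15 is specific to schema version 1 templates
        if not enrollee_supplies_subject(t):
            continue  # subject is built from AD, so the CSR cannot name another user
        holders = low_priv_can_enroll(t, low_priv_sids)
        if holders:
            findings.append((t["name"], holders))
    return findings


# Constructed sample templates (names and ACEs invented for the example).
# 0x80000000 stands in for unrelated bits that share the name-flag attribute.
SAMPLE_TEMPLATES = [
    {   # v1, requester chooses the subject, Domain Users can enroll -> ESC15 candidate
        "name": "LegacyWebServer",
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | 0x80000000,
        "enroll_aces": [
            {"sid": DOMAIN_USERS, "right": CERTIFICATE_ENROLLMENT_RIGHT},
            {"sid": DOMAIN_ADMINS, "right": "GenericAll"},
        ],
    },
    {   # v1 but the subject comes from AD, so the first ESC1/ESC15 condition fails
        "name": "LegacyUser",
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": 0x80000000,
        "enroll_aces": [{"sid": AUTHENTICATED_USERS, "right": CERTIFICATE_ENROLLMENT_RIGHT}],
    },
    {   # v1 and requester chooses the subject, but only Domain Admins can enroll
        "name": "AdminIssuedV1",
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enroll_aces": [{"sid": DOMAIN_ADMINS, "right": CERTIFICATE_ENROLLMENT_RIGHT}],
    },
    {   # schema version 2: outside ESC15's scope (the ESC1 EKU check would apply instead)
        "name": "CustomV2",
        "msPKI-Template-Schema-Version": 2,
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enroll_aces": [{"sid": EVERYONE, "right": CERTIFICATE_ENROLLMENT_RIGHT}],
    },
]

if __name__ == "__main__":
    for name, sids in esc15_findings(SAMPLE_TEMPLATES):
        print(f"ESC15 candidate: {name} (enrollable by {', '.join(sids)})")
```

Only LegacyWebServer is reported: the other three each fail exactly one of the three conditions, which is the point of checking them together rather than alerting on schema version 1 alone. In a real environment the dicts would be populated from an LDAP query of the Configuration naming context and the ACE view expanded to include nested group membership.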
The GitHub Contribution to Certipy
On October 7, 2024, a GitHub user named dru1d-foofus submitted a Pull Request to the Certipy repository, automating the exploitation of ESC15. The Pull Request (PR #228) was built upon an earlier discovery by TrustedSec’s Justin Bollinger (@Bandrel). Thanks to these contributors, offensive security professionals now have the ability to automate the ESC15 exploitation process within the Certipy tool.