ESC16 is a misconfiguration in Active Directory Certificate Services (AD CS) that stems from insecure handling of the CA's security features. Specifically, if the szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension (the SID security extension) is on a certificate authority's list of disabled extensions, that certificate authority will omit the SID security extension from every certificate it issues.

Background

The configuration was first described in 2022 by Will Schroeder in this blog post as a temporary workaround for the interaction between ESC7 and ESC6, and was later tagged ESC16 by Oliver Lyak.
The weakness is the same as ESC9, but it covers all certificates issued by the certificate authority rather than only certificates issued from a specific template.

Detection

We can search for certificate authorities with this misconfiguration using Certify's enum-cas command with the --filter-vulnerable option. For more information about the command and its parameters, please refer to the Command Overview page.
Certify.exe enum-cas --hide-admins
For exploitation techniques related to ESC16, refer to the attack methods described in ESC9 and ESC6, as ESC16 enables these same attack vectors but affects all certificates issued by the CA.
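As an added example (not Certify's own code, and not part of the original page), the following PowerShell script performs the same check from the defender's side: it asks the CA for its policy module's DisableExtensionList via certutil and reports whether the SID security extension OID from the description above is on it. The CA config string "ca01.example.local\Example-CA" is a placeholder to be replaced with your own CA, and the script assumes certutil.exe is available and that the caller has permission to read the CA's registry configuration.

```powershell
# ESC16 check: is the SID security extension (szOID_NTDS_CA_SECURITY_EXT) disabled on a CA?
# Added example; assumes certutil.exe and read access to the CA configuration.
param(
    # "HostName\CA Common Name" form. Placeholder value; replace with the CA under review.
    [string]$CAConfig = "ca01.example.local\Example-CA"
)

$SidExtensionOid = "1.3.6.1.4.1.311.25.2"   # szOID_NTDS_CA_SECURITY_EXT

function Test-Esc16 {
    <#
      Returns $true when the SID security extension OID appears in the CA's
      DisableExtensionList, $false otherwise. Uses certutil -getreg, which reads
      the default policy module's DisableExtensionList value on the CA.
    #>
    param([string]$Config)

    # certutil prints the REG_MULTI_SZ contents; capture stderr too so a failure is visible.
    $output = & certutil.exe -config $Config -getreg "policy\DisableExtensionList" 2>&1
    $text = ($output | ForEach-Object { $_.ToString() }) -join "`n"

    if ($LASTEXITCODE -ne 0) {
        # A CA that has never had the value set makes certutil fail with "file not found";
        # that means nothing is disabled, so the SID extension is still being issued.
        if ($text -match "0x80070002|ERROR_FILE_NOT_FOUND") {
            return $false
        }
        throw "certutil -getreg failed for '$Config': $text"
    }

    # Match the OID as a whole token so that e.g. 1.3.6.1.4.1.311.25.21 would not count.
    return [bool]($text -match ("(^|[^\d.])" + [regex]::Escape($SidExtensionOid) + "([^\d.]|$)"))
}

try {
    if (Test-Esc16 -Config $CAConfig) {
        Write-Output "[!] $CAConfig : $SidExtensionOid is on DisableExtensionList (ESC16)."
        Write-Output "    Issued certificates will not carry the SID security extension."
        exit 1
    }
    else {
        Write-Output "[+] $CAConfig : SID security extension is not disabled."
        exit 0
    }
}
catch {
    Write-Error $_
    exit 2
}
```

Run it from an account that can read the CA configuration (for example a member of the CA's local Administrators group, or remotely with the CA's config string), and treat a non-zero exit code as "review this CA". Because the check reads the CA's own policy module setting rather than inspecting issued certificates, it catches the condition for every template at once, which matches the CA-wide scope of ESC16 described above.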