ESC5 is a misconfiguration in Active Directory Certificate Services (AD CS), which stems from overly permissive access controls on PKI-related domain objects. Specifically, if a principal has the privileges to control a PKI-related domain object, they can potentially compromise the object and elevate their privileges in the domain.
The severity of this vulnerability depends largely on the vulnerable object type.

Vulnerable Object Types

The following object types, if misconfigured, can constitute an ESC5 vulnerability:
  • The CA server’s computer domain object
  • The CA server’s RPC/DCOM server
  • Any descendant object in the PKI container (CN=Public Key Services,CN=Services,CN=Configuration,DC=CORP,DC=LOCAL)
    • The Certificate Templates container
    • The Certification Authorities container
    • The Enrollment Services container
    • The NTAuthCertificates object

Detection

While Certify does not provide abuse functions for most of these cases, misconfigured access controls on PKI-related objects can be found with the enum-pkiobjects command from Certify. For more information about the command and its parameters, please refer to the Command Overview page.
Certify.exe enum-pkiobjects
In the example output of this command, the Domain Users group has full control over all descendants of the Certificate Templates container.
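The same check can be performed without Certify from a domain-joined host. The script below is an added example, not part of Certify or its documentation; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the Configuration partition, and it walks every object under the PKI container listed above, reporting write-equivalent rights granted to principals outside an assumed allow-list of administrative groups.

```powershell
# Added example (not Certify's code): enumerate ACEs on every object under the
# PKI container and flag write-equivalent rights held by non-administrative
# principals. Assumes the RSAT ActiveDirectory module and a domain-joined host
# with read access to the Configuration naming context.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Assumed allow-list: principals expected to control PKI objects. Anything else
# holding a dangerous right is reported for review.
$expectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'Domain Admins',
    'Enterprise Admins',
    'Cert Publishers'
)

# Rights that let a principal modify the object, its DACL, or its owner.
# WriteProperty ACEs scoped to a single attribute (ObjectType GUID set) are
# still reported and need manual review.
$dangerousRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'

$pkiObjects = Get-ADObject -SearchBase $pkiBase -SearchScope Subtree -Filter * `
                           -Properties nTSecurityDescriptor

$findings = foreach ($obj in $pkiObjects) {
    # nTSecurityDescriptor is returned as System.DirectoryServices.ActiveDirectorySecurity
    foreach ($ace in $obj.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $dangerousRights) { continue }
        $who = $ace.IdentityReference.Value          # e.g. CORP\Domain Users
        if ($expectedPrincipals | Where-Object { $who -like "*$_" }) { continue }
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            # InheritanceType 'Descendents' means the ACE applies to child
            # objects, which is the Certificate Templates case described above.
            AppliesTo = $ace.InheritanceType
        }
    }
}

$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

An empty result means no principal outside the allow-list holds a write-equivalent right on any PKI object; each reported row identifies the object, the principal, and whether the right is inherited or applies to descendants.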