ESC8 is a misconfiguration in Active Directory Certificate Services (AD CS) that stems from insufficiently protected web enrollment services. Specifically, if a web enrollment service is reachable over HTTP, or over HTTPS without Channel Binding (Extended Protection for Authentication) enforced, NTLM authentication coerced from other hosts in the domain can be relayed to the enrollment service to request certificates on behalf of those principals, most commonly a domain controller's machine account.

Vulnerability Criteria

Any one of the following conditions constitutes an ESC8 vulnerability:
  • The Certification Authority Web Enrollment service is hosted over HTTP.
  • The Certification Authority Web Enrollment service is hosted over HTTPS without Channel Binding.
  • The Certificate Enrollment Service (CES) service is hosted over HTTPS without Channel Binding.
  • The Certificate Enrollment Policy (CEP) service is hosted over HTTPS without Channel Binding.
  • The Network Device Enrollment Service (NDES) server is hosted over HTTPS without Channel Binding.

Detection

Certify does not implement an abuse function for this vulnerability type (the relay itself is performed with other tooling, see Exploitation below), but it can enumerate misconfigured Certification Authority Web Enrollment services with the enum-cas --filter-vulnerable command. For more information about the command and its parameters, please refer to the Command Overview page.
Certify.exe enum-cas --filter-vulnerable --hide-admins
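Certify runs from a domain-joined Windows host; the following is an added example, not part of Certify, for confirming the first criterion from a Linux attacker box. It requests /certsrv/ over plain HTTP and checks whether the server answers 401 and offers NTLM (IIS usually advertises Negotiate and NTLM together). The hostname ca.corp.local is a placeholder. Note the caveat: Channel Binding on an HTTPS endpoint cannot be read from response headers, so this probe only covers the HTTP case, not the "HTTPS without Channel Binding" criteria.

```shell
#!/bin/sh
# Added example (not Certify code): does Web Enrollment offer NTLM over plain HTTP?

# Classify a raw HTTP response (headers only) passed as $1.
# Prints NTLM-OFFERED, NO-NTLM, or UNEXPECTED-<status>. Kept free of network
# calls so it can be exercised against constructed headers.
esc8_classify() {
    _hdrs=$(printf '%s' "$1" | tr -d '\r')
    _status=$(printf '%s\n' "$_hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')
    if [ "$_status" != "401" ]; then
        # 200/302/403 etc. means no NTLM challenge on this URL; relay is not possible here
        printf 'UNEXPECTED-%s\n' "${_status:-none}"
        return 0
    fi
    # Negotiate wraps NTLM on IIS, so either header is enough for a relay target
    if printf '%s\n' "$_hdrs" | grep -qiE '^WWW-Authenticate: *(NTLM|Negotiate)'; then
        printf 'NTLM-OFFERED\n'
    else
        printf 'NO-NTLM\n'
    fi
}

# Network probe: GET http://<ca>/certsrv/ and keep only the response headers.
# Usage: esc8_probe_http ca.corp.local   (hostname is hypothetical)
esc8_probe_http() {
    _resp=$(curl -sS -m 10 -o /dev/null -D - "http://$1/certsrv/") || return 1
    esc8_classify "$_resp"
}

# Constructed sample of what an exposed /certsrv/ typically returns over HTTP
# (not a captured response from any real environment).
ESC8_SAMPLE_401=$(printf 'HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/10.0\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\nContent-Length: 1293\r\n\r\n')
```

A result of NTLM-OFFERED over http:// is the ESC8 condition from the first bullet above; an UNEXPECTED-403 or a redirect to https:// means the HTTP path is closed and only the Channel Binding criteria remain to be checked.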

Exploitation

Once a vulnerable web enrollment service has been identified, the most common abuse chain is: use Coercer or PetitPotam to coerce a domain controller into authenticating (NTLM over SMB) to an attacker-controlled host, relay that authentication with ntlmrelayx to the AD CS web enrollment service (the /certsrv/certfnsh.asp enrollment handler), and request a certificate from the DomainController template (display name Domain Controller) as the DC's machine account. The resulting certificate authenticates as the domain controller via PKINIT, which yields a TGT (or, through U2U, the account's NT hash) with which a replication attack (DCSync) can be performed against the domain. Note that unauthenticated coercion via PetitPotam has been patched on current domain controllers; coercion from any low-privileged domain account still works, which is sufficient for this chain.