
ADCS ESC2: the certificate template that hands out admin access

A template with the Any Purpose EKU lets any low-privileged user enroll a certificate that authenticates as an admin. The certificate itself is the credential, so the fix is to repair the template and revoke what it has already issued.

A certificate template defines who can enroll and what the certificate can do. When a template lets ordinary users enroll and carries the Any Purpose EKU, a standard user can mint a certificate that authenticates to Active Directory as a privileged account.

How the attack works

The vulnerable template is enrollable by a broad low-privileged group, carries the Any Purpose EKU or no EKU at all, and requires no manager approval. Because Any Purpose permits client authentication, a normal user submits an enrollment request and the certificate authority issues a certificate they can authenticate with. The user then authenticates to a domain controller with that certificate and receives a Kerberos ticket for a privileged identity, gaining access they never legitimately held. The attacker re-enrolls more certificates for durability. In ATT&CK terms this is T1649, Steal or Forge Authentication Certificates, combined with T1078.002, Valid Accounts: Domain Accounts.

Why it works

An over-broad EKU plus low-privilege enrollment plus no approval combine into a privilege-escalation path open to everyone who can enroll. The issued certificate, not the user account, is the credential.

How to fix it

Disabling the enrolling account does nothing, because the certificate it already holds stays valid. Fix the template: remove the Any Purpose or no-EKU configuration, restrict enrollment to least privilege, and require manager approval. Then revoke the certificates already issued from it. The non-obvious catch is that revocation only helps where it is actually checked, so verify that the domain controllers enforce revocation, and plan to reissue or distrust the affected chains if enforcement is incomplete. Unlike a forged certificate, these certificates are recorded in the certificate authority's issuance log, which is your authoritative scoping source. Finally, audit the whole template fleet for the same misconfiguration.
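The fleet audit and the scoping step above, as an added PowerShell example written for this note (it is not code from the original field note or from the range scenario). It reads every template object from the Configuration partition with the ActiveDirectory module, flags the ESC2 combination the note describes (Any Purpose or empty EKU, no manager approval, Enroll granted to a broad group), and then uses certutil to list the certificates the CA actually issued from each flagged template so they can be revoked. The CA config string, the list of "broad" principals, and the revocation reason are assumptions you replace for your environment; the Certificate-Enrollment right GUID, the Any Purpose OID, and the CT_FLAG_PEND_ALL_REQUESTS bit are the published values.

```powershell
# Added example, not the note's own code: audit AD CS templates for the ESC2
# condition and scope certificates already issued from any template that matches.
# Assumes: ActiveDirectory module, certutil.exe, read access to the Configuration
# partition, and read access to the CA database. $CaConfig and $BroadPrincipals
# are placeholders to adjust for your environment.
Import-Module ActiveDirectory

$AnyPurposeOid   = '2.5.29.37.0'                                   # Any Purpose EKU
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right
$AllRightsGuid   = [guid]::Empty                                   # ExtendedRight ACE with no GUID = all extended rights
$PendAllRequests = 0x2                                             # CT_FLAG_PEND_ALL_REQUESTS (manager approval)
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers')  # assumption
$CaConfig        = 'CA01.corp.example\corp-CA01-CA'                # placeholder "Host\CA name"

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$templates = Get-ADObject -SearchBase $templateDn -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties pKIExtendedKeyUsage, 'msPKI-Enrollment-Flag', 'msPKI-Cert-Template-OID', nTSecurityDescriptor

$findings = foreach ($t in $templates) {
    $ekus = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    # ESC2 EKU condition: Any Purpose, or no EKU at all
    $ekuWeak = ($ekus.Count -eq 0) -or ($ekus -contains $AnyPurposeOid)
    if (-not $ekuWeak) { continue }

    $needsApproval = ([int]$t.'msPKI-Enrollment-Flag' -band $PendAllRequests) -ne 0

    # Who can enroll: Allow ACEs carrying the Certificate-Enrollment GUID, an
    # ExtendedRight ACE with the empty GUID, or GenericAll on the template object.
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $EnrollRightGuid -or
            (($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and $_.ObjectType -eq $AllRightsGuid) -or
            ($_.ActiveDirectoryRights -band $rights::GenericAll))
    } | ForEach-Object { $_.IdentityReference.Value }

    # Match "DOMAIN\Domain Users", "NT AUTHORITY\Authenticated Users", "Everyone", etc.
    $broad = @($enrollers | Where-Object {
        $p = $_
        $BroadPrincipals | Where-Object { $p -eq $_ -or $p -like "*\$_" }
    } | Sort-Object -Unique)

    # The CA database keys V2+ templates by OID and V1 templates by name.
    $dbKey = if ($t.'msPKI-Cert-Template-OID') { $t.'msPKI-Cert-Template-OID' } else { $t.Name }

    [pscustomobject]@{
        Template        = $t.Name
        EKU             = if ($ekus.Count) { $ekus -join ',' } else { '<none>' }
        ManagerApproval = $needsApproval
        BroadEnrollers  = $broad -join ';'
        Esc2            = (-not $needsApproval) -and ($broad.Count -gt 0)
        DbKey           = $dbKey
    }
}

$findings | Format-Table Template, EKU, ManagerApproval, BroadEnrollers, Esc2 -AutoSize

# Scope the blast radius from the CA's own issuance log: every certificate with
# Disposition 20 (issued) whose template matches a flagged one.
foreach ($f in $findings | Where-Object Esc2) {
    Write-Host "Issued certificates from template $($f.Template):"
    certutil -config $CaConfig -view -restrict "CertificateTemplate=$($f.DbKey),Disposition=20" `
        -out 'RequestID,RequesterName,SerialNumber,NotAfter' csv
}

# Once the template itself is fixed, revoke each listed serial and publish a new CRL.
# Reason 1 = key compromise; use 6 (certificate hold) if you want a reversible step first.
#   certutil -config $CaConfig -revoke <SerialNumber> 1
#   certutil -config $CaConfig -CRL
```

Run the audit first with a read-only account and review the BroadEnrollers column before touching anything: an ACE granting Enroll to a group like Domain Users is the condition that turns an over-broad EKU into an escalation path, so fixing that ACL and the EKU together is the durable change, and the certutil listing is the inventory you revoke against afterwards.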

Practice it

We built this as a GraphLattice Range scenario so administrators can rehearse the ESC2 detection and the fix-the-template-and-revoke containment.