Active Directory · Term

What is ESC2?

ESC2 is an Active Directory Certificate Services misconfiguration where a template is so permissive that a low-privileged user can request a certificate usable for almost anything, including authenticating as another account. Here is what ESC2 is, the abuse it allows, and how to fix it.

TL;DR

ESC2 is an AD CS template misconfiguration where a low-privileged user can enrol in a template that defines the "Any Purpose" Extended Key Usage (or no EKU at all). The issued certificate is not limited to one use, so it can be repurposed for client authentication to log in as the requester, or used in further abuse. Like ESC1 it turns a careless template into a path toward privilege, and Certipy finds and exploits it.

By John Dill, Red Team Lead, SecureLayer7

What ESC2 is

AD CS templates carry an Extended Key Usage (EKU) that restricts what a certificate can do (sign email, authenticate, and so on). A template is vulnerable to ESC2 when it grants the "Any Purpose" EKU, or no EKU at all (a subordinate-CA style certificate), while still allowing low-privileged users to enrol without manager approval.

An any-purpose certificate is not constrained to one job, so an attacker can use it for client authentication and beyond. It is the close cousin of ESC1, differing in *why* the certificate is dangerous: ESC1 lets you name the subject, ESC2 hands you a certificate with no usage limits.

The abuse and payload

An attacker enumerates templates, finds the any-purpose one they can enrol in, requests a certificate, and uses it to authenticate or to sign further certificates.

  • Find it: certipy find -u user@corp.local -p pass -dc-ip <ip> -vulnerable
  • Request the certificate: certipy req -u user@corp.local -p pass -ca CORP-CA -template AnyPurposeTemplate
  • Authenticate with it: certipy auth -pfx user.pfx -dc-ip <ip>

These are documented Certipy steps shown so defenders recognise the pattern.

How to defend

  • Audit templates for the Any Purpose EKU (or empty EKU) combined with low-privileged enrolment. Certipy and PSPKIAudit flag them.
  • Set a specific, minimal EKU on every authentication template instead of Any Purpose.
  • Require manager approval on sensitive templates.
  • Restrict enrolment so broad groups cannot request these certificates.
  • Monitor issuance of any-purpose certificates as a high-severity event.
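As an added illustration of the audit step (example code written for this page, not code from the page itself or from Certipy or PSPKIAudit), the check below evaluates the template attributes that decide ESC2 exposure: `pKIExtendedKeyUsage`, `msPKI-Enrollment-Flag` (manager approval bit) and `msPKI-RA-Signature`. It assumes the Enroll principals have already been resolved from each template's ACL, and the sample templates are constructed.

```python
from dataclasses import dataclass

ANY_PURPOSE_EKU = "2.5.29.37.0"          # Any Purpose
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"    # Client Authentication (shown for contrast)
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag bit: CA manager approval required
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}


@dataclass
class Template:
    name: str
    ekus: tuple                   # pKIExtendedKeyUsage OIDs; empty means no EKU at all
    enrollment_flag: int          # msPKI-Enrollment-Flag
    ra_signatures: int            # msPKI-RA-Signature (authorized signatures required)
    enroll_principals: frozenset  # holders of the Enroll right (assumed pre-resolved from the ACL)
    published: bool = True        # listed in some CA's certificateTemplates attribute


def esc2_reasons(t: Template) -> list:
    """Why a template is ESC2-exposed; an empty list means it is not."""
    if not t.published:
        return []
    if not t.ekus:
        eku_reason = "no EKU (subordinate-CA style certificate)"
    elif ANY_PURPOSE_EKU in t.ekus:
        eku_reason = "Any Purpose EKU"
    else:
        return []  # a specific, minimal EKU set is the fix recommended above
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS or t.ra_signatures > 0:
        return []  # manager approval or required signatures block unattended issuance
    broad = t.enroll_principals & LOW_PRIV_PRINCIPALS
    if not broad:
        return []
    return [eku_reason, "enrollable by " + ", ".join(sorted(broad))]


def audit(templates) -> dict:
    """Map each vulnerable template name to its findings."""
    return {t.name: r for t in templates if (r := esc2_reasons(t))}


# Constructed sample templates, not data from any real domain
SAMPLE_TEMPLATES = [
    Template("AnyPurposeTemplate", (ANY_PURPOSE_EKU,), 0, 0, frozenset({"Domain Users"})),
    Template("SubCA", (), 0, 0, frozenset({"Domain Admins", "Enterprise Admins"})),
    Template("User", (CLIENT_AUTH_EKU,), 0, 0, frozenset({"Domain Users"})),
    Template("AnyPurposeApproved", (ANY_PURPOSE_EKU,), CT_FLAG_PEND_ALL_REQUESTS, 0, frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(name, "->", "; ".join(reasons))
```

Only `AnyPurposeTemplate` is reported: `SubCA` has no EKU but is enrollable only by admins, `User` carries a specific EKU, and `AnyPurposeApproved` is gated by manager approval.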
