ESC4 is an AD CS abuse where an attacker holds write permissions over a certificate template (for example GenericWrite, WriteDACL, or WriteOwner). Instead of finding a misconfigured template, they make one: edit a safe template to become ESC1-vulnerable, request a certificate as a Domain Admin, then revert the template to hide the change. It links ACL abuse and AD CS into one escalation, and Certipy can perform the whole sequence.
What ESC4 is
Every certificate template is an Active Directory object with its own permissions. ESC4 exists when a low-privileged account has write control over a template: GenericWrite, GenericAll, WriteDACL, or WriteOwner.
With that control the attacker does not need a pre-existing misconfiguration. They temporarily reconfigure the template to allow supply-subject-in-request and low-privileged enrolment, turning it into ESC1, exploit it, then restore the original settings. It is ACL abuse pointed at the certificate system.
The abuse and payload
Certipy can weaponise the write access, exploit, and roll back:
- Make the template vulnerable (and save the original):
certipy template -u user@corp.local -p pass -template VulnTemplate -save-old - Run the ESC1 flow:
certipy req -u user@corp.local -p pass -ca CORP-CA -template VulnTemplate -upn administrator@corp.local - Authenticate, then restore the template to its prior state.
The revert is what makes ESC4 quiet. Shown here for defensive awareness.
How to defend
- Audit template permissions. No low-privileged principal should have GenericWrite, WriteDACL, WriteOwner, or GenericAll over a certificate template.
- Tighten template ACLs to the minimum administrative set.
- Monitor for changes to template objects, since the modification is the real attack signal.
- Run BloodHound and Certipy together to find who can write which templates.
References
- [1]Microsoft: Active Directory Certificate Services(Microsoft)
- [2]MITRE ATT&CK Enterprise Matrix(MITRE)
- [3]NIST SP 800-115 Technical Guide to Security Testing(NIST)