What is ESC5?

ESC5 is the case where the weakness is not a certificate template but one of the Active Directory objects the certificate authority depends on, such as the CA's computer account or the PKI containers in the Configuration partition. Control one of those objects and you can take control of the PKI. Here is what ESC5 is and how to defend against it.

TL;DR

ESC5 is an AD CS abuse where a low-privileged account holds dangerous rights over an AD object the PKI relies on rather than over a template: the CA's computer account, the PKI containers under CN=Public Key Services in the Configuration partition, or related objects. Compromising one of these can let an attacker alter CA behaviour, reach the CA host, or set up another ESC path. It is a reminder that certificate security depends on the access control of the objects around the CA, not just on templates.

By John Dill, Red Team Lead, SecureLayer7

What ESC5 is

A certificate authority does not stand alone. It depends on several Active Directory objects: the CA's computer account, the PKI containers under CN=Public Key Services,CN=Services in the Configuration partition (Certification Authorities, Enrollment Services, NTAuthCertificates, AIA, CDP), and the Certificate Templates container in that same location.

ESC5 is when a low-privileged principal has dangerous control (write, owner, WriteDacl, or full control) over one of those supporting objects. That control can be leveraged to take over the CA host, change what the CA trusts or publishes, or create another ESC condition. The vulnerability lies in the AD permissions surrounding the PKI, so the blast radius is wider than a single template.

The abuse and payload

ESC5 is less a single command and more a pivot: the attacker uses control of a PKI-adjacent object to reach the CA or to enable another path.

  • Enumerate PKI permissions: certipy find -u user@corp.local -p pass -dc-ip <ip> reports CA access rights (owner, ManageCA, ManageCertificates) and template ACLs; the ACLs on the PKI containers themselves still need a direct review.
  • If the attacker controls the CA host's computer account, they can pursue resource-based constrained delegation or a similar host takeover, then issue or forge certificates directly from the CA. Once on the host they can also change CA registry settings such as the flag behind ESC6.
  • If they control a configuration container, they can add trusted certificates (for example, publish a rogue CA certificate into NTAuthCertificates so certificates it issues are accepted for authentication) or add and modify templates to set up an ESC1- or ESC4-style condition.

The specifics depend on which object is exposed.

How to defend

  • Audit ACLs on every PKI object, not just templates: the CA host's computer account, the Public Key Services container and its children (Certification Authorities, Enrollment Services, NTAuthCertificates, Certificate Templates, AIA, CDP).
  • Treat the CA host as Tier 0 and protect its computer account like a Domain Controller's.
  • Remove write, owner, WriteDacl, and WriteOwner rights held by non-administrative principals on these objects.
  • Run BloodHound to find attack paths that lead to PKI objects and the CA host.
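The enumeration step above and the first two defensive bullets come down to the same check: which principals hold write-class rights or ownership on the PKI containers and the CA host's computer account. The following PowerShell script is an added example, not code from the original article or from Certipy; it assumes the RSAT ActiveDirectory module, a domain-joined session, and a CA host named CA01 (an assumption, replace it with yours). The list of "expected" principals is also an assumption to tune per environment; anything else that holds a dangerous right is emitted as a finding to review.

```powershell
# Added example: report non-admin principals with dangerous rights on PKI-adjacent AD objects.
# Assumes the ActiveDirectory (RSAT) module; $CaHostName is an assumed name.
Import-Module ActiveDirectory

$CaHostName = 'CA01'   # assumption: the CA host's computer account name

$config  = (Get-ADRootDSE).configurationNamingContext
$pkiRoot = "CN=Public Key Services,CN=Services,$config"

# Objects the CA depends on: the PKI containers and the CA host computer account
$targets = @(
    $pkiRoot,
    "CN=Certification Authorities,$pkiRoot",
    "CN=Enrollment Services,$pkiRoot",
    "CN=NTAuthCertificates,$pkiRoot",
    "CN=Certificate Templates,$pkiRoot",
    "CN=AIA,$pkiRoot",
    "CN=CDP,$pkiRoot"
)
$caHost   = Get-ADComputer -Identity $CaHostName -ErrorAction Stop
$targets += $caHost.DistinguishedName

# Rights that let a principal take over or reshape the object
$dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|CreateChild'

# Principals expected to hold such rights on PKI objects (assumption; tune per forest).
# Cert Publishers legitimately writes to NTAuthCertificates, so it is excluded here.
$expected = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|.*\\Enterprise Admins|.*\\Cert Publishers|.*\\Enterprise Key Admins|.*\\Key Admins)$'

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"

    # The owner can rewrite the DACL, so an unexpected owner is a finding on its own
    if ($acl.Owner -notmatch $expected) {
        [pscustomobject]@{ Object = $dn; Principal = $acl.Owner; Right = 'Owner'; Inherited = $false }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $dangerous) { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }
        [pscustomobject]@{
            Object    = $dn
            Principal = $ace.IdentityReference.Value
            Right     = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

WriteProperty entries scoped to a single attribute (a non-empty ObjectType GUID on the ACE) are coarser matches than GenericWrite and may be legitimate; review each one against the attribute it grants rather than removing it blindly. Entries flagged on the CA host's computer account deserve the same priority you would give an ACE on a Domain Controller.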
