Active Directory · Term

What is ESC6?

ESC6 is a single dangerous flag on the certificate authority that lets any requester add a subject alternative name to any certificate, effectively turning every template into ESC1. Here is what ESC6 is, the abuse, and the one setting to check.

TL;DR

ESC6 is an AD CS misconfiguration caused by the EDITF_ATTRIBUTESUBJECTALTNAME2 flag being set on the certificate authority. With this flag on, any requester can specify a Subject Alternative Name (SAN) in their request, regardless of the template. That means a low-privileged user can request a certificate and add administrator@corp.local as the SAN, then authenticate as that admin, turning essentially every authentication template into ESC1. The fix is one CA setting.

By John Dill, Red Team Lead, SecureLayer7

What ESC6 is

A certificate’s Subject Alternative Name (SAN) is the identity it authenticates as. Normally only specific templates let the requester supply it. The CA-wide flag EDITF_ATTRIBUTESUBJECTALTNAME2, when enabled, lets any request specify the SAN, overriding template restrictions.

That single flag undermines the whole template model: it does not matter that your templates are locked down, because the CA will honour an attacker-supplied SAN on any of them. ESC6 is therefore a CA-level switch, not a per-template issue.

The abuse and payload

With the flag set, the attacker requests a certificate on any enrollable authentication template and adds a privileged SAN:

  • Check the flag and templates: certipy find -u user@corp.local -p pass -dc-ip <ip> (reports the CA flags)
  • Request with a SAN naming an admin: certipy req -u user@corp.local -p pass -ca CORP-CA -template User -upn administrator@corp.local
  • Authenticate as the admin: certipy auth -pfx administrator.pfx

Documented Certipy steps for defensive recognition.

How to defend

  • Disable EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 then restart the CA service.
  • Verify with Certipy that the flag is reported off.
  • Monitor certificate issuance for requests carrying an unexpected SAN, especially a privileged identity.
  • Recheck after CA changes, since the flag can be re-enabled by misguided configuration.
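The two defensive checks above, verifying that the flag is off and reviewing issuance for an unexpected SAN, can be scripted. The following is an added example written for this page, not code from SecureLayer7 or from Certipy: it decodes the CA's EditFlags DWORD (the flag is bit 0x40000), and reviews issued-certificate records for a SAN request attribute that names an identity other than the requester. The certutil output line, the record field names and the sample records are all constructed for the example; the parser assumes the `EditFlags REG_DWORD = <hex> (<dec>)` layout that certutil prints and may need adjusting for your CA.

```python
"""Defender-side checks for ESC6 (constructed example, not from the original page)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 in the CA's policy\EditFlags DWORD.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000


def parse_editflags_output(text: str) -> int:
    """Extract the EditFlags DWORD from the text of `certutil -getreg policy\\EditFlags`.
    The line layout ('EditFlags REG_DWORD = 15014e (1376590)') is an assumption about
    certutil's output; adjust the pattern if your CA prints it differently."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    return int(m.group(1), 16)


def san_flag_enabled(edit_flags: int) -> bool:
    """True when the CA will honour a requester-supplied SAN on any template (ESC6)."""
    return bool(edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2)


@dataclass
class IssuanceRecord:
    """One issued-certificate record, e.g. the fields of a CA audit event or a row
    from the CA database. Field names are this example's own (assumed layout)."""
    request_id: int
    requester: str   # account that submitted the request, DOMAIN\sam form
    template: str
    attributes: str  # request attributes; a SAN override appears here as SAN:upn=...


PRIVILEGED_ACCOUNTS = {"administrator", "krbtgt"}


def requested_san_upn(record: IssuanceRecord) -> Optional[str]:
    """Return the UPN the requester asked for via the SAN request attribute, if any."""
    m = re.search(r"\bSAN:upn=([^\s,;]+)", record.attributes, re.IGNORECASE)
    return m.group(1) if m else None


def review_record(record: IssuanceRecord) -> Optional[str]:
    """Flag a request whose SAN attribute names an identity other than the requester."""
    upn = requested_san_upn(record)
    if upn is None:
        return None
    san_user = upn.split("@", 1)[0].lower()
    requester_user = record.requester.split("\\")[-1].lower()
    if san_user == requester_user:
        return None  # requester asked for their own UPN; not an impersonation attempt
    reason = f"SAN override to {upn} by {record.requester} on template {record.template}"
    if san_user in PRIVILEGED_ACCOUNTS:
        reason += " (privileged identity)"
    return reason


def review(records: List[IssuanceRecord]) -> List[Tuple[int, str]]:
    """Return (request_id, reason) for every record worth an analyst's attention."""
    findings = []
    for r in records:
        reason = review_record(r)
        if reason:
            findings.append((r.request_id, reason))
    return findings


# Constructed sample input: certutil output with the flag set, and four issuance records.
SAMPLE_CERTUTIL_OUTPUT = (
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration"
    "\\CORP-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:\n"
    "  EditFlags REG_DWORD = 15014e (1376590)\n"
)
SAMPLE_RECORDS = [
    IssuanceRecord(1001, "CORP\\jsmith", "User", "CertificateTemplate:User"),
    IssuanceRecord(1002, "CORP\\jsmith", "User",
                   "CertificateTemplate:User\nSAN:upn=administrator@corp.local"),
    IssuanceRecord(1003, "CORP\\jsmith", "User",
                   "CertificateTemplate:User\nSAN:upn=jsmith@corp.local"),
    IssuanceRecord(1004, "CORP\\svc-web", "WebServer",
                   "CertificateTemplate:WebServer\nSAN:dns=intranet.corp.local"),
]

if __name__ == "__main__":
    flags = parse_editflags_output(SAMPLE_CERTUTIL_OUTPUT)
    print(f"EditFlags=0x{flags:x} ESC6 flag set: {san_flag_enabled(flags)}")
    for request_id, reason in review(SAMPLE_RECORDS):
        print(f"request {request_id}: {reason}")
```

Only request 1002 is reported: record 1003 carries a SAN attribute too, but it names the requester's own UPN, and record 1004 carries a DNS SAN with no UPN. Run the flag check again after any CA change, since the EditFlags value can be flipped back by later configuration work.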
