Active Directory · Term

What is ESC7?

ESC7 is when a low-privileged user holds management rights on the certificate authority itself, such as Manage CA or Manage Certificates. Those rights can be turned into a domain compromise. Here is what ESC7 is, how it is abused, and how to restrict CA roles.

TL;DR

ESC7 is an AD CS abuse where a low-privileged account holds CA management rights: Manage CA (ManageCA) or Manage Certificates (ManageCertificates). With these, an attacker can enable the dangerous ESC6 SAN flag, approve their own pending certificate requests, or otherwise bend the CA to issue a privileged certificate. CA roles are powerful and often over-granted, which is why auditing who holds them is essential. Certipy can drive the abuse.

By John Dill, Red Team Lead, SecureLayer7

What ESC7 is

A certificate authority has its own administrative roles, separate from template permissions:

  • Manage CA (ManageCA): full CA administration, including changing CA configuration flags.
  • Manage Certificates (ManageCertificates): approve or deny pending certificate requests.

ESC7 is when a low-privileged principal holds one of these. Manage CA lets the attacker enable the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (creating ESC6) or add themselves as a certificate manager; Manage Certificates lets them approve a request they submitted that would otherwise need sign-off. Either way, CA administration becomes an escalation path.

The abuse and payload

Certipy can leverage CA rights directly. Common chains:

  • With Manage CA, enable the SAN flag (then exploit as ESC6): certipy ca -u user@corp.local -p pass -ca CORP-CA -enable-template ... / set the EditFlags
  • Add an officer / approve own request with Manage Certificates: certipy ca -ca CORP-CA -issue-request <id>
  • Then request a privileged certificate and authenticate.

The exact commands depend on which right is held. Shown for defensive awareness.

How to defend

  • Audit who holds Manage CA and Manage Certificates. They should belong to a small, trusted administrative set only.
  • Remove these rights from low-privileged or service accounts.
  • Require separation of duties so the same person cannot both submit and approve sensitive requests.
  • Monitor CA configuration changes (especially the SAN flag) and certificate approvals.
  • Enumerate with Certipy, which reports CA role holders.
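An added example for the audit and monitoring items above (not code from the original page or from SecureLayer7): a PowerShell check to run in an elevated session on the CA host itself. It reads the CertSvc registry configuration, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and lists every principal whose ACE carries the Manage CA (CA_ACCESS_ADMIN, 0x1) or Manage Certificates (CA_ACCESS_OFFICER, 0x2) bit. The default Microsoft policy module path and the `$expected` list of role holders are assumptions to adjust for your environment.

```powershell
# Added example: audit one CA for ESC7 exposure. Run locally on the CA server, elevated.
# Registry layout and CA_ACCESS_* mask values follow the CertSvc configuration and certsrv.h.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active   # 'Active' holds the CA common name
$caKey  = Join-Path $base $caName

# 1. ESC6 flag: EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000) in the policy module's EditFlags.
#    Assumption: the default Microsoft policy module is in use.
$policyKey  = Join-Path $caKey 'PolicyModules\CertificateAuthority_MicrosoftDefault.Policy'
$editFlags  = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
$sanEnabled = ($editFlags -band 0x40000) -ne 0
$flagTag    = if ($sanEnabled) { 'REVIEW' } else { 'ok' }
"[{0}] EDITF_ATTRIBUTESUBJECTALTNAME2 on {1} (EditFlags=0x{2:X})" -f $flagTag, $caName, $editFlags

# 2. CA role holders: the 'Security' value is a binary security descriptor; the access mask
#    bits of interest are CA_ACCESS_ADMIN (Manage CA) = 0x1 and CA_ACCESS_OFFICER
#    (Manage Certificates) = 0x2.
$rights  = @{ 0x1 = 'ManageCA'; 0x2 = 'ManageCertificates' }
$sdBytes = (Get-ItemProperty -Path $caKey -Name Security).Security
$sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor($sdBytes, 0)

# Principals that are expected to hold CA roles; anything else is flagged for review.
# Assumption: adjust this list to your own administrative tier.
$expected = @('BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins",
              "$env:USERDOMAIN\Enterprise Admins")

foreach ($ace in $sd.DiscretionaryAcl) {
    # Only allow ACEs grant rights; deny ACEs and inherited-only entries are skipped here.
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
    $held = $rights.Keys | Where-Object { ($ace.AccessMask -band $_) -ne 0 } |
            ForEach-Object { $rights[$_] }
    if (-not $held) { continue }
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID (e.g. deleted account): show raw
    $tag = if ($expected -contains $who) { 'ok' } else { 'REVIEW' }
    "[{0}] {1}: {2}" -f $tag, $who, ($held -join ', ')
}
```

Every "REVIEW" line is either the SAN flag being set or a principal outside the expected administrative set holding a CA role; both are the conditions the defence list above says to eliminate.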

Test your Active Directory before an attacker does.

We run internal and Active Directory penetration tests that follow the real path from one low-privilege user to Domain Admin, then hand your team a report with reproducible evidence and a fix for every step. Free re-test included.

30-min scoping call, fixed-price proposal in 48 hours.