H3-2022-0020

Active Directory Certificate Services Misconfigured Template Access Controls

Category	SECURITY_MISCONFIGURATION
Base Score	7.5

Description

Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. ADCS Certificate Templates are securable objects in the AD. If the Access Control Entries allow unintended, or otherwise unprivileged, AD principals to edit sensitive security settings, the template could be used by an attacker for domain privilege escalation.

Impact

An unprivileged user with 'Write' or 'Full Control' ACE privileges could overwrite the template's security features - allowing for Domain Privilege Escalation (via ESC1) if other mitigating factors are not in place.

References

• Certified Pre-Owned: Abusing Active Directory Certificate Services
• SpectreOps - Certified Pre-Owned
• Certipy