ESC13 Privilege Escalation | ADCS Attack Series

Hey everyone, welcome back to the Active Directory Certificate Services (ADCS) attack series.
In this video, we cover ESC13, an attack that involves abusing enrollment permissions over a certificate template that has an OID Group Link configured.

First, we break down the theory.
An issuance policy adds additional conditions for issuing certificates. An OID Group Link connects that issuance policy to an Active Directory group. This means that anyone who authenticates using a certificate containing that issuance policy will be treated as a member of the linked AD group.

The vulnerability appears when enrollment permissions are misconfigured and the OID-linked group has high privileges, such as Enterprise Admins. In that scenario, an attacker can enroll in the template, obtain a certificate with the issuance policy, and effectively gain membership in that privileged group — potentially leading to full domain compromise.

As always, we’ll walk through how the attack works and discuss how to mitigate and properly secure these configurations.

🔗 SpecterOps Article:
https://specterops.io/blog/2024/02/14/adcs-esc13-abuse-technique/

⚠️ This video is for educational purposes only. All demonstrations are performed in controlled lab environments. Do not attempt these techniques on systems you do not own or have explicit permission to test.

Видео ESC13 Privilege Escalation | ADCS Attack Series канала ruatelo