Part 4: ESC4 Attack Explained | Privilege Escalation via Template ACL Misconfigurations

This is the fourth video in my Active Directory Certificate Services (ADCS) exploitation series, and in this episode we take a deep dive into ESC4 — a privilege escalation technique caused by misconfigured ACLs on certificate template objects.

ESC4 occurs when a low-privileged or regular user is granted write permissions over a certificate template in Active Directory. With these permissions, an attacker can modify the template configuration and make it vulnerable to other ADCS escalation paths such as ESC1, or ESC2.

In this demo, I walk through a vulnerable template (Vulnerable4) that appears safe at first glance. However, when we examine the Active Directory object backing the template, we see that Authenticated Users have Full Control access — meaning any user in the domain can alter the template. I show how to update the template to intentionally make it ESC1‑vulnerable, and then use Certipy to complete the attack chain.

We finish with practical mitigation and hardening guidance, including how to lock down template ACLs and restore secure configuration.

If you need an overview of how ADCS works or missed earlier escalation vectors, check out Part 1 of the series where I explain the fundamentals.

Видео Part 4: ESC4 Attack Explained | Privilege Escalation via Template ACL Misconfigurations канала ruatelo