Heavy Elements: The Attacks That Matter Most
These five vulnerabilities represent the most commonly exploited, highest-impact attack paths. If you only have time to check a few things, check these first.
ESC1 Attack Flow (diagram not captured in text; surviving labels: "I'm admin", "admin cert")
🔧 Fix (in order of priority):
1. Quick win: Remove enrollment rights from "Authenticated Users" or "Domain Users" on vulnerable templates. Takes 2 minutes, breaks nothing if template isn't widely used.
2. Proper fix: Uncheck "Supply in the request" on any template that allows login (has Client Authentication EKU). Use "Build from Active Directory" instead.
Most certificates are issued through one of these paths, none of which uses the web enrollment pages:
• Autoenrollment (GPO-based, automatic, most common)
• MMC Certificates snap-in (manual, for admins)
• certreq.exe (command line)
Web enrollment is typically only needed if: (1) non-domain-joined devices need certificates (e.g., printers, appliances, DMZ servers), or (2) you have a specific legacy application that requires it. Ask your PKI team whether anyone actually uses the web interface before disabling it. If you disable it, make sure those devices have an alternative enrollment path.
ESC8 Attack Flow (diagram not captured in text; surviving labels: "to connect", "/certsrv/")
🔧 Fix (in order of priority):
1. Best option: Disable web enrollment entirely if no one uses it. IIS Manager → Stop the site, or uninstall the role.
2. If you need web enrollment: Enable HTTPS + Extended Protection for Authentication (EPA). Important: EPA requires HTTPS to be enabled first—enabling EPA without configuring SSL will silently break web enrollment.
3. Long-term: Disable NTLM entirely to the CA (requires Kerberos, won't work for non-domain machines).
Enabling EPA: Older browsers/clients may not support it. Test first. Some legacy enrollment tools may fail.
Disabling NTLM: Non-domain-joined machines can't authenticate via Kerberos, so they won't be able to use web enrollment at all.
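The "EPA requires HTTPS first" ordering above is easy to get wrong by hand, so here is an added example (not code from the page or from any vendor) that applies fix 2 in the safe order on the CA web server: it refuses to continue unless an HTTPS binding exists, then requires SSL on /certsrv, then sets Extended Protection to Require, and finally reads both settings back. It assumes the WebAdministration module and the default site name 'Default Web Site' with the application path 'CertSrv'; adjust both if your CA uses different names.

```powershell
# Added example: enable HTTPS + EPA on the AD CS web enrollment application.
# Assumptions: WebAdministration module, site 'Default Web Site', app path 'CertSrv'.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$AppPath  = 'CertSrv'
$Location = "$SiteName/$AppPath"
$AppHost  = 'MACHINE/WEBROOT/APPHOST'

# 1. EPA without TLS silently breaks enrollment, so stop here if the site has no HTTPS binding.
$https = Get-WebBinding -Name $SiteName -Protocol https
if (-not $https) {
    throw "No HTTPS binding on '$SiteName'. Bind a server certificate first (IIS Manager > Bindings), then rerun."
}
Write-Host "HTTPS binding present: $($https.bindingInformation -join ', ')"

# 2. Require SSL for /certsrv so the enrollment pages are no longer reachable over plain HTTP.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 3. Turn on Extended Protection for Windows authentication on /certsrv (tokenChecking=Require).
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
    -Name 'tokenChecking' -Value 'Require'

# 4. Read both settings back for the change record.
function Get-ConfigValue([string]$Filter, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name $Name
    if ($v.PSObject.Properties['Value']) { $v = $v.Value }   # some attributes come back wrapped
    return "$v"
}
[PSCustomObject]@{
    Location           = $Location
    SslFlags           = Get-ConfigValue 'system.webServer/security/access' 'sslFlags'
    ExtendedProtection = Get-ConfigValue 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' 'tokenChecking'
}
```

After running it, test enrollment from one of the legacy clients mentioned above before closing the change: the caveat that older clients may not support EPA still applies, and the script does nothing to detect that.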
ESC6 Attack Flow (diagram not captured in text; surviving labels: "to request", "identity")
```cmd
certutil -config "CA-Server\CA-Name" -getreg policy\EditFlags
REM If EDITF_ATTRIBUTESUBJECTALTNAME2 appears in the output, clear the flag and restart the CA service:
certutil -config "CA-Server\CA-Name" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc && net start certsvc
```
🔧 Fix:
Just disable it. One command, restart CA service, done. There's almost never a legitimate reason to have this enabled.
ESC4 Attack Flow (diagram not captured in text; surviving labels: "template", "ESC1")
🔧 Fix:
Audit template ACLs. Only Enterprise Admins, Domain Admins, and CA administrators should have write access. Remove write permissions (GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty) for Domain Computers, Authenticated Users, Domain Users, etc. Important: Check for inherited ACLs from parent containers. GenericWrite arriving via inheritance is a common oversight.
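An added example (not code from the page and not Locksmith's) that does the ESC1 and ESC4 template review in one pass over every template in the Configuration partition: it flags the ESC1 shape (enrollee supplies subject, an authentication-capable EKU or no EKU, no manager approval, no authorized signatures, and enrollment granted to a broad group) and separately flags any write-class right held by a broad group, reporting whether the ACE was inherited. It assumes the ActiveDirectory RSAT module and a domain-joined account that can read the Configuration partition; the `$BroadGroups` list is an assumption you should extend for your environment.

```powershell
# Added example: report ESC1-shaped templates and ESC4 write rights held by broad groups.
# Assumptions: ActiveDirectory module; read access to CN=Configuration.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Template flag bits: msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2

# EKUs that let the issued certificate log on (Client Auth, Smart Card Logon, PKINIT, Any Purpose)
$AuthEkus = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuids = '0e10c968-78fb-11d2-90d4-00c04f79dc55', 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Principals that amount to "anyone in the domain" (assumed list; extend as needed)
$BroadGroups = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Test-BroadPrincipal([string]$Identity) {
    foreach ($g in $BroadGroups) { if ($Identity -eq $g -or $Identity -like "*\$g") { return $true } }
    return $false
}

$R = [System.DirectoryServices.ActiveDirectoryRights]
$WriteMask = $R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner -bor $R::WriteProperty

$templates = Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'

foreach ($t in $templates) {
    $ekus    = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $canAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkus -contains $_ }).Count -gt 0)
    $esc1Shape = (($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0) -and
                 $canAuth -and
                 (($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -eq 0) -and
                 ([int]$t.'msPKI-RA-Signature' -eq 0)

    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-BroadPrincipal $ace.IdentityReference.Value)) { continue }

        # Enrollment = GenericAll, or the Enroll/AutoEnroll extended right (empty GUID = all extended rights)
        $isEnroll = (($ace.ActiveDirectoryRights -band $R::GenericAll) -ne 0) -or
                    ((($ace.ActiveDirectoryRights -band $R::ExtendedRight) -ne 0) -and
                     ($ace.ObjectType -eq [guid]::Empty -or $EnrollGuids -contains $ace.ObjectType.ToString()))
        # Write-class rights; a WriteProperty hit may be scoped to one attribute, so check ObjectType when triaging
        $isWrite  = ($ace.ActiveDirectoryRights -band $WriteMask) -ne 0

        if ($esc1Shape -and $isEnroll) {
            [PSCustomObject]@{ Finding = 'ESC1'; Template = $t.Name; Principal = $ace.IdentityReference.Value
                               Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
        }
        if ($isWrite) {
            [PSCustomObject]@{ Finding = 'ESC4'; Template = $t.Name; Principal = $ace.IdentityReference.Value
                               Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
        }
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` for the ticket. An ESC4 row with Inherited = True is the inherited-ACL case called out above: fix it on the parent container, not on the template.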
Two CA permissions matter for ESC7:
• ManageCA: Can change CA settings, including enabling ESC6. This is effectively full control of the CA.
• ManageCertificates: Can approve pending certificate requests. If a template requires manager approval, this bypasses it.
ESC7 Attack Flow (ManageCA) (diagram not captured in text; surviving labels: "ESC6 flag", "ESC6")
🔧 Fix:
Audit CA permissions: Open certsrv.msc → Right-click CA → Properties → Security tab. Only dedicated PKI administrators should have ManageCA. Document who has ManageCertificates and why.
Run `Invoke-Locksmith -Scans ESC1,ESC4,ESC6,ESC7,ESC8` to check all five Heavy Elements at once.
Understanding AD CS
Why Certificate Attacks Are Devastating
Survives Password Reset
Certificates work independently of passwords. Default validity is 1+ years. Even after password change, the certificate still works.
Golden Certificates
If the CA's private key is stolen, attackers can forge certificates for any user. These can't be revoked because they were never issued.
Poor Visibility
Most organizations don't monitor certificate issuance. Attackers operate in a blind spot.
Everywhere & Misconfigured
AD CS is common in enterprises. From the Certified Pre-Owned whitepaper: "In nearly every network so far, AD privilege escalation was possible."
Other Template Attacks (ESC2-3, ESC9-10, ESC13, ESC15)
Beyond ESC1 (Heavy Elements), these template issues can also lead to escalation.
ESC2: Any Purpose / No EKU
Templates with the "Any Purpose" EKU (OID 2.5.29.37.0) can be used for any purpose, including client authentication. Templates with no EKU (SubCA) can also be used for any purpose and could sign new certificates, though certificates signed that way won't work for domain authentication unless the SubCA is trusted by NTAuthCertificates.
Fix:
Don't grant enrollment rights to unprivileged users on Any Purpose or no-EKU templates. Review templates for SubCA configurations.
ESC3: Enrollment Agent
Enrollment agent certificates let you request certificates on behalf of other users. Two-step attack: obtain an agent certificate, then request a certificate as anyone.
Fix:
Restrict enrollment agent templates. Configure Enrollment Agent Restrictions on the CA.
ESC9: No Security Extension
Template has the CT_FLAG_NO_SECURITY_EXTENSION flag (0x80000) set in msPKI-Enrollment-Flag, preventing the SID security extension from being embedded in issued certificates. Combined with GenericWrite on another user, this allows impersonation via UPN manipulation. Discovered by Oliver Lyak.
Fix:
Remove CT_FLAG_NO_SECURITY_EXTENSION flag from templates. Set StrongCertificateBindingEnforcement = 2 on all DCs.
ESC10: Weak Certificate Mapping
The DC registry setting StrongCertificateBindingEnforcement = 0 or 1 allows weaker certificate mapping methods. Combined with GenericWrite on another user, this enables impersonation. Discovered by Oliver Lyak.
Fix:
Set StrongCertificateBindingEnforcement = 2 on all DCs. Apply KB5014754. Note: Full enforcement becomes mandatory September 2025.
ESC13: OID Group Link
Exploits Authentication Mechanism Assurance (AMA), where issuance policies are linked to AD groups: a certificate issued under a linked policy grants membership of that group at logon.
Fix:
Audit OID objects for msDS-OIDToGroupLink. Don't link policies to privileged groups.
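The audit above, as an added example (not code from the page): it lists every issuance-policy OID object under CN=OID that carries msDS-OIDToGroupLink, resolves the linked group, marks groups with adminCount=1 as protected, and shows which templates include that policy in msPKI-Certificate-Policy. It assumes the ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example: find issuance policies linked to groups (ESC13) and the templates that carry them.
# Assumptions: ActiveDirectory module; read access to CN=Configuration.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Only OID objects that actually have a group link matter here
$linkedOids = Get-ADObject -SearchBase "CN=OID,$pkiBase" -LDAPFilter '(msDS-OIDToGroupLink=*)' `
    -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink', 'displayName'

foreach ($oid in $linkedOids) {
    $policyOid = $oid.'msPKI-Cert-Template-OID'
    $group     = Get-ADGroup -Identity $oid.'msDS-OIDToGroupLink' -Properties adminCount -ErrorAction SilentlyContinue

    # Templates whose issuance-policy list includes this OID can mint certificates that confer the group
    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(msPKI-Certificate-Policy=$policyOid)" | Select-Object -ExpandProperty Name

    $groupName = if ($group) { $group.Name } else { "<unresolved: $($oid.'msDS-OIDToGroupLink')>" }
    $protected = if ($group) { ($group.adminCount -eq 1) } else { $null }

    [PSCustomObject]@{
        Policy      = $oid.displayName
        OID         = $policyOid
        LinkedGroup = $groupName
        Protected   = $protected          # True = privileged group; remove the link or the broad enrollment
        Templates   = ($templates -join ', ')
    }
}
```

A row with Protected = True and a template that unprivileged users can enroll in is the ESC13 condition the fix above is about.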
ESC15: EKUwu (v1 Template Application Policies)
Schema version 1 certificate templates allow requesters to inject Application Policy OIDs into the CSR, and the CA prefers these over the template's configured EKUs. Discovered by Justin Bollinger at TrustedSec. Unlike ESC2 (an explicit misconfiguration), ESC15 is a bug in how v1 templates process requests.
Fix:
Apply November 2024 patch (CVE-2024-49019). Alternatively, clone v1 templates to v2 (cloning automatically upgrades schema version and removes the vulnerability).
Other CA Attacks (ESC12, ESC16)
ESC12: YubiHSM Access
Shell access to a CA that stores its key in a YubiHSM may allow private key access. Requires CA compromise first.
Fix:
Treat CA servers as Tier 0. Restrict access. Consider network HSMs.
ESC16: Security Extension Disabled on CA
If the CA's DisableExtensionList includes the SID extension OID, ALL certificates it issues lack the security binding. Every template effectively becomes ESC9-vulnerable.
Fix:
Ensure 1.3.6.1.4.1.311.25.2 is NOT in DisableExtensionList.
ESC11: NTLM Relay to RPC
Like ESC8, but targets the CA's RPC interface instead of HTTP. Vulnerable when the CA doesn't enforce RPC encryption.
Fix (run on the CA):
```cmd
certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
net stop certsvc && net start certsvc
```
Other ACL Attacks (ESC5, ESC14)
ESC5: PKI Object ACLs
Other PKI objects can be targeted: the CA computer object (RBCD), NTAuthCertificates (trusting a rogue CA), and the PKI containers themselves.
Fix:
Audit ACLs on objects under CN=Public Key Services,CN=Services,CN=Configuration.
ESC14: altSecurityIdentities
Write access to altSecurityIdentities allows configuring an explicit certificate mapping on an account for impersonation.
Fix:
Restrict write access. Monitor changes via Event ID 5136.
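Alongside restricting write access, it helps to know what explicit mappings already exist. The following added example (not code from the page) enumerates every object with altSecurityIdentities set and classifies each mapping as strong or weak using the mapping formats named in KB5014754 (X509IssuerSerialNumber, X509SKI and X509SHA1PublicKey are strong; X509IssuerSubject, X509SubjectOnly and X509RFC822 are weak). It assumes the ActiveDirectory module; the regular expressions follow the documented `X509:<tag>` value syntax.

```powershell
# Added example: inventory altSecurityIdentities mappings and rate them strong/weak per KB5014754.
# Assumptions: ActiveDirectory module; mapping values follow the documented X509:<tag> syntax.
Import-Module ActiveDirectory

$StrongTypes = 'X509IssuerSerialNumber', 'X509SKI', 'X509SHA1PublicKey'

$accounts = Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities

foreach ($acct in $accounts) {
    foreach ($mapping in $acct.altSecurityIdentities) {
        # The tag(s) after "X509:" decide the mapping type, e.g. X509:<I>...<SR>... or X509:<SKI>...
        $type = switch -Regex ($mapping) {
            '^X509:<I>.*<SR>'    { 'X509IssuerSerialNumber'; break }
            '^X509:<SKI>'        { 'X509SKI';                break }
            '^X509:<SHA1-PUKEY>' { 'X509SHA1PublicKey';      break }
            '^X509:<I>.*<S>'     { 'X509IssuerSubject';      break }
            '^X509:<S>'          { 'X509SubjectOnly';        break }
            '^X509:<RFC822>'     { 'X509RFC822';             break }
            default              { 'Unknown' }
        }
        $strength = if ($StrongTypes -contains $type) { 'strong' } else { 'weak' }

        [PSCustomObject]@{
            Account  = $acct.Name
            Class    = $acct.ObjectClass
            Type     = $type
            Strength = $strength   # weak mappings stop working under StrongCertificateBindingEnforcement = 2
            Mapping  = $mapping
        }
    }
}
```

Weak rows are both the ESC14 exposure and the entries that will break when the DCs move to full enforcement, so the same list feeds the StrongCertificateBindingEnforcement rollout.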
Complete ESC Reference
| ESC | Name | Category | Severity | Notes |
|---|---|---|---|---|
| ESC1 | Enrollee Supplies Subject | Template | CRITICAL | ☢ Heavy Element |
| ESC2 | Any Purpose / No EKU | Template | HIGH | |
| ESC3 | Enrollment Agent | Template | HIGH | |
| ESC4 | Template ACL Abuse | ACL | HIGH | ☢ Heavy Element |
| ESC5 | PKI Object ACLs | ACL | HIGH | |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 | CA | CRITICAL | ☢ Heavy Element (mitigated by KB5014754 alone, but dangerous with ESC9/16) |
| ESC7 | CA ACL Abuse | ACL | CRITICAL | ☢ Heavy Element |
| ESC8 | NTLM Relay to HTTP | Relay | CRITICAL | ☢ Heavy Element |
| ESC9 | No Security Extension | Template | MEDIUM | KB5014754 |
| ESC10 | Weak Cert Mapping | Registry | MEDIUM | DC setting |
| ESC11 | NTLM Relay to RPC | Relay | CRITICAL | CA flag |
| ESC12 | YubiHSM Access | CA | CRITICAL | Needs shell |
| ESC13 | OID Group Link | Template | MEDIUM | AMA |
| ESC14 | altSecurityIdentities | ACL | MEDIUM | |
| ESC15 | EKUwu | Template | HIGH | Patched |
| ESC16 | Security Ext Disabled | CA | CRITICAL | |
Prioritized Mitigation Strategy
Fixes ordered by impact and ease of implementation. Start at the top.
🟢 Quick Wins (Do These Today)
Low risk, high impact, minimal testing required.
| Fix | Addresses | Risk | Time |
|---|---|---|---|
| Disable EDITF_ATTRIBUTESUBJECTALTNAME2 | ESC6 | Very Low | 5 min |
| Audit template ACLs, remove non-admin write | ESC4 | None | 30 min |
| Audit CA permissions (ManageCA/ManageCerts) | ESC7 | Low | 30 min |
| Enable IF_ENFORCEENCRYPTICERTREQUEST | ESC11 | Low | 5 min |
| Check DisableExtensionList for SID OID | ESC16 | None | 5 min |
Run `Invoke-Locksmith -Scans ESC4,ESC6,ESC7,ESC11,ESC16 -Mode 1` to check these five at once.
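If you prefer a read-only check that does not depend on Locksmith, here is an added example (not code from the page or from Locksmith) that queries every enterprise CA registered in AD for the CA-side settings in the Quick Wins table and in the ESC6 section above: EDITF_ATTRIBUTESUBJECTALTNAME2 (ESC6), IF_ENFORCEENCRYPTICERTREQUEST (ESC11) and the SID extension OID in DisableExtensionList (ESC16), plus the decoded CA security descriptor lines for the ESC7 permission review. It runs `certutil -getreg` against each CA and assumes the ActiveDirectory module, rights to read CA configuration, and that certutil prints "CA Administrator" / "Certificate Manager" / "Full Control" in its decoded ACL listing (an assumption; check one CA by hand first).

```powershell
# Added example: read ESC6 / ESC11 / ESC16 settings and the ESC7 ACL from every enterprise CA.
# Assumptions: ActiveDirectory module; read rights on each CA; certutil's decoded ACL wording.
Import-Module ActiveDirectory

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
$configNC = (Get-ADRootDSE).configurationNamingContext
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName

function Get-CaReg {
    param([string]$Config, [string]$Path)
    # certutil prints the raw value and, for flag DWORDs, the decoded flag names
    $text = & certutil.exe -config $Config -getreg $Path 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return $null }   # value absent or access denied
    return $text
}

function Test-Contains {
    param([string]$Text, [string]$Pattern)
    if ([string]::IsNullOrEmpty($Text)) { return 'unreadable/not set' }
    return [bool]($Text -match [regex]::Escape($Pattern))
}

foreach ($ca in $cas) {
    $config     = "$($ca.dNSHostName)\$($ca.Name)"
    $editFlags  = Get-CaReg $config 'policy\EditFlags'
    $ifaceFlags = Get-CaReg $config 'CA\InterfaceFlags'
    $disabled   = Get-CaReg $config 'policy\DisableExtensionList'
    $security   = Get-CaReg $config 'CA\Security'

    # ESC7: keep only the decoded ACL lines that grant ManageCA / ManageCertificates
    $esc7 = if ($security) {
        (($security -split "`r?`n") -match 'Full Control|CA Administrator|Certificate Manager') -join '; '
    } else { 'unreadable' }

    [PSCustomObject]@{
        CA                          = $config
        ESC6_SanFlagEnabled         = Test-Contains $editFlags  'EDITF_ATTRIBUTESUBJECTALTNAME2'  # want False
        ESC11_RpcEncryptionEnforced = Test-Contains $ifaceFlags 'IF_ENFORCEENCRYPTICERTREQUEST'   # want True
        ESC16_SidExtensionDisabled  = Test-Contains $disabled   $SidExtensionOid                  # want False / not set
        ESC7_ManageAces             = $esc7
    }
}
```

For ESC16, "unreadable/not set" on a CA you can otherwise read simply means DisableExtensionList does not exist, which is the desired state.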
🟡 Moderate Effort (This Week)
May need coordination or testing, but straightforward.
| Fix | Addresses | Risk | Notes |
|---|---|---|---|
| Remove "Supply in request" from auth templates | ESC1 | Low | Web server certs may need different enrollment method |
| Remove enrollment rights from default templates | ESC1, ESC15 | Low | Clone templates and grant enrollment on clones instead |
| Disable HTTP web enrollment OR enable EPA | ESC8 | Medium | Check if anyone actually uses /certsrv/ first |
| Apply November 2024 patch | ESC15 | Standard | Test in non-prod like any patch |
🔴 Long-Term Projects
Significant testing required, but important for defense in depth.
| Fix | Addresses | Risk | Notes |
|---|---|---|---|
| StrongCertificateBindingEnforcement = 2 | ESC9, ESC10, ESC16 | High | Test in Compatibility Mode first (value=1), monitor Event ID 39. ⚠️ Becomes mandatory September 9, 2025! |
| Disable NTLM to CA entirely | ESC8 | High | Requires Kerberos; breaks non-domain machines |
| Configure Enrollment Agent Restrictions | ESC3 | Medium | Configured per-CA (not per-template). Coordinate with smart card team. |
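The StrongCertificateBindingEnforcement row above (and the ESC9/ESC10 fixes earlier) say to sit in Compatibility Mode and watch Event ID 39 before enforcing. This added example (not code from the page) inventories the current value on every domain controller and counts Event 39 entries over the last seven days on each, so the go/no-go decision is based on data; the actual change is left as a commented line. It assumes the ActiveDirectory module, WinRM access to the DCs, and KB5014754 installed (the value lives under HKLM\SYSTEM\CurrentControlSet\Services\Kdc; Event 39 is logged by the KDC provider in the System log).

```powershell
# Added example: per-DC StrongCertificateBindingEnforcement value and recent Event 39 count.
# Assumptions: ActiveDirectory module; WinRM to each DC; KB5014754 installed.
Import-Module ActiveDirectory

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'
$Since     = (Get-Date).AddDays(-7)
$ModeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full enforcement' }

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $RegPath, $ValueName, $Since -ScriptBlock {
    param($RegPath, $ValueName, $Since)
    $value = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    # Event 39: a certificate could not be strongly mapped to an account
    $ev39 = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id = 39; StartTime = $Since
    } -ErrorAction SilentlyContinue
    $count = if ($ev39) { @($ev39).Count } else { 0 }   # Get-WinEvent returns nothing, not an empty array, when no events match
    [PSCustomObject]@{ Mode = $value; Event39Count = $count }
}

foreach ($r in $results) {
    $mode = if ($null -eq $r.Mode) { 'not set (patch-level default applies)' }
            else { "$($r.Mode) ($($ModeNames[[int]$r.Mode]))" }
    [PSCustomObject]@{
        DC           = $r.PSComputerName
        BindingMode  = $mode
        Event39_7d   = $r.Event39Count
        ReadyForFull = ($r.Event39Count -eq 0)   # no unmappable certificates seen in the window
    }
}

# Once every DC reports ReadyForFull = True, move to full enforcement (the ESC9/ESC10/ESC16 fix):
# Invoke-Command -ComputerName $dcs -ScriptBlock {
#     Set-ItemProperty -Path $using:RegPath -Name $using:ValueName -Value 2 -Type DWord
# }
```

A DC that still logs Event 39 has certificates in use that full enforcement will reject; fix those (reissue with the SID extension, or replace weak altSecurityIdentities mappings with strong ones) before flipping the value.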
Detection & Incident Response
Events to Monitor (requires CA auditing enabled):
- 4886: Certificate request received
- 4887: Certificate approved and issued
- 39 (KDC): Certificate mapping failure (use for testing StrongCertificateBindingEnforcement)
- 5136: Directory object modified (altSecurityIdentities)
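To turn the event list above into something that actually raises a flag, here is an added example (not code from the page) that parses 4886/4887 event XML into fields and applies two heuristics matching the Heavy Elements: a SAN pushed through request attributes (the ESC6 pattern) and an issued subject that does not name the requesting account (an ESC1 indicator). It runs offline against a constructed sample event embedded in the script and, with `$Live` set to `$true`, against the CA's Security log; the 5136 filter at the end is meant for a DC. It assumes the EventData field names Requester, Attributes and Subject as documented for 4886/4887, and the heuristics are a starting point to tune, not a finished rule set.

```powershell
# Added example: flag suspicious CA issuance events (4886/4887) and altSecurityIdentities writes (5136).
# Assumptions: EventData field names Requester / Attributes / Subject; heuristics need tuning.
$Live = $false   # set to $true on the CA (and the 5136 part on a DC) to read real logs

# Constructed sample event: a low-privileged user supplies a SAN through request attributes
$SampleEvents = @(@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4887</EventID><TimeCreated SystemTime="2025-01-15T10:02:11.000Z"/></System>
  <EventData>
    <Data Name="RequestId">1042</Data>
    <Data Name="Requester">CORP\jsmith</Data>
    <Data Name="Attributes">CertificateTemplate:User&#13;&#10;san:upn=administrator@corp.local</Data>
    <Data Name="Disposition">3</Data>
    <Data Name="Subject">CN=jsmith,CN=Users,DC=corp,DC=local</Data>
  </EventData>
</Event>
'@)

function ConvertFrom-CaEventXml {
    param([string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $eid = $doc.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # EventID may carry a Qualifiers attribute
    $template = if ($data['Attributes'] -match 'CertificateTemplate:([^\r\n]+)') { $Matches[1] } else { $null }
    [PSCustomObject]@{
        EventId    = [int]$eid
        Time       = $doc.Event.System.TimeCreated.SystemTime
        Requester  = $data['Requester']
        Attributes = $data['Attributes']
        Subject    = $data['Subject']
        Template   = $template
    }
}

function Test-SuspiciousRequest {
    param($Ev)
    $reasons = @()
    # ESC6 pattern: subject alternative name supplied via request attributes
    if ($Ev.Attributes -match '(?i)san:') { $reasons += 'SAN supplied in request attributes' }
    # ESC1 indicator: the subject the CA accepted does not name the requesting account
    $sam = ($Ev.Requester -split '\\')[-1] -replace '\$$', ''
    if ($Ev.Subject -and $sam -and $Ev.Subject -notmatch [regex]::Escape($sam)) {
        $reasons += "subject does not contain requester name '$sam'"
    }
    return $reasons
}

$events = @(foreach ($x in $SampleEvents) { ConvertFrom-CaEventXml $x })
if ($Live) {
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4886, 4887 } -MaxEvents 500 |
        ForEach-Object { ConvertFrom-CaEventXml $_.ToXml() }
}

foreach ($ev in $events) {
    $why = Test-SuspiciousRequest $ev
    if ($why) {
        [PSCustomObject]@{ Time = $ev.Time; EventId = $ev.EventId; Requester = $ev.Requester
                           Template = $ev.Template; Subject = $ev.Subject; Why = ($why -join '; ') }
    }
}

if ($Live) {
    # ESC14 watch (run on a DC): 5136 needs "Audit Directory Service Changes" and a SACL on the objects
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'altSecurityIdentities' } |
        Select-Object TimeCreated, Id, Message
}
```

On the sample event the script reports one finding, "SAN supplied in request attributes", for requester CORP\jsmith on the User template. Legitimate use of the SAN attribute exists (some web-server enrollment flows), so baseline which templates and requesters trigger it before alerting on every hit.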