ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients

The Active Directory Certificate Service (ADCS) has been studied extensively, which led to an entire category of privilege escalation techniques: the ESC attacks. We combined known research about attacks on ADCS and the Windows Server Update Services (WSUS) to compromise Windows machines in supposedly “secure” environments. As this technique can be generalized, we decided to introduce the new escalation number ESC17.

In this talk we will revisit both the currently known attacks on ADCS and on WSUS and combine them with a new twist.

Certificate templates are often misconfigured in ADCS environments and can lead to complete domain takeover, for example with the ESC1 technique. In our experience, mitigations against ESC1 in particular often remain incomplete and can leave room for further attacks, some of which have not been publicly discussed so far.

For WSUS, we will give an overview of past attacks, which in theory have existed since 2015. However, our impression is that these attacks are not a common part of security assessments.

In the following, we combine the research on ADCS with the MitM attack on WSUS to gain command execution on Windows machines that are configured in accordance with best practices.

During internal discussions, we realized that the underlying problem is not specific to WSUS at all, but rather rooted in ADCS and the trust relationships in Active Directory. This led to the creation of a new ESC number, so that this specific configuration of certificate templates can easily be identified and mitigated.

About the Speakers