TROOPERS26 Call for Paper

ESC17: Using ADCS to Attack HTTPS-Enabled WSUS Clients
2026-06-24, Track 2

The Active Directory Certificate Service (ADCS) has been studied extensively, which led to an entire category of privilege escalation techniques: the ESC attacks.
We combined known research about attacks on ADCS and the Windows Server Update Service (WSUS) to compromise Windows machines in supposedly "secure" environments.
As this technique can be generalized, we decided to introduce the new escalation number ESC17.


In this talk we will revisit both the currently known attacks on ADCS and on WSUS and combine them with a new twist.

Certificate templates are often misconfigured in ADCS environments and can lead to complete domain takeover, for example with the ESC1 technique.
In our experience, mitigations against ESC1 in particular often remain incomplete and can leave room for further attacks, some of which have not been publicly discussed so far.

For WSUS, we will give an overview of past attacks, which in theory have existed since 2015. However, our impression is that these attacks are not a common part of security assessments.

We then combine the research on ADCS with the MitM attack on WSUS to gain command execution on Windows machines that are configured in accordance with best practices.

During internal discussions, we realized that the underlying problem is not specific to WSUS at all, but rather rooted in ADCS and the trust relationships in Active Directory. This led to the creation of a new ESC number, so that this specific configuration of certificate templates can easily be identified and mitigated.

Alex is a Security Consultant at DigiTrace GmbH.
Since 2022 he has regularly conducted penetration tests with a focus on internal infrastructure and Active Directory, while finishing his studies in the IT Security field.
With a passion for open source, he maintains several open source projects, including NetExec, wsuks and EVENmonitor.

Phil is a Senior Security Consultant and head of the IT Security team at DigiTrace GmbH. He started his IT security studies in 2010 at Ruhr University Bochum and has been working full-time in this field since 2016.
His focus is on internal infrastructure penetration tests and security consulting, with the occasional IT forensics project in between.
While Phil is an avid user of open source technology, he soon realized that most company networks are built around Active Directory, making him realize that even a basement child cannot live without Windows.