Active Directory - Certificate ESC6
ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
If this flag is set on the CA, any request (including one whose subject is built from Active Directory) can carry user-defined values in the subject alternative name.
Exploitation
- Use Certify.exe to check the state of the UserSpecifiedSAN flag, which corresponds to the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
- Request a certificate for a template and add an altname, even though the default User template doesn't normally allow specifying alternative names.
Mitigation
- Remove the flag:
certutil.exe -config "CA01.domain.local\CA01" -setreg "policy\EditFlags" -EDITF_ATTRIBUTESUBJECTALTNAME2
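Added example (not from the original page): a small Python check that parses the output of `certutil -getreg policy\EditFlags` on the CA, reports whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) is set, and computes the value EditFlags takes after the mitigation command above. The certutil output embedded below is a constructed sample; in practice feed it the real output of `certutil -config "CA01.domain.local\CA01" -getreg policy\EditFlags`.

```python
import re

# Bit that EDITF_ATTRIBUTESUBJECTALTNAME2 sets in the CA's policy\EditFlags DWORD.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample output of:
#   certutil -config "CA01.domain.local\CA01" -getreg policy\EditFlags
# on a CA where the flag is set (0x15014e = 0x11014e | 0x40000).
SAMPLE_FLAG_SET = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CA01\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""

# Constructed sample for the same CA after the mitigation command has been run.
SAMPLE_FLAG_CLEAR = SAMPLE_FLAG_SET.replace(
    "15014e (1376590)", "11014e (1114446)"
).replace("    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)\n", "")


def parse_edit_flags(certutil_output: str) -> int:
    """Return the EditFlags DWORD (certutil prints it in hex) from -getreg output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", certutil_output)
    if m is None:
        raise ValueError("no EditFlags REG_DWORD line in certutil output")
    return int(m.group(1), 16)


def san_attribute_enabled(certutil_output: str) -> bool:
    """True when the CA honours caller-supplied SAN attributes (the ESC6 condition)."""
    return bool(parse_edit_flags(certutil_output) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def remediated_edit_flags(edit_flags: int) -> int:
    """EditFlags value once the mitigation removes the flag (the '-' prefix clears bits)."""
    return edit_flags & ~EDITF_ATTRIBUTESUBJECTALTNAME2


if __name__ == "__main__":
    for label, out in (("before", SAMPLE_FLAG_SET), ("after", SAMPLE_FLAG_CLEAR)):
        flags = parse_edit_flags(out)
        status = "YES" if san_attribute_enabled(out) else "no"
        print(f"{label}: EditFlags=0x{flags:x} ESC6 condition={status}")
```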