ADCS ESC11 Explained | Relay to RPC скачать в хорошем качестве

ADCS ESC11 Explained | Relay to RPC

In this video, we take a look at ESC11, an attack that involves relaying NTLM authentication to the ADCS RPC endpoint. ESC11 is similar to ESC8, but instead of targeting the Web Enrollment (HTTP) endpoint, we relay authentication directly to the RPC interface on the Certificate Authority. The vulnerability exists when the CA’s RPC interface is not configured to enforce encryption. If the IF_ENFORCEENCRYPTICERTREQUEST flag is not set or explicitly disabled, it becomes possible to perform a man-in-the-middle attack, capture NTLM authentication, and relay it to the CA to request a certificate. As always, we’ll also cover mitigations and hardening steps to prevent this attack path. ⚠️ This video is for educational purposes only. All demonstrations are performed in controlled lab environments. Do not attempt these techniques on systems you do not own or have explicit permission to test.