Cert Publishers

The Cert Publishers group is a built-in AD group whose members are allowed to publish user certificates to AD objects. However, they do not have write access to certificate templates by default. Granting them such permissions is a misconfiguration that can lead to attacks like ESC4.

Privilege

Description

Write on userCertificate attribute

Cert Publishers can publish user certificates to user objects in AD by writing to the userCertificate attribute. This is their primary and default function.

Read on Certificate Templates

They can read certificate templates, but cannot write to or modify them by default.

Enroll (if assigned by a template)

They may have the right to enroll for certificates if the template explicitly allows it — not automatically granted by Cert Publishers membership.

If a member of this group is compromised, check for potential ESC vulnerabilties:

# Test for vulnerable templates
$ certipy find -u <user>@<domain> -p <pass> -stdout -vuln
...
    [!] Vulnerabilities
      ESC1  : '<domain>\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC2  : '<domain>\\Domain Users' can enroll and template can be used for any purpose
      ESC3  : '<domain>\\Domain Users' can enroll and template has Certificate Request Agent EKU set
      ESC4  : User has dangerous permissions.
      ESC16 : Security Extension is disabled.

PreviousBackup Operators NextDnsAdmins

Last updated 8 months ago