# Cert Publishers

The `Cert Publishers` group is a built-in AD group whose members are allowed to publish user certificates to AD objects. However, **they do *not* have write access to certificate templates by default**. Granting them such permissions is a **misconfiguration** that can lead to attacks like [**ESC4**](https://x7331.gitbook.io/boxes/tl-dr/attacks/adcs#template-abuse-esc4).

<table><thead><tr><th width="219.00006103515625">Privilege</th><th>Description</th></tr></thead><tbody><tr><td>Write on <code>userCertificate</code> attribute</td><td>Cert Publishers can <strong>publish user certificates</strong> to user objects in AD by writing to the <code>userCertificate</code> attribute. This is their <strong>primary and default function</strong>.</td></tr><tr><td>Read on Certificate Templates</td><td>They can <strong>read</strong> certificate templates, but <strong>cannot write to or modify them</strong> by default.</td></tr><tr><td>Enroll <em>(if assigned by a template</em>)</td><td>They may have the <strong>right to enroll for certificates</strong> if the template explicitly allows it — not automatically granted by Cert Publishers membership.</td></tr></tbody></table>

If a member of this group is compromised, check for potential [ESC vulnerabilities](https://x7331.gitbook.io/boxes/tl-dr/attacks/adcs#esc-attacks):

{% code overflow="wrap" %}

```bash
# Test for vulnerable templates
$ certipy find -u <user>@<domain> -p <pass> -stdout -vuln
...
    [!] Vulnerabilities
      ESC1  : '<domain>\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC2  : '<domain>\\Domain Users' can enroll and template can be used for any purpose
      ESC3  : '<domain>\\Domain Users' can enroll and template has Certificate Request Agent EKU set
      ESC4  : User has dangerous permissions.
      ESC16 : Security Extension is disabled.
```

{% endcode %}
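From the defender's side, the ESC4 precondition this page describes (Cert Publishers holding write rights on a template) can be audited directly in AD. The script below is an added example, not part of the original page; it assumes the RSAT `ActiveDirectory` module on a domain-joined host with read access to the Configuration partition.

```powershell
# Added audit example (not from the original page). Assumes the RSAT ActiveDirectory
# module; the AD: PSDrive is created when the module is imported.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Rights that let a principal modify a template or its security descriptor.
# Cert Publishers should hold none of these on any template by default.
$dangerous = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty'

$templates = Get-ADObject -SearchBase $templateDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"'

$findings = foreach ($t in $templates) {
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Match the group by its domain-qualified name, e.g. DOMAIN\Cert Publishers.
        if ($ace.IdentityReference.Value -notmatch '\\Cert Publishers$') { continue }

        # ActiveDirectoryRights is a flags enum; split its string form into parts.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit    = $rights | Where-Object { $dangerous -contains $_ }
        if (-not $hit) { continue }

        [PSCustomObject]@{
            Template   = $t.Name
            Identity   = $ace.IdentityReference.Value
            Rights     = ($hit -join ',')
            # Empty GUID = right applies to all properties; otherwise it is
            # scoped to one attribute and should be reviewed rather than assumed bad.
            ObjectType = if ($ace.ObjectType -eq [guid]::Empty) { 'All' } else { $ace.ObjectType }
            Inherited  = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output "No write-capable ACEs for Cert Publishers found on certificate templates." }
```

Any row returned is a deviation from the default privilege set in the table above and should be removed (or justified) before it becomes an ESC4 path.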
