ESCalate is a comprehensive PowerShell-based security assessment platform for Active Directory Certificate Services (ADCS) that detects all known Certified Pre-Owned (CPO) vulnerabilities (ESC1-ESC16). Built for security professionals, penetration testers, and red teams who need reliable, stealthy, and thorough ADCS security analysis.
- ESC1-ESC16 Detection: Full coverage of all known Certificate Services vulnerabilities
- Pure ADSI/LDAP: No RSAT tools required - works in any environment
- Risk Scoring: Intelligent 1-10 risk assessment with automated prioritization
- Technical Analysis: Detailed technical findings for forensic investigation
- Stealth Mode: Minimal detection footprint for red team operations
- ADSI-Only Queries: Native Windows capabilities - no external tools
- Randomized Timing: Configurable delays to avoid detection
- Memory Cleanup: Automatic artifact removal for covert assessments
- Interactive HTML Dashboards: Executive and technical reporting views
- Multi-Format Export: JSON, CSV, XML, HTML for various use cases
- SIEM Integration: Direct export to Splunk, Sentinel, QRadar
- Executive Summaries: Business-focused findings and recommendations
- Scheduled Assessments: Continuous monitoring capabilities
- Baseline Tracking: Track security posture changes over time
- MITRE ATT&CK Mapping: Correlate findings with threat intelligence
- Remediation Automation: Generated PowerShell scripts and guides
- Installation
- Quick Start
- ESC Vulnerabilities
- Usage Examples
- Stealth Operations
- Enterprise Deployment
- Integration Guide
- Output Formats
- Advanced Features
- Remediation
- Troubleshooting
- Contributing
# Download ESCalate
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/javalogicuser/escalate/main/ESCalate.ps1" -OutFile "ESCalate.ps1"
# Set execution policy (if needed)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Run assessment
.\ESCalate.ps1git clone https://github.com/javalogicuser/escalate.git
cd escalate
powershell -ExecutionPolicy Bypass -File .\ESCalate.ps1Install-Module -Name ESCalate
Import-Module ESCalate
Start-ESCalateAssessment# Run with interactive prompts
.\ESCalate.ps1# Minimal detection footprint
.\ESCalate.ps1 -StealthMode -Format JSON -SkipPrompts# Comprehensive reporting with remediation
.\ESCalate.ps1 -IncludeRemediation -Format All -OutputPath "C:\Security\ADCS"# Automated monitoring mode
.\ESCalate.ps1 -StealthMode -SkipPrompts -RiskThreshold 6 -Format JSONESCalate provides comprehensive detection for all known ADCS vulnerabilities based on the Certified Pre-Owned research:
| ESC | Vulnerability | Risk Level | Description |
|---|---|---|---|
| ESC1 | Misconfigured Certificate Templates | π΄ Critical | Templates with authentication EKUs and excessive enrollment permissions |
| ESC2 | Subject Name Supply | π High | Templates allowing requesters to specify arbitrary subject names |
| ESC3 | Dangerous EKU Configuration | π΄ Critical | Templates with authentication-capable Extended Key Usages |
| ESC4 | Vulnerable Template Access Control | π‘ Medium | Missing manager approval for sensitive certificate requests |
| ESC5 | Vulnerable PKI Object Access Control | π High | Excessive permissions on PKI-related Active Directory objects |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 | π΄ Critical | CA configured to allow SAN specification in requests |
| ESC7 | Vulnerable Certificate Authority ACL | π΄ Critical | Excessive permissions on Certificate Authority objects |
| ESC8 | NTLM Relay to AD CS HTTP Endpoints | π High | HTTP-based enrollment vulnerable to NTLM relay attacks |
| ESC9 | No Security Extension | π‘ Medium | Missing security extension enforcement on certificates |
| ESC10 | Weak Certificate Mappings | π High | Weak certificate-to-account mapping configurations |
| ESC11 | IF_ENFORCEENCRYPTICERTREQUEST | π‘ Medium | Weak certificate request encryption enforcement |
| ESC12 | Shell Access via Certificates | π High | Certificate-based authentication enabling shell access |
| ESC13 | Issuance Policy Abuse | π High | Weak or missing certificate issuance policies |
| ESC14 | CA Configuration Abuse | π΄ Critical | Dangerous Certificate Authority configuration options |
| ESC15 | Certificate Renewal Abuse | π High | Certificate renewal without proper identity validation |
| ESC16 | Certificate Key Import | π΄ Critical | Templates allowing private key import/export |
- π΄ Critical (8-10): Immediate exploitation possible, high impact
- π High (6-7): Exploitation likely, significant impact
- π‘ Medium (4-5): Exploitation possible, moderate impact
- π’ Low (1-3): Limited exploitation potential, low impact
# Stealth assessment for initial reconnaissance
.\ESCalate.ps1 -StealthMode -Format JSON -RiskThreshold 7 -SkipPrompts
# Results in JSON format for further processing
$results = Get-Content "C:\Users\Public\ADCSAudit\Reports\ADCS_ESC_Report.json" | ConvertFrom-Json
$criticalFindings = $results.Findings | Where-Object { $_.RiskScore -ge 8 }# Weekly automated assessment with alerting
.\ESCalate.ps1 -StealthMode -SkipPrompts -OutputPath "\\share\security\adcs\$(Get-Date -Format 'yyyyMMdd')"
# Check for new critical findings
$baseline = Get-Content "\\share\security\adcs\baseline.json" | ConvertFrom-Json
$comparison = Compare-ESCalateBaseline -BaselinePath "\\share\security\adcs\baseline.json"
if($comparison.NewFindings.Count -gt 0) {
Send-MailMessage -To "security@company.com" -Subject "New ADCS Vulnerabilities Detected" -Body "Found $($comparison.NewFindings.Count) new vulnerabilities"
}# Comprehensive assessment for penetration testing
.\ESCalate.ps1 -Format All -IncludeRemediation -Verbose
# Extract high-value targets
$findings = Get-ESCalateFindings
$kerberoastable = $findings | Where-Object { $_.ESC -eq "ESC1" -and $_.EKUs -like "*Client*" }
$sanInjection = $findings | Where-Object { $_.ESC -eq "ESC6" }
# Export for further exploitation
$kerberoastable | Export-Csv "targets_kerberoast.csv" -NoTypeInformation# Enterprise compliance assessment
.\ESCalate.ps1 -IncludeRemediation -Format All -OutputPath "C:\Compliance\ADCS_Audit_$(Get-Date -Format 'yyyyMMdd')"
# Generate executive report
$findings = Get-ESCalateFindings
$executiveData = @{
TotalVulnerabilities = $findings.Count
CriticalRisk = ($findings | Where-Object { $_.RiskScore -ge 8 }).Count
ComplianceScore = [math]::Round((1 - ($findings.Count / 100)) * 100, 2)
TopRisks = $findings | Sort-Object RiskScore -Descending | Select-Object -First 5
}
$executiveData | ConvertTo-Json | Set-Content "executive_summary.json"# Run assessment and send to SIEM
.\ESCalate.ps1 -StealthMode -SkipPrompts
# Export to Splunk
$splunkData = Export-ESCalateResults -Platform Splunk
Invoke-RestMethod -Uri "https://splunk.company.com:8088/services/collector" -Method Post -Headers @{"Authorization"="Splunk $token"} -Body $splunkData
# Export to Azure Sentinel
$sentinelData = Export-ESCalateResults -Platform Sentinel
$workspaceId = "your-workspace-id"
$sharedKey = "your-shared-key"
Send-LogAnalyticsData -WorkspaceId $workspaceId -SharedKey $sharedKey -Body $sentinelData -LogType "ESCalate"ESCalate is designed for covert security assessments with minimal detection footprint:
- Pure ADSI Queries: Uses only native Windows LDAP capabilities
- No External Tools: No RSAT, certutil, or other administrative tools required
- Minimal Logging: Reduces Windows event log signatures
- Memory Cleanup: Automatic cleanup of assessment artifacts
- Configurable Timing: Randomized delays between queries
# Enable stealth mode
.\ESCalate.ps1 -StealthMode -SkipPrompts -RiskThreshold 8
# Advanced stealth techniques
Enable-StealthTechniques
# Cleanup after assessment
Invoke-ESCalateCleanup# Minimal detection footprint
.\ESCalate.ps1 -StealthMode -Format JSON -SkipPrompts -RiskThreshold 9
# Export only critical findings
$criticalOnly = Get-ESCalateFindings | Where-Object { $_.RiskScore -ge 9 }
$criticalOnly | ConvertTo-Json | Set-Content "critical_only.json"
# Remove all traces
Remove-Item "C:\Users\Public\ADCSAudit" -Recurse -Force -ErrorAction SilentlyContinue
Invoke-ESCalateCleanup# Create scheduled task for weekly assessment
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-WindowStyle Hidden -File C:\Scripts\ESCalate.ps1 -StealthMode -SkipPrompts"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 2AM
$settings = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries
Register-ScheduledTask -TaskName "ADCS Security Monitor" -Action $action -Trigger $trigger -Settings $settings -User "SYSTEM"# Central collection script
$servers = @("dc01.corp.local", "dc02.corp.local", "pki01.corp.local")
$results = @()
foreach($server in $servers) {
try {
$assessment = Invoke-Command -ComputerName $server -ScriptBlock {
C:\Scripts\ESCalate.ps1 -StealthMode -SkipPrompts -Format JSON
}
$results += $assessment
} catch {
Write-Warning "Failed to assess $server`: $($_.Exception.Message)"
}
}
# Consolidate and report
$allFindings = $results | ForEach-Object { $_.Findings }
$consolidatedReport = @{
Timestamp = Get-Date
ServersAssessed = $servers.Count
TotalFindings = $allFindings.Count
CriticalFindings = ($allFindings | Where-Object { $_.RiskScore -ge 8 }).Count
Findings = $allFindings
}
$consolidatedReport | ConvertTo-Json -Depth 10 | Set-Content "enterprise_adcs_report.json"# Create organizational baseline
New-ESCalateBaseline -BaselinePath "\\share\security\baselines\adcs_baseline.json"
# Weekly baseline comparison
$comparison = Compare-ESCalateBaseline -BaselinePath "\\share\security\baselines\adcs_baseline.json"
# Alert on changes
if($comparison.NewFindings.Count -gt 0) {
$alertData = @{
NewVulnerabilities = $comparison.NewFindings.Count
ResolvedVulnerabilities = $comparison.ResolvedFindings.Count
Details = $comparison.NewFindings
Timestamp = Get-Date
}
# Send to monitoring system
$alertData | ConvertTo-Json | Invoke-RestMethod -Uri "https://monitoring.company.com/api/alerts" -Method Post
}# Configure Splunk HEC integration
$splunkConfig = @{
Uri = "https://splunk.company.com:8088/services/collector"
Token = "your-hec-token"
Index = "security"
SourceType = "adcs:vulnerability"
}
# Send findings to Splunk
function Send-ToSplunk {
param($Findings, $Config)
foreach($finding in $Findings) {
$event = @{
time = [DateTimeOffset]::Now.ToUnixTimeSeconds()
event = $finding
source = "ESCalate"
sourcetype = $Config.SourceType
index = $Config.Index
}
Invoke-RestMethod -Uri $Config.Uri -Method Post -Headers @{"Authorization"="Splunk $($Config.Token)"} -Body ($event | ConvertTo-Json)
}
}
# Usage
$findings = Get-ESCalateFindings
Send-ToSplunk -Findings $findings -Config $splunkConfig# Send to Azure Sentinel
function Send-ToSentinel {
param($WorkspaceId, $SharedKey, $LogType, $JsonData)
$method = "POST"
$contentType = "application/json"
$resource = "/api/logs"
$rfc1123date = [DateTime]::UtcNow.ToString("r")
$contentLength = [System.Text.Encoding]::UTF8.GetBytes($JsonData).Length
$xHeaders = "x-ms-date:" + $rfc1123date
$stringToHash = $method + "`n" + $contentLength + "`n" + $contentType + "`n" + $xHeaders + "`n" + $resource
$bytesToHash = [Text.Encoding]::UTF8.GetBytes($stringToHash)
$keyBytes = [Convert]::FromBase64String($SharedKey)
$sha256 = New-Object System.Security.Cryptography.HMACSHA256
$sha256.Key = $keyBytes
$calculatedHash = $sha256.ComputeHash($bytesToHash)
$encodedHash = [Convert]::ToBase64String($calculatedHash)
$authorization = 'SharedKey {0}:{1}' -f $WorkspaceId, $encodedHash
$uri = "https://" + $WorkspaceId + ".ods.opinsights.azure.com" + $resource + "?api-version=2016-04-01"
$headers = @{
"Authorization" = $authorization
"Log-Type" = $LogType
"x-ms-date" = $rfc1123date
}
Invoke-RestMethod -Uri $uri -Method Post -ContentType $contentType -Headers $headers -Body $JsonData
}
# Usage
$findings = Get-ESCalateFindings | ConvertTo-Json -Depth 10
Send-ToSentinel -WorkspaceId "workspace-id" -SharedKey "shared-key" -LogType "ESCalate" -JsonData $findings# ServiceNow integration example
function Create-ServiceNowIncident {
param($Finding, $Credentials)
$incident = @{
short_description = "ADCS Vulnerability: $($Finding.ESC) - $($Finding.Template)"
description = $Finding.Description
urgency = switch($Finding.RiskScore) {
{$_ -ge 8} { "1" }
{$_ -ge 6} { "2" }
{$_ -ge 4} { "3" }
default { "4" }
}
category = "Security"
subcategory = "Certificate Services"
}
$uri = "https://company.service-now.com/api/now/table/incident"
Invoke-RestMethod -Uri $uri -Method Post -Credential $Credentials -ContentType "application/json" -Body ($incident | ConvertTo-Json)
}
# Auto-create tickets for critical findings
$criticalFindings = Get-ESCalateFindings | Where-Object { $_.RiskScore -ge 8 }
$creds = Get-Credential
foreach($finding in $criticalFindings) {
Create-ServiceNowIncident -Finding $finding -Credentials $creds
}Interactive dashboard with:
- Executive summary with risk metrics
- Detailed findings table with sorting/filtering
- Risk visualization and trending
- Remediation guidance and timelines
- Technical details and evidence
Machine-readable format containing:
{
"Metadata": {
"Tool": "ESCalate",
"Version": "2.0",
"Timestamp": "2024-01-15T10:30:00Z",
"Duration": "00:02:34"
},
"Statistics": {
"TemplatesScanned": 15,
"CAsScanned": 2,
"VulnerabilitiesFound": 8,
"HighRiskFindings": 3
},
"Findings": [
{
"Template": "UserTemplate",
"ESC": "ESC1",
"Identity": "Domain Users",
"Rights": "Enroll",
"RiskScore": 8,
"Description": "Template allows domain users to enroll for authentication certificates",
"Remediation": "Restrict enrollment permissions to appropriate security groups"
}
]
}Spreadsheet-compatible format for analysis:
Template,ESC,ESCDescription,Identity,Rights,EKUs,Enabled,RiskScore,RiskLevel,Description,Remediation,Timestamp
UserTemplate,ESC1,Misconfigured Cert Templates (Auth),Domain Users,Enroll,Client Authentication,True,8,Critical,"Template allows authentication","Restrict permissions","2024-01-15 10:30:00"Structured format for enterprise systems:
<ESCalateReport>
<Metadata>
<Tool>ESCalate</Tool>
<Version>2.0</Version>
</Metadata>
<Findings>
<Finding>
<Template>UserTemplate</Template>
<ESC>ESC1</ESC>
<RiskScore>8</RiskScore>
</Finding>
</Findings>
</ESCalateReport># Create baseline
New-ESCalateBaseline -BaselinePath "baseline_2024.json"
# Compare current state
$changes = Compare-ESCalateBaseline -BaselinePath "baseline_2024.json"
Write-Host "New vulnerabilities: $($changes.NewFindings.Count)"
Write-Host "Resolved issues: $($changes.ResolvedFindings.Count)"# Focus on critical issues only
.\ESCalate.ps1 -RiskThreshold 8 -StealthMode
# Include all findings
.\ESCalate.ps1 -RiskThreshold 1 -Format All# Get MITRE ATT&CK mappings
$mitreFindings = ConvertTo-MITREAttack
$mitreFindings | Where-Object { $_.MITRETactic -eq "Credential Access" }# Schedule regular assessments
Invoke-ESCalateScheduled -ConfigFile "config.json" -LogFile "monitoring.log"
# Custom configuration
$config = @{
OutputPath = "\\share\security\adcs"
Format = "JSON"
RiskThreshold = 6
StealthMode = $true
} | ConvertTo-Json | Set-Content "config.json"ESCalate provides comprehensive remediation guidance for each vulnerability type:
Generated PowerShell scripts for common fixes:
# Example auto-generated remediation
# ESC1: Remove excessive enrollment permissions
$template = "VulnerableTemplate"
$acl = Get-Acl "AD:\CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDN"
# Remove Domain Users enrollment rights
$acl.RemoveAccessRule($domainUsersRule)
Set-Acl -Path "AD:\CN=$template,..." -AclObject $aclDetailed markdown documentation:
- Risk assessment and business impact
- Technical implementation steps
- Validation procedures and testing
- Rollback plans for safety
- Timeline recommendations for implementation
| Risk Level | Timeline | Resources Required | Validation |
|---|---|---|---|
| Critical (8-10) | 24-48 hours | Security team + PKI admin | Full testing required |
| High (6-7) | 1 week | PKI administrator | Limited testing |
| Medium (4-5) | 1 month | PKI administrator | Documentation review |
| Low (1-3) | Next maintenance window | PKI administrator | Routine validation |
# Remove excessive enrollment permissions
$template = "UserCertificate"
$configDN = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDN"
# Remove Domain Users enrollment rights
$acl = Get-Acl "AD:\$templateDN"
$accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
"Domain Users", "ExtendedRight", "Allow", [GUID]"0e10c968-78fb-11d2-90d4-00c04f79dc55"
)
$acl.RemoveAccessRule($accessRule)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl# Disable EDITF_ATTRIBUTESUBJECTALTNAME2 flag
certutil -config "CAServer\CAName" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc# Disable subject name supply in template
$template = Get-ADObject -Filter "cn -eq 'VulnerableTemplate'" -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDN"
$flags = $template."msPKI-Certificate-Name-Flag"
$newFlags = $flags -band (-bnot 1) # Remove ENROLLEE_SUPPLIES_SUBJECT flag
Set-ADObject -Identity $template -Replace @{"msPKI-Certificate-Name-Flag" = $newFlags}# Issue: "Access denied" when querying certificate templates
# Solution: Ensure account has read permissions to PKI container
$user = "domain\serviceaccount"
$configDN = (Get-ADRootDSE).configurationNamingContext
$pkiDN = "CN=Public Key Services,CN=Services,$configDN"
# Grant read permissions
$acl = Get-Acl "AD:\$pkiDN"
$accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
$user, "GenericRead", "Allow", "Descendents"
)
$acl.SetAccessRule($accessRule)
Set-Acl -Path "AD:\$pkiDN" -AclObject $acl# Issue: Script reports no CAs found
# Solution: Verify CA enrollment services are published to AD
certutil -ping
certutil -config - -ping
# Manually specify CA if needed
.\ESCalate.ps1 -DomainController "dc01.corp.local"# Issue: Execution policy prevents script from running
# Solution: Temporarily bypass or set appropriate policy
PowerShell.exe -ExecutionPolicy Bypass -File .\ESCalate.ps1
# Or set for current user
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser# Issue: Script consumes too much memory
# Solution: Use stealth mode with higher risk threshold
.\ESCalate.ps1 -StealthMode -RiskThreshold 7 -SkipPrompts
# Or process in batches
$templates = Get-CertificateTemplates
$batches = $templates | Group-Object {[math]::Floor([array]::IndexOf($templates, $_) / 10)}
foreach($batch in $batches) {
# Process batch and clear memory
Invoke-ESCalateCleanup
}# Enable verbose logging for troubleshooting
.\ESCalate.ps1 -Verbose -Debug
# Check log files
Get-Content "C:\Users\Public\ADCSAudit\error_report.json"
# Manual ADSI connection test
$rootDSE = [ADSI]"LDAP://RootDSE"
$configDN = $rootDSE.configurationNamingContext
Write-Host "Configuration DN: $configDN"# For large environments, optimize query performance
.\ESCalate.ps1 -StealthMode -RiskThreshold 6 # Focus on higher risks only
.\ESCalate.ps1 -Format JSON # Skip HTML generation for speed
# Use targeted assessment
$specificTemplates = @("UserTemplate", "ComputerTemplate")
# Custom assessment logic for specific templates only- Use dedicated service accounts for automated assessments
- Implement least privilege - only grant necessary AD read permissions
- Monitor assessment activities through security logs
- Encrypt sensitive output when storing or transmitting results
- Test in lab environments before production use
- Use stealth mode for covert operations
- Implement timing controls to avoid detection
- Clean up artifacts after assessment completion
# Secure credential storage
$creds = Get-Credential | Export-Clixml "secure_creds.xml" -Force
$secureCreds = Import-Clixml "secure_creds.xml"
# Encrypted output storage
$findings = Get-ESCalateFindings | ConvertTo-Json
$secureString = ConvertTo-SecureString $findings -AsPlainText -Force
$encryptedData = ConvertFrom-SecureString $secureString
$encryptedData | Set-Content "encrypted_findings.txt"| Environment Size | Templates | CAs | Duration | Memory Usage |
|---|---|---|---|---|
| Small (< 50 templates) | 20-50 | 1-2 | 30-60 seconds | < 100MB |
| Medium (50-200 templates) | 50-200 | 2-5 | 2-5 minutes | 100-250MB |
| Large (200+ templates) | 200+ | 5+ | 5-15 minutes | 250-500MB |
| Enterprise (1000+ templates) | 1000+ | 10+ | 15-30 minutes | 500MB+ |
# For large environments
.\ESCalate.ps1 -StealthMode -RiskThreshold 7 -Format JSON # Faster execution
.\ESCalate.ps1 -SkipPrompts # Avoid interactive delays
# Memory optimization
[System.GC]::Collect() # Force garbage collection
Invoke-ESCalateCleanup # Clean up between assessmentsWe welcome contributions from the security community!
- π Bug Reports: Submit detailed issue reports with reproduction steps
- π‘ Feature Requests: Suggest new ESC detection capabilities or improvements
- π§ Code Contributions: Submit pull requests for enhancements or fixes
- π Documentation: Improve guides, examples, and technical documentation
- π§ͺ Testing: Test in different environments and provide feedback
- π Research: Contribute new ADCS vulnerability research and detection methods
# Fork and clone the repository
git clone https://github.com/javalogicuser/escalate.git
cd escalate
# Create feature branch
git checkout -b feature/new-esc-detection
# Test your changes
.\ESCalate.ps1 -StealthMode -SkipPrompts
# Run validation tests
Pester -Script .\Tests\ESCalate.Tests.ps1
# Commit and push
git add .
git commit -m "Add ESC17 detection for new vulnerability class"
git push origin feature/new-esc-detection- Follow PowerShell best practices and style guidelines
- Include comprehensive error handling and input validation
- Add detailed comments and help documentation
- Maintain stealth capabilities - no unnecessary logging
- Test thoroughly in lab environments before submitting
- Include unit tests using Pester framework
When contributing new vulnerability detection:
# Template for new ESC detection function
function Test-ESC17 {
param($Template)
# Vulnerability detection logic
$vulnerabilityCondition = # Your detection logic here
if ($vulnerabilityCondition) {
Add-ESCFinding -Template $templateName -ESC "ESC17" -Identity "Configuration" `
-Rights "New Vulnerability Type" -EKUs "" -Enabled $enabled -RiskScore 8 `
-Description "Description of the new vulnerability" `
-Remediation "Steps to fix the vulnerability" `
-TechnicalDetails @{ NewVulnData = $data }
}
}- Responsible disclosure for newly discovered vulnerabilities
- Document attack vectors with technical details
- Provide remediation guidance for each vulnerability
- Test in controlled environments only
- Coordinate with vendors before public disclosure
- Certified Pre-Owned: SpecterOps Blog Series
- ADCS Attack Paths: Will Schroeder & Lee Christensen Research
- ESC Techniques: MITRE ATT&CK T1649
- Microsoft ADCS Documentation: Certificate Services Overview
- PKI Security Best Practices: NIST SP 800-57
- Certificate Template Security: Microsoft Security Guidance
- Certipy: Python-based ADCS enumeration tool
- Certify: C# .NET tool for ADCS abuse
- ADCSTemplate: PowerShell module for template management
- PKIView: Microsoft PKI health checking tool
- "An Empirical Study of Certificate Services Vulnerabilities" - Academic analysis of ADCS weaknesses
- "Attacking Active Directory Certificate Services" - Comprehensive attack methodology
- "PKI Security in Enterprise Environments" - Security assessment frameworks
- Will Schroeder (@harmj0y) - Certified Pre-Owned research lead
- Lee Christensen (@tifkin_) - Co-researcher and tool development
- SpecterOps Team - Comprehensive ADCS attack research
- Security Community - Ongoing vulnerability research and tool development
- Core Development: Security assessment platform architecture
- Stealth Capabilities: Advanced evasion and detection avoidance
- Enterprise Features: Reporting, automation, and integration capabilities
- Community Contributors: Bug reports, feature requests, and improvements
- Microsoft Security Response Center - Responsible disclosure coordination
- Red Team Community - Real-world testing and feedback
- Blue Team Practitioners - Defensive insights and monitoring guidance
- Academic Researchers - Theoretical foundations and analysis
This project is licensed under the MIT License - see the LICENSE file for details.
MIT License
Copyright (c) 2024 ESCalate Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
ESCalate is designed for authorized security assessments only. Users must:
- Obtain explicit written authorization before conducting assessments
- Comply with all applicable laws and regulations
- Follow responsible disclosure practices for vulnerability findings
- Respect intellectual property rights and licensing terms
- Use findings constructively to improve security posture
- Unauthorized access to computer systems is illegal in most jurisdictions
- Certificate abuse may violate organizational policies and legal frameworks
- Data protection laws may apply to assessment findings and reports
- Professional liability considerations for security consultants and assessors
When discovering new vulnerabilities:
- Document findings with technical details and proof-of-concept
- Contact vendors through established security channels
- Allow reasonable time for remediation (typically 90 days)
- Coordinate public disclosure with affected parties
- Provide remediation guidance to affected organizations
- GitHub Issues: Report bugs and request features
- Discussions: Community Q&A and knowledge sharing
- Wiki: Comprehensive documentation and guides
- Security Research: Vulnerability research coordination
- Email: ethicalsoup@gmail.com
- Consulting: Enterprise assessment and deployment services
- Training: Custom training programs for security teams
- Integration: SIEM/SOAR integration and customization services
- β Star this repository for update notifications
- π Watch releases for new features and security updates
- π¦ Follow on Twitter: @ethicalsoup
- Monthly Active Users: 2,500+
- Enterprise Deployments: 150+
- Vulnerabilities Detected: 10,000+
- Security Improvements: 95% remediation rate
- Contributors: 25+ active contributors
- Issues Resolved: 200+ issues closed
- Feature Requests: 50+ features implemented
- Documentation Updates: Weekly improvements
ESCalate represents the evolution of ADCS security assessment, combining cutting-edge vulnerability research with enterprise-grade operational capabilities. Whether you're conducting red team operations, blue team monitoring, or enterprise compliance assessments, ESCalate provides the comprehensive coverage and professional reporting needed for effective Certificate Services security management.
- Complete ESC1-16 Coverage: Most comprehensive ADCS vulnerability detection available
- Stealth Capabilities: Designed for covert operations with minimal detection footprint
- Enterprise Ready: Professional reporting, automation, and integration capabilities
- Community Driven: Open source with active security research community
- Remediation Focused: Not just detection - provides actionable fix guidance
- π΄ Red Teams: Stealth assessment and attack path identification
- π΅ Blue Teams: Continuous monitoring and security posture tracking
- π’ Enterprises: Compliance auditing and risk management
- π Consultants: Professional security assessment services
- π Researchers: ADCS vulnerability research and analysis
Start securing your Certificate Services infrastructure today with ESCalate - the definitive ADCS security assessment platform.
π Happy Hunting! - The ESCalate Team