ESCepcion

The only AD CS auditing framework that doesn't just find misconfigurations — it tells you which ones actually lead to domain compromise.

Built for security consultants, blue teams, and auditors who need evidence-grade reports, not just scanner output.

$ python main.py --domain corp.local \

  --user auditor --password **** --dc-ip 192.168.1.10

[*] Connecting to LDAP — corp.local...

[*] Enumerating Certificate Authorities...

[+] Found CA: CORP-CA on corp-dc01

[*] Scanning 47 certificate templates...

[!] ESC1 — "UserCert" vulnerable (SAN)

[!] ESC4 — "WebServer" writable ACL

[!] ESC8 — HTTP endpoint at /certsrv/

[+] Audit complete — 3 paths in 4.2s

_

ESC Coverage

ESCepcion detects every known escalation path. Each finding includes confidence level, blocking controls, and a deterministic exploitability assessment — not just a vulnerable flag.

ESC1
CRITICAL LDAP + ACL

Misconfigured Certificate Templates

Templates with Client Auth EKU allow arbitrary SAN + low-priv enrollment. ESCepcion validates effective enrollment rights using BFS nested group resolution — eliminating false positives from inherited permissions.

ESC2
CRITICAL LDAP + ACL

Any Purpose EKU Abuse

Templates carrying Any Purpose EKU or no EKU at all can authenticate as any domain user regardless of the requester's privilege level.

ESC3
HIGH LDAP + ACL

Enrollment Agent Abuse

Misconfigured enrollment agent templates allow requesting certificates on behalf of any domain user. ESCepcion validates the full two-template chain (Agent + Target) before reporting — avoiding false positives.

ESC4
HIGH LDAP + ACL

Template ACL Abuse

Writable ACLs on certificate templates allow low-priv users to introduce ESC1-style misconfigurations at will. ESCepcion resolves nested group membership up to depth 5 to identify indirect write access paths.

ESC5
HIGH LDAP + ACL

PKI Object ACL Abuse

Weak ACLs on CAs, NTAuthCertificates, AIA, CDP, and OID objects can compromise the entire PKI infrastructure. Reported once as a global infrastructure finding, not repeated per template.

ESC6
CRITICAL LDAP + DEEP SCAN

EDITF_ATTRIBUTESUBJECTALTNAME2

CA-level flag allows SAN in any cert request, bypassing all template restrictions. Reported as NEAR_MISS via LDAP heuristic; confirmed deterministically via MS-RRP registry read with --deep-scan.

ESC7
HIGH LDAP + ACL

Vulnerable CA ACL

ManageCA / ManageCertificates rights on the CA object enable arbitrary certificate issuance and template manipulation. ESCepcion checks both permissions independently with LOW_TRUST principal filtering.

ESC8
HIGH LDAP + HTTP

NTLM Relay to AD CS HTTP

HTTP enrollment endpoints allow NTLM relay attacks. ESCepcion includes active HTTP probing to confirm endpoint availability and NTLM challenge presence before reporting — no false positives on dead URLs.

ESC9
MEDIUM LDAP

No Security Extension

CT_FLAG_NO_SECURITY_EXTENSION prevents the CA from embedding the objectSID extension in issued certificates, enabling UPN-based impersonation. ESCepcion cross-validates GenericWrite availability before escalating severity.

ESC10
MEDIUM DEEP SCAN

Weak Certificate Mappings

Weak StrongCertificateBindingEnforcement or CertificateMappingMethods registry settings allow certificate-to-account impersonation. Confirmed via MS-RRP with --deep-scan; reported as NEAR_MISS otherwise.

ESC11
MEDIUM DEEP SCAN

Unencrypted RPC Interface

IF_ENFORCEENCRYPTICERTREQUEST disabled allows NTLM relay attacks directly over the RPC certificate enrollment interface — no web enrollment role required on the CA.

ESC12
HIGH DEEP SCAN

DCOM Shell Access to CA

ESCepcion attempts remote detection of YubiHSM AuthPassword exposure via MS-RRP registry read. Requires --deep-scan and remote registry access to the CA server host.

ESC13
HIGH LDAP

OID Group Link Abuse

Issuance policies linked to universal AD groups via msDS-OIDToGroupLink grant certificate holders covert group membership. ESCepcion validates group type (must be universal and empty) and privilege level before reporting — avoiding false positives.

ESC14
MEDIUM LDAP + ACL

Explicit Certificate Mapping

Weak permissions over altSecurityIdentities allow low-priv users to bind arbitrary certificates to privileged accounts. ESCepcion detects all four mapping scenarios: X509RFC822, IssuerSubject, SubjectOnly, and WriteProperty.

ESC15
HIGH LDAP

SchemaVersion 1 / EKUwu (CVE-2024-49019)

SchemaVersion 1 templates allow Application Policy injection in the CSR, silently overriding the template's EKU. Enables client authentication with any V1 template on unpatched CAs.

ESC16
HIGH DEEP SCAN

CA-Wide Security Extension Disabled

OID 1.3.6.1.4.1.311.25.2 in the CA's DisableExtensionList makes ALL templates behave like ESC9 simultaneously. Confirmed via MS-RRP registry read with --deep-scan. One of the most impactful CA-level misconfigurations.

Quick Start

01

Clone Repository

git clone https://github.com/Hackwarts12/ESCepcion.git
cd ESCepcion
pip install -r requirements.txt
02

Basic Audit

# Basic domain audit python main.py --domain corp.local --user auditor \ --dc-ip 192.168.1.10 --password 'P@ssw0rd'
03

Deep Scan

# Deep scan — confirms ESC6/10/11/12/16 via MS-RRP python main.py --domain corp.local --user auditor \ --dc-ip 192.168.1.10 --password 'P@ssw0rd' \ --deep-scan

Arcane Arsenal

🔮

Full AD CS Enumeration

Maps all Certificate Authorities, templates, ACLs, OID objects, and PKI infrastructure in a single LDAP session. Paginated queries handle enterprise environments with thousands of objects without truncation.

ESC1–ESC16 Detection

Complete coverage of all known ADCS privilege escalation vectors. Each finding includes confidence level, blocking controls, and a deterministic exploitability assessment — not just a vulnerable flag.

Flexible Authentication

NTLM password, Pass-the-Hash (LM:NT or :NT format), and integrated Windows authentication (SSPI). No credentials are stored in output files or reports.

Rich Grimoire Reports

Full HTML dashboard with posture score, attack chains, combo chain correlation, and per-finding remediation playbooks. JSON output ready for SIEM integration and diff-based remediation tracking.

🛡️

Remediation Spells

Each finding includes the exact certutil, PowerShell, or ADSI command to remediate — not generic advice. Prioritized by DDCC exploitability, not just severity.

DDCC — Deterministic Attack Paths

ESCepcion's proprietary engine builds in-memory attack graphs to determine if a low-trust user has a real path to domain compromise. Separates EXPLOITABLE findings from NEAR_MISS and POTENTIAL — the difference between a critical finding and noise.

🌐

Hybrid Environment Detection

Detects AD Connect presence, sync account credential risks, and Entra ID tenant exposure via LDAP-only queries. Flags when on-prem ADCS misconfigurations may cascade to Microsoft 365 and Azure cloud resources.

🔗

Combo Chain Correlation

Automatically correlates multiple ESC findings into named attack chains: Template Takeover (ESC4→ESC1), Certifried Hybrid (Certifried+ESC8), Sync Account Takeover (Shadow Credentials+MSOL), and more.

How It Works — The Ritual

1

Discovery

Connects via LDAP and locates all Certificate Authorities within the target domain or forest. Resolves SIDs and nested group membership up to depth 5 for accurate ACL analysis.

2

Enumeration

Maps every certificate template attribute, ACL entry, CA configuration flag, OID object, and PKI container. Paginated queries handle enterprise-scale environments without object limit truncation.

3

Analysis

Tests each ESC vector against collected data using validation logic derived from SpecterOps, Certipy, and original research. Each finding receives a confidence level and a list of blocking controls that currently prevent exploitation.

4

DDCC Engine

The Deterministic Domain Compromise Check builds an attack graph from all findings. It determines whether a low-trust user has a real step-by-step path to domain compromise and assigns an L1–L5 impact level to each path. NEAR_MISS findings — one prerequisite away from exploitation — are tracked separately from theoretical ones.

5

Reporting

Generates a structured HTML grimoire and JSON output with posture score (0–100), attack chains, combo correlations, per-finding remediation playbooks, and a coverage map showing which ESCs were evaluated and which require --deep-scan to confirm.

Learn more about the DDCC and L1–L5 Risk Model

Credits & Developer

Research Credits

Built upon groundbreaking research from the community:

  • Will Schroeder & Lee Christensen
    SpecterOps — "Certified Pre-Owned" (2021)
  • Oliver Lyak
    Certipy — ESC9, ESC10, ESC16
  • Jonas Bülow Knudsen
    ESC13, ESC14 (2024)
  • Justin Bollinger
    TrustedSec — ESC15 / EKUwu (2024)

Developed & Compiled by

Erick Maldonado — @Hackwarts12

RedSpears Labs — Devel Security, S.A.

Architecture, DDCC engine, L1–L5 risk model, hybrid environment analysis, and full implementation of the ESCepcion framework. Regional Offensive Security Consultant Manager.

Presented At

  • EkoParty BlueSpace 2026 2026 Buenos Aires, Argentina
  • Unknow Conference 2025 Lima, Peru

The Journey

From idea to framework — how ESCepcion evolved.

Oct 2024 Origins
Dec 2024 First Build
Feb 2025 Coverage
Apr 2025 Intelligence
Jun 2025 Deep Scan
Aug 2025 Hybrid
Oct 2025 Reporting
Jul 2026 Peru
Oct 2026 v1.0
Q3 2026 v1.1
Q4 2026 v1.2

The Idea

Started as an internal script to audit AD CS in client engagements at Devel Security. The goal: a tool that explains risk to non-technical stakeholders, not just dumps LDAP findings.

ESC1–ESC4 Core

First working version with ESC1, ESC2, ESC3, ESC4 detection via LDAP. Basic HTML output. Ran internally on the first real client engagement and surfaced ESC4 findings that were missed by other tools.

ESC5–ESC8 + Authentication

Added ESC5 through ESC8 coverage including active HTTP probing for ESC8. Implemented Pass-the-Hash and SSPI authentication. First version usable without a plaintext password.

DDCC Engine + L1–L5 Model

The Deterministic Domain Compromise Check was designed and implemented. For the first time, ESCepcion could tell the difference between a theoretical finding and a real path to domain compromise. The L1–L5 Identity Impact Taxonomy replaced CVSS scoring.

ESC10 / ESC12 / ESC14 + MS-RRP

Added --deep-scan mode with impacket MS-RRP integration. ESC10 reads StrongCertificateBindingEnforcement and CertificateMappingMethods directly from the DC registry. ESC12 attempts remote YubiHSM detection. ESC14 covers all four altSecurityIdentities scenarios.

Certifried + Shadow Credentials + Hybrid Detection

Added Certifried (CVE-2022-26923) as a standalone detection module. Shadow Credentials enumeration with LOW_TRUST filtering. Hybrid environment detector identifies AD Connect accounts, tenant exposure, and sync account credential risks via LDAP-only queries.

HTML Grimoire + BloodHound Export

Complete redesign of the HTML report. Posture Score 0–100, attack chain visualization, combo chain correlation, and per-finding remediation playbooks with exact certutil and PowerShell commands. BloodHound JSON v6 export added.

Unknow Conference 2026 — Lima, Peru

First presentation at Unknow Conference, Lima. Introduction to ESCepcion framework, DDCC engine demonstration, and L1–L5 risk model explanation for the Latin American security community.

Public Release — EkoParty BlueSpace 2026

Official public release presented at EkoParty BlueSpace, Buenos Aires. ESC1–ESC8 full logic, ESC10/12/14 via deep scan, Certifried, Shadow Credentials, Hybrid Detection, DDCC, L1–L5, Posture Score, Combo Chains, BloodHound export, HTML grimoire, JSON output.

Full ESC Coverage + Hardening

ESC9, ESC11, ESC13, ESC15, ESC16 with full detection logic and anti-false-positive validation. Global LDAP pagination for enterprise environments. Unified ESCResult schema with confidence levels, blocking controls, and evidence fields. Regression test suite with domain fixtures. LDAPS support (port 636).

Risk Engine Expansion

MITRE ATT&CK mapping per ESC finding. --diff mode for remediation tracking between scans. SARIF export for CI/CD pipeline integration. Remediation Priority Engine: what to fix first to break the maximum number of DDCC paths.