ESCepcion / Risk Model
ESCepcion Risk Model
Beyond CVSS — Understanding Real Domain Compromise Risk
Traditional scanners assign severity scores to vulnerabilities in isolation. ESCepcion measures risk by what an attacker can actually reach from a standard domain user account — and maps every finding to a real identity impact level.
The Problem with Isolated Scoring
CVSS scores a vulnerability in isolation. In Active Directory Certificate Services, isolation doesn't exist.
ESC4 on a template that nobody can enroll in carries near-zero real risk. ESC4 on a published template with Domain Users enrollment rights and a two-hop path to Domain Admin is critical.
Traditional scanners cannot tell the difference. ESCepcion can — and documents exactly why.
ESCepcion's risk model accounts for:
- → Is the template published in a CA?
- → Can a low-trust user actually enroll?
- → Is manager approval blocking exploitation?
- → Does this finding connect to a privileged identity?
- → What is the full step-by-step attack chain?
L1–L5 Identity Impact Taxonomy
Weak Authentication
The attacker obtains a valid certificate only for their own account. No privilege gain. No impersonation. Example: ESC9 detected but no GenericWrite available over any domain account.
Lateral Movement Enablement
The attacker obtains a certificate for another low-privilege account or machine account. Limited pivot capability, no direct admin path. Example: ESC1 where enrollment is restricted to specific non-admin service accounts.
Privileged Account Access
The attacker obtains a certificate for a service account, admin workstation account, or account with local admin rights on critical servers. Example: ESC4 path to a Tier 1 admin account.
Domain Admin Path
The attacker obtains a TGT or NT hash for a Domain Admin, Enterprise Admin, or Domain Controller account. Full on-premises domain compromise. Example: ESC1 + low-trust enrollment → cert as DA. Example: Certifried → DC impersonation → DCSync.
Authority Takeover
The attacker compromises the CA itself, gains the ability to forge arbitrary certificates, or achieves persistence that survives domain rebuilds. Example: ESC7 ManageCA → enable hidden template → forge cert → permanent backdoor. Example: ESC12 CA shell → export CA private key → forge any certificate indefinitely.
The DDCC Engine
Not all findings are equal. DDCC tells you which ones actually matter.
The DDCC is ESCepcion's proprietary attack graph engine. It takes all findings from a scan as input nodes, builds edges between findings that can be chained together, and evaluates whether a low-trust entry point has a real walk through the graph to an L4 or L5 impact node.
The engine outputs one of three verdicts:
COMPROMISABLE
At least one deterministic path from a low-trust user to L4/L5 impact exists. The path is fully documented with step-by-step commands and the exact ESC findings involved.
NEAR MISS
A path exists but is blocked by a single prerequisite: manager approval active, template not published, GenericWrite unavailable, or StrongBinding enforced. One configuration change away from COMPROMISABLE.
SAFE
No path from any low-trust entry point to L4/L5 impact was found given the current configuration. This does NOT mean the environment is secure — it means the current combination of findings does not chain to full compromise.
A domain with 15 ESC findings but no DDCC path is safer than a domain with 2 findings that chain directly to DCSync. DDCC is the metric that matters.
Confidence Levels
LDAP_ONLY
Detected using only LDAP attribute reads. Available without --deep-scan. False positive risk is low for most ESCs. Note: ESC9 and ESC10 cannot confirm StrongCertificateBindingEnforcement without registry access — StrongBinding is not readable as a low-priv user via LDAP.
LDAP_PLUS_ACL
Detected via LDAP + security descriptor parsing. Requires resolving ACEs and SIDs including nested group membership up to depth 5 via BFS.
LDAP_PLUS_REGISTRY
LDAP detects the condition; MS-RRP registry read confirms it. Requires --deep-scan and remote registry access to the CA or DC host.
REGISTRY_DEEP_SCAN
Detectable only via MS-RRP registry read. Available exclusively with --deep-scan. Applies to: ESC10, ESC11, ESC16.
Blocking Controls
Each finding includes the blocking controls currently preventing exploitation. A finding with blocking controls is NEAR_MISS or POTENTIAL — not SAFE. Removing any single blocking control may promote the finding to EXPLOITABLE.
NOT_PUBLISHED
Template exists in AD but is not listed in any CA's certificateTemplates attribute. Cannot be used to request certificates.
NO_LOWTRUST_ENROLL
No low-trust group (Domain Users, Authenticated Users, Everyone) has enrollment rights on the template.
MANAGER_APPROVAL
PEND_ALL_REQUESTS flag is active. All certificate requests require manual admin approval before issuance.
AUTH_SIGNATURES
Template requires authorized signatures from an enrollment agent before issuance.
STRONG_BINDING
StrongCertificateBindingEnforcement = 2 is confirmed on all DCs. Prevents ESC9/ESC10 exploitation.
NO_GENERICWRITE
No account has write permissions available for the attacker to modify UPN or DNS attributes. Required for ESC9 and ESC10 exploitation.
CA_PATCHED
CA server has the November 2024 patch for CVE-2024-49019 applied. Prevents ESC15 exploitation.
Posture Score
ESCepcion calculates a domain Posture Score from 0 to 100 based on the real exploitability of findings, not their count.
NOT_SCANNED findings do not count as safe. They represent unknown risk, not confirmed security. The score includes a small penalty for coverage gaps when --deep-scan was not used.