
ESC10 Detection#358

Open
adervis3 wants to merge 3 commits into ly4k:main from adervis3:main

Conversation

@adervis3

@adervis3 adervis3 commented Mar 1, 2026

Add ESC10 (Weak Certificate Mapping) detection

Summary

Add detection for ESC10 (Weak Certificate Mapping), a missing vulnerability scenario in Certipy's find command. ESC10 exploits weak certificate-to-account mapping configurations on Domain Controllers and has two sub-scenarios:

  • ESC10a: StrongCertificateBindingEnforcement = 0 on the DC (KDC service) — certificate binding enforcement is completely disabled
  • ESC10b: CertificateMappingMethods contains the 0x4 flag (UPN mapping) — weak UPN-based certificate mapping is enabled

Both require a template that supports client authentication, enrollment rights, and no manager approval. A GenericWrite prerequisite over another account is also needed for exploitation.

Changes

Single file changed: certipy/commands/find.py

  1. New method _get_dc_registry_config() — Connects to the DC's remote registry (RRP) and reads two registry keys:

    • HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement (default: 1)
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CertificateMappingMethods (default: 0x18)
    • Uses the existing open_remote_registry() infrastructure (same pattern as ca.py)
    • Graceful fallback: registry key not found uses Windows default value; access denied reports as "Unknown"; --dc-only mode skips registry read entirely
  2. Pipeline integration — _get_dc_registry_config() is called in find() between CA property processing and template property processing

  3. ESC10a/ESC10b vulnerability checks — Added to get_template_vulnerabilities() after the existing ESC9 check:

    • ESC10a triggers when StrongCertificateBindingEnforcement == 0 and template allows client authentication
    • ESC10b triggers when CertificateMappingMethods & 0x4 and template allows client authentication
    • Both include a remark noting the GenericWrite prerequisite
  4. Output: "Domain Controller Configuration" section — Added to get_output_for_text_and_json() before CA and Template sections, showing the DC host and both registry values. Appears in both text and JSON output formats. CSV output inherits ESC10 info through the existing [!] Vulnerabilities column in template CSVs.

  5. Docstring updates — Module and method docstrings updated to reflect ESC10a/ESC10b coverage

No changes to

  • ca.py, security.py, constants.py — no new rights or flags needed
  • CLI arguments / parsers — no new parameters required; existing certipy find -vulnerable covers ESC10
  • CSV output logic — ESC10 automatically appears in the template CSV [!] Vulnerabilities column

How I tested

If you want to see example output I can provide.

certipy find -u user@domain -p password -dc-ip <DC_IP> -vulnerable

Expected output when vulnerable:

  • A new "Domain Controller Configuration" section showing StrongCertificateBindingEnforcement and CertificateMappingMethods values
  • Templates with client authentication flagged as ESC10a/ESC10b under [!] Vulnerabilities
  • Remarks noting the GenericWrite prerequisite

Test environment requirements:

  • A DC with StrongCertificateBindingEnforcement = 0 (for ESC10a)
  • A DC with CertificateMappingMethods containing 0x4 flag (for ESC10b)
  • At least one enabled certificate template with client authentication EKU

Code quality

flake8 ./certipy && isort . && black . && pyright
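The evaluation rules the description lays out (two registry values with Windows defaults, "Unknown" on access denied, skip under --dc-only, ESC10a on StrongCertificateBindingEnforcement == 0, ESC10b on the 0x4 bit of CertificateMappingMethods, both gated on a client-authentication template with enrollment rights and no manager approval) can be read end to end in the following illustration. This is an added example and not Certipy's find.py: the remote-registry read is replaced by a constructed in-memory dict so it runs offline, and the names `read_registry_value`, `DcRegistryConfig`, `Template`, `esc10_vulnerabilities`, `format_dc_section` and the sample host `dc01.example.local` are assumptions for the example. Key paths, defaults and the 0x4 flag are the values quoted in the PR text.

```python
"""Added example: ESC10a/ESC10b evaluation logic as described in the PR.

Illustrative code, not Certipy's own. The RRP read is replaced by a
constructed dict so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Union

# Registry values the PR reads (paths and defaults quoted from the description).
KDC_SCBE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement"
SCHANNEL_CMM_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CertificateMappingMethods"
DEFAULT_SCBE = 1        # Windows default: enforcement enabled
DEFAULT_CMM = 0x18      # Windows default mapping methods
UPN_MAPPING_FLAG = 0x4  # weak UPN-based certificate mapping

MISSING = object()          # sentinel: value not present in the registry
RegValue = Union[int, str]  # int read from the DC, or "Unknown" on access denied

GENERIC_WRITE_REMARK = "Exploitation additionally requires GenericWrite over another account."


@dataclass
class DcRegistryConfig:
    dc_host: str
    strong_certificate_binding_enforcement: RegValue
    certificate_mapping_methods: RegValue


@dataclass
class Template:
    name: str
    client_authentication: bool      # template carries a client-auth EKU
    enrollable: bool                 # current principal has enrollment rights
    requires_manager_approval: bool


def read_registry_value(registry: Dict[str, object], path: str) -> object:
    """Hypothetical stand-in for the remote-registry (RRP) read.

    `registry` is a constructed dict; a PermissionError stored as a value
    simulates an access-denied response from the DC.
    """
    value = registry.get(path, MISSING)
    if isinstance(value, PermissionError):
        raise value
    return value


def get_dc_registry_config(registry: Dict[str, object],
                           dc_host: str = "dc01.example.local",  # assumed sample host
                           dc_only: bool = False) -> Optional[DcRegistryConfig]:
    """Apply the fallback policy from the PR: missing key -> Windows default,
    access denied -> "Unknown", --dc-only -> no registry read at all."""
    if dc_only:
        return None

    def resolve(path: str, default: int) -> RegValue:
        try:
            value = read_registry_value(registry, path)
        except PermissionError:
            return "Unknown"
        return default if value is MISSING else int(value)  # type: ignore[arg-type]

    return DcRegistryConfig(
        dc_host=dc_host,
        strong_certificate_binding_enforcement=resolve(KDC_SCBE_KEY, DEFAULT_SCBE),
        certificate_mapping_methods=resolve(SCHANNEL_CMM_KEY, DEFAULT_CMM),
    )


def esc10_vulnerabilities(template: Template,
                          dc_config: Optional[DcRegistryConfig]) -> Dict[str, str]:
    """Return {finding: remark} for ESC10a/ESC10b on one template."""
    findings: Dict[str, str] = {}
    if dc_config is None:
        return findings  # nothing known about the DC (e.g. --dc-only)
    usable = (template.client_authentication
              and template.enrollable
              and not template.requires_manager_approval)
    if not usable:
        return findings

    scbe = dc_config.strong_certificate_binding_enforcement
    if scbe == 0:  # "Unknown" never compares equal to 0, so it is not flagged
        findings["ESC10a"] = ("StrongCertificateBindingEnforcement is 0 on the DC. "
                              + GENERIC_WRITE_REMARK)

    cmm = dc_config.certificate_mapping_methods
    if isinstance(cmm, int) and cmm & UPN_MAPPING_FLAG:
        findings["ESC10b"] = ("CertificateMappingMethods has the 0x4 (UPN) flag set. "
                              + GENERIC_WRITE_REMARK)
    return findings


def format_dc_section(dc_config: Optional[DcRegistryConfig]) -> str:
    """Text rendering of the 'Domain Controller Configuration' section."""
    if dc_config is None:
        return "Domain Controller Configuration\n  (skipped: --dc-only)"
    cmm = dc_config.certificate_mapping_methods
    cmm_text = cmm if isinstance(cmm, str) else f"0x{cmm:x}"
    return ("Domain Controller Configuration\n"
            f"  DC Host                              : {dc_config.dc_host}\n"
            f"  StrongCertificateBindingEnforcement  : {dc_config.strong_certificate_binding_enforcement}\n"
            f"  CertificateMappingMethods            : {cmm_text}")


if __name__ == "__main__":
    # Constructed sample: a DC with both weak settings and an enrollable client-auth template.
    weak_dc = {KDC_SCBE_KEY: 0, SCHANNEL_CMM_KEY: 0x1C}
    cfg = get_dc_registry_config(weak_dc)
    print(format_dc_section(cfg))
    user_tpl = Template("User", client_authentication=True, enrollable=True,
                        requires_manager_approval=False)
    for finding, remark in esc10_vulnerabilities(user_tpl, cfg).items():
        print(f"  [!] {finding}: {remark}")
```

The three fallback paths are the part worth checking when reviewing a change like this: a missing value must resolve to the Windows default rather than to 0 (otherwise every DC without the key would be reported as ESC10a), and an access-denied read must resolve to "Unknown" rather than to a default that silently suppresses or invents a finding.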

adervis3 added 3 commits March 1, 2026 10:44

  • The warning regarding code quality control has been resolved. Added type ignore comment for missing import.
  • Added detection for DC registry configuration related to ESC10 vulnerabilities, including strong certificate binding enforcement and certificate mapping methods. Updated relevant sections to integrate this new detection into the output.
  • 'reportUnnecessaryTypeIgnoreComments' was removed to address a code quality issue.

adervis3 changed the title from "ESC10 Detecetion" to "ESC10 Detection" on Mar 1, 2026