
Overview
🧠 What is AD CS ESC6?
ESC6 = Misconfigured CA with EDITF_ATTRIBUTESUBJECTALTNAME2 enabled
In simple words:
🧨 The Certificate Authority (CA) allows users to specify any Subject Alternative Name (SAN)
→ including another user’s UPN (like Administrator)
→ without template protection
🎯 No template modification needed
🎯 No object ownership needed
🎯 Only CA misconfiguration
🧩 The Core Misconfiguration:
The CA has this flag enabled:
EDITF_ATTRIBUTESUBJECTALTNAME2
🔴 This tells the CA:
“I trust whatever SAN the requester puts inside the request.”
⚠️ Even if the template does NOT allow SANs, the CA will still accept them.
👉 ESC6 is NOT about templates
👉 ESC6 is about the CA itself
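A defender-side check for this flag, as an added example (not part of the original course material). It assumes the CA uses the default Microsoft policy module and that the script runs on the CA server. The function names `Test-Esc6Flag` and `Get-Esc6Finding` are hypothetical, and the two sample EditFlags values are constructed for illustration.

```powershell
# Added example: audit the CA policy module for EDITF_ATTRIBUTESUBJECTALTNAME2.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000   # bit value of the edit flag

function Test-Esc6Flag {
    param([Parameter(Mandatory)][int]$EditFlags)
    # True when the CA accepts a requester-supplied SAN request attribute.
    return ($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
}

function Get-Esc6Finding {
    # Reads EditFlags for every CA configured on this host.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    if (-not (Test-Path $base)) {
        Write-Warning 'No CertSvc configuration found: this host is not a CA.'
        return
    }
    foreach ($ca in Get-ChildItem -Path $base) {
        # Assumption: the default Microsoft policy module is the active one.
        $policy = "$base\$($ca.PSChildName)\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
        $prop = Get-ItemProperty -Path $policy -Name EditFlags -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # custom policy module or no EditFlags value
        [pscustomobject]@{
            CA          = $ca.PSChildName
            EditFlags   = '0x{0:X8}' -f $prop.EditFlags
            Esc6Exposed = Test-Esc6Flag -EditFlags $prop.EditFlags
        }
    }
}

# Constructed sample values: the same EditFlags with and without the SAN2 bit.
foreach ($sample in 0x0011014E, 0x0015014E) {
    '{0} -> ESC6 flag set: {1}' -f ('0x{0:X8}' -f $sample), (Test-Esc6Flag -EditFlags $sample)
}

# On a CA server, list every CA and whether the flag is enabled.
Get-Esc6Finding | Format-Table -AutoSize
```

If a CA reports `Esc6Exposed = True`, the flag can be cleared on that CA with `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2`, followed by a restart of the CertSvc service.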
Resources:
https://www.hackingarticles.in/esc6-editf_attributesubjectaltname2/
https://redfoxsec.com/blog/exploiting-active-directory-certificate-services-ad-cs/
Course Features
- Lectures: 1
- Quizzes: 0
- Duration: Lifetime access
- Skill level: All levels
- Language: Arabic
- Students: 0
- Assessments: Yes
Curriculum
- 1 Section
- 1 Lesson
- Lifetime
- ADCS ESC61




