AD CS Attacks — From Kali

Quick Reference Table

| ESC | Vulnerability | Tool | Requirement |
|-----|---------------|------|-------------|
| ESC1 | SAN in template | certipy req | Enroll permission on template |
| ESC2 | Any Purpose EKU | certipy req | Enroll permission |
| ESC3 | Enrollment Agent | certipy req | Agent cert + second request |
| ESC4 | Template write access | certipy template | GenericWrite on template |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | certipy req | Any enroll permission |
| ESC7 | CA Manage Officer | certipy ca | Manage CA / Manage Certificates |
| ESC8 | NTLM relay to /certsrv/ | certipy relay | PetitPotam/coercion |
| ESC9 | No szOID_NTDS_CA_SECURITY_EXT | certipy | UPN mapping abuse |
| ESC11 | Relay to ICPR | certipy relay -ca-pfx | NTLM relay |

AD CS Fundamentals

Active Directory Certificate Services (AD CS) is Microsoft’s PKI (Public Key Infrastructure) implementation. It issues X.509 certificates used for authentication, encryption, and signing within a Windows domain. ...

20 min · MrAzoth