AD CS Attacks — From Windows

Quick Reference

| ESC | Vulnerability | Tool | Requirement |
|------|--------------------------------|------------------------|------------------------------|
| ESC1 | SAN in template | Certify + Rubeus | Enroll on template |
| ESC2 | Any Purpose EKU | Certify + Rubeus | Enroll on template |
| ESC3 | Enrollment Agent | Certify x2 + Rubeus | Agent cert + 2nd enroll |
| ESC4 | Template write access | PowerView + Certify | GenericWrite on template |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 | Certify + Rubeus | Any enroll |
| ESC7 | CA Officer / Manage | Certify ca | ManageCA or ManageCertificates |
| ESC8 | NTLM relay to certsrv | ntlmrelayx (from Kali) | Coercion + web enrollment |

AD CS Fundamentals

Active Directory Certificate Services (AD CS) is Microsoft’s PKI implementation, used to issue digital certificates for authentication, encryption, and code signing within a Windows domain. It is high-value from an attacker’s perspective because: ...

20 min · MrAzoth