Hacktricks Adcs: !exclusive!

: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment.

: Similar to ESC1, request a certificate for any user. ESC10 – Weak Authentication on CA Condition : CA’s authentication strength is set to low (e.g., Windows Integrated Auth without any additional protection). hacktricks adcs

# Using PowerMad (Set-PKITemplate -Identity VulnTemplate -EnrolleeSuppliesSubject $true -AddEKUs @("Client Authentication")) Condition : CA is configured with EDITF_ATTRIBUTESUBJECTALTNAME2 flag. (Allows any requester to specify SAN.) : Immediate domain admin access via Kerberos authentication

Introduction Active Directory Certificate Services (ADCS) is Microsoft’s PKI (Public Key Infrastructure) implementation. When integrated with Active Directory, ADCS enables certificate-based authentication, smart card logons, and encryption. However, misconfigurations in ADCS are notoriously common and can lead to domain compromise, privilege escalation, and persistence. ESC10 – Weak Authentication on CA Condition :

: Modify template to enable ESC1 conditions (e.g., allow SAN supply), then request as ESC1.

: Obtain a certificate for the relayed account (e.g., a computer account, domain admin). ESC9 – No Security Extension in Template Condition : Certificate template has CT_FLAG_NO_SECURITY_EXTENSION , which bypasses permissions on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT .