Active Directory Certificate Services (ADCS)
Overview
Active Directory Certificate Services (ADCS) is a Windows Server role that provides public key infrastructure (PKI) functionality. This guide covers techniques for testing ADCS security.
Enumeration
1. Service Discovery
# Using the ActiveDirectory module (PowerView's Get-DomainObject accepts the same -LDAPFilter and -SearchBase)
# Enrollment services and templates live in the Configuration naming context, so the search base must point there;
# the default domain search base returns nothing for these object classes
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $configNC -LDAPFilter "(objectClass=pKIEnrollmentService)" -Properties *
Get-ADObject -SearchBase $configNC -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties *
# Using Certify
Certify.exe find
Certify.exe find /vulnerable
2. Certificate Template Enumeration
# Using the ActiveDirectory module; the template flags are stored under the msPKI-* attribute names
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $configNC -LDAPFilter "(objectClass=pKICertificateTemplate)" -Properties * | Select-Object Name, pKIMaxIssuingDepth, 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag'
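The template attributes selected above are raw bit flags; as an added audit example (not from the original page, Certify or PowerView), the script below decodes the flags that drive the ESC1 review and lists templates whose configuration should be tightened. It assumes the RSAT ActiveDirectory module and an account that can read the Configuration partition, and it does not evaluate enrollment ACLs.

```powershell
# Added audit example; not part of the original page or of Certify/PowerView.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Flag bits from MS-CRTD and the EKU OIDs that make a certificate usable for logon
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester chooses the SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: CA manager approval required
$AuthEkuOids = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '2.5.29.37.0'               # Any Purpose
)

function Get-TemplateSanAudit {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $props     = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'pKIExtendedKeyUsage'

    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
        ForEach-Object {
            # [int]$null is 0, so an unset attribute is treated as "flag not set"
            $nameFlag   = [int]$_.'msPKI-Certificate-Name-Flag'
            $enrollFlag = [int]$_.'msPKI-Enrollment-Flag'
            $raSigs     = [int]$_.'msPKI-RA-Signature'
            $ekus       = @($_.pKIExtendedKeyUsage)

            $suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
            $needsApproval   = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
            # An empty EKU list means the certificate is valid for any purpose, including logon
            $authCapable     = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $AuthEkuOids -contains $_ }).Count -gt 0)

            [pscustomobject]@{
                Template                = $_.Name
                EnrolleeSuppliesSubject = $suppliesSubject
                ManagerApproval         = $needsApproval
                AuthorizedSignatures    = $raSigs
                AuthEku                 = $authCapable
                # The combination Certify's /vulnerable check reports as ESC1; remediate by requiring
                # approval, clearing ENROLLEE_SUPPLIES_SUBJECT, or restricting enrollment rights
                NeedsReview             = $suppliesSubject -and $authCapable -and -not $needsApproval -and ($raSigs -eq 0)
            }
        }
}

Get-TemplateSanAudit | Where-Object NeedsReview | Format-Table -AutoSize
```

Templates flagged NeedsReview still need their enrollment ACL checked (which principals hold Enroll) before deciding on remediation.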
# Using Certify
Certify.exe find /template:*
Authentication Testing
1. Certificate Request
2. Certificate Enrollment
Configuration Testing
1. CA Configuration
2. Template Configuration
Exploitation
1. ESC1 - Misconfigured Certificate Templates
2. ESC2 - Any Purpose EKU
3. ESC3 - Enrollment Agent
4. ESC4 - Access Control
5. ESC5 - Vulnerable PKI Object Access Control
6. ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2
7. ESC7 - Vulnerable Certificate Authority Access Control
8. ESC8 - NTLM Relay to AD CS HTTP Endpoints
Post-Exploitation
1. Certificate Theft
2. Certificate Abuse
BloodHound AD Integration
1. Data Collection
2. ADCS Analysis
3. Attack Path Analysis
4. Custom Queries
Tools
1. Primary Tools
Certify
Rubeus
PowerView
Certutil
Certreq
BloodHound
SharpHound
BloodHound Python
2. Additional Tools
PSPKIAudit
PKIAudit
Certipy
PKIHealth
CertSrv
Neo4j
Cypher
Best Practices
1. Testing Strategy
Start with non-intrusive techniques
Use multiple methods
Document findings
Test safely
Follow engagement scope
2. OPSEC Considerations
Use stealth techniques
Avoid detection
Monitor for alerts
Use legitimate tools
Follow engagement scope
Resources
Last Updated: 2025-03-23