: Relaying NTLM to CA endpoints (see ESC8). ESC11 – If the CA allows HTTP (instead of mandatory HTTPS) Same as ESC8. ESC12 – CA Holder Compromise (via AD CS Web Enrollment, no hardening) Allows remote attackers to capture NTLM hashes or relay authentication. ESC13 – Dangerous Certificate Template with Extra EKU that Enables Domain Controller Authentication Some templates include EKUs like “Domain Controller Authentication” (1.3.6.1.4.1.311.20.2.2) combined with low enrollment rights.
# Request a certificate for a domain admin (using Certify) Certify.exe request /ca:dc.contoso.local\CONTOSO-CA /template:UserSAN /altname:Administrator certipy auth -pfx administrator.pfx -domain contoso.local
: Modify template to enable ESC1 conditions (e.g., allow SAN supply), then request as ESC1. hacktricks adcs
(using ntlmrelayx.py from Impacket):
: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment. : Relaying NTLM to CA endpoints (see ESC8)
: Obtain a certificate for the relayed account (e.g., a computer account, domain admin). ESC9 – No Security Extension in Template Condition : Certificate template has CT_FLAG_NO_SECURITY_EXTENSION , which bypasses permissions on the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT .
Certify.exe request /ca:DC.CONTOSO.LOCAL\CONTOSO-CA /template:User /altname:Administrator Condition : ADCS web enrollment interfaces ( /certsrv/ , /CertSrv/ , /certsrv/mscep/ ) are enabled and not configured with extended protection or HTTPS. ESC13 – Dangerous Certificate Template with Extra EKU
: Request any template with Client Authentication EKU and include SAN.