Pass-the-Certificate is a highly effective Kerberos privilege escalation method that bypasses traditional password-based authentication. Instead of relying on passwords or hashes, it uses X.509 certificates
The ESC16 vulnerability in AD CS allows attackers to bypass certificate validation and escalate privileges through misconfigured templates, UPN mapping, and shadow credentials. This can
The ESC15 vulnerability (EKUwu), affects Active Directory Certificate Services (AD CS), allowing attackers to inject unauthorized EKUs (e.g., Client Authentication) into Schema Version 1 templates.
ESC14 targets weak certificate mapping in Active Directory, exploiting the altSecurityIdentities attribute to allow attackers to spoof Subject CN or Issuer DN fields. This enables
ESC11 (Enterprise Security Control 11) represents a sophisticated attack path targeting Active Directory Certificate Services (AD CS), exploiting a dangerous combination of vulnerabilities. This advanced
ESC10 is a powerful post-exploitation technique in Active Directory Certificate Services (ADCS) that lets attackers authenticate as any user even Domain Admins without knowing their
Misconfigured certificate templates, particularly those affected by ESC9, pose a critical threat to Active Directory environments. By disabling the szOID_NTDS_CA_SECURITY_EXT security extension through the CT_FLAG_NO_SECURITY_EXTENSION
In this Certipy Active Directory Exploitation guide, we explore how to use Certipy—an offensive and defensive toolkit designed for Active Directory Certificate Services (AD CS)—to
ESC8 is a critical vulnerability in Active Directory Certificate Services (ADCS) that targets web enrollment interfaces, making them vulnerable to NTLM relay attacks. If HTTPS