Hacktricks Adcs |best| May 2026

: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment.

# Request a certificate for a domain admin (using Certify) Certify.exe request /ca:dc.contoso.local\CONTOSO-CA /template:UserSAN /altname:Administrator certipy auth -pfx administrator.pfx -domain contoso.local hacktricks adcs

: Relaying NTLM to CA endpoints (see ESC8). ESC11 – If the CA allows HTTP (instead of mandatory HTTPS) Same as ESC8. ESC12 – CA Holder Compromise (via AD CS Web Enrollment, no hardening) Allows remote attackers to capture NTLM hashes or relay authentication. ESC13 – Dangerous Certificate Template with Extra EKU that Enables Domain Controller Authentication Some templates include EKUs like “Domain Controller Authentication” (1.3.6.1.4.1.311.20.2.2) combined with low enrollment rights. : Immediate domain admin access via Kerberos authentication

Certify.exe request /ca:DC.CONTOSO.LOCAL\CONTOSO-CA /template:User /altname:Administrator Condition : ADCS web enrollment interfaces ( /certsrv/ , /CertSrv/ , /certsrv/mscep/ ) are enabled and not configured with extended protection or HTTPS. ESC11 – If the CA allows HTTP (instead

: Modify template to enable ESC1 conditions (e.g., allow SAN supply), then request as ESC1.

: Request any template with Client Authentication EKU and include SAN.

: Similar to ESC1, request a certificate for any user. ESC10 – Weak Authentication on CA Condition : CA’s authentication strength is set to low (e.g., Windows Integrated Auth without any additional protection).