Abusing Active Directory Certificate Services (Part 3)
ID: 48142027-6427-5fcd-95c6-335d1a047850
STIX ID: report--48142027-6427-5fcd-95c6-335d1a047850
Feed Name: Black Hills Infosec Blog
This blog post demonstrates how an attacker with internal network access can abuse ADCS Web Enrollment and NTLM relay techniques to coerce a machine to authenticate to an attacker-controlled host, relay the authentication to a vulnerable Certificate Authority (with Web Enrollment enabled and Request Disposition set to Issue), obtain a certificate for the victim account, and use that certificate to impersonate the account (including potential domain controller impersonation). The article provides step-by-step examples using Certipy, Impacket, and coercion tools (Coercer/PetitPotam), troubleshooting notes, and mitigation guidance such as disabling ADCS HTTP endpoints, disabling NTLM, enforcing HTTPS/Extended Protection, and enabling signing/channel binding.
