Abusing Active Directory Certificate Services (Part 4)
ID: dd8135be-70bd-5bea-bcd9-9a21342ce803
STIX ID: report--dd8135be-70bd-5bea-bcd9-9a21342ce803
Feed Name: Black Hills Infosec Blog
This blog post explains how misconfigurations in Active Directory Certificate Services (ADCS) — specifically overly permissive enrollment rights and insecure Extended Key Usage settings — enable ESC2 and ESC3 escalation techniques. Using Certipy, an attacker with a low-privilege account can request certificates (including Any Purpose or Certificate Request Agent templates), generate PFX files, request certificates on behalf of privileged accounts, extract Kerberos TGTs and NT hashes, and achieve persistent domain admin access. The article includes examples, commands, detection (event IDs) and mitigation recommendations.
