Basics

ADCS | PrivEsc to Domain Admin

ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate | Red Team Noteswww.ired.team

From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator - TrulysuperTruesec

tools

GitHub - grimlockx/ADCSKiller: An ADCS Exploitation Automation Tool Weaponizing Certipy and CoercerGitHub

Reconnaissance & Enumeration

This will search the certificate server, and dump all the information needed in three format :

• bloodhound : a zip ready to import in bloodhound (if you use certipy 4.0 you will have to install the bloodhound gui modified by oliver lyak, if you do not want to use the modified version, you must use the -old-bloodhound option)

• json : information json formated

• txt : a textual format

Find vulnerable templates :