HackTricks ADCS (May 2026)
Introduction

Active Directory Certificate Services (ADCS) is Microsoft’s PKI (Public Key Infrastructure) implementation. When integrated with Active Directory, ADCS enables certificate-based authentication, smart card logons, and encryption. However, misconfigurations in ADCS are notoriously common and can lead to domain compromise, privilege escalation, and persistence.
# Using PowerMad (Set-PKITemplate -Identity VulnTemplate -EnrolleeSuppliesSubject $true -AddEKUs @("Client Authentication"))

Condition: CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag. (Allows any requester to specify a SAN.)
: Immediate domain admin access via Kerberos authentication.

ESC2 – Certificate Template Allows Any EKU

Condition: Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment.
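
A read-only audit for the two conditions listed above (Any Purpose EKU templates open to low-privileged enrollment, and the EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag), as an added example that is not code from the original page or from HackTricks. It assumes the RSAT ActiveDirectory module, that the certutil line runs on the CA host, and that "low-priv" means the four well-known groups in `$lowPrivSids` for the current domain.

```powershell
# Added example: read-only audit, not code from the original page.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$anyPurposeOid = '2.5.29.37.0'
$enrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$domainSid     = (Get-ADDomain).DomainSID.Value
# Assumption: "low-priv" = Everyone, Authenticated Users, Domain Users, Domain Computers
$lowPrivSids   = @('S-1-1-0', 'S-1-5-11', "$domainSid-513", "$domainSid-515")
$sidType       = [System.Security.Principal.SecurityIdentifier]
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Template check: Any Purpose EKU plus an Allow ACE granting enrollment to a low-priv group
$templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties pKIExtendedKeyUsage, nTSecurityDescriptor
$findings = foreach ($template in $templates) {
    if ($template.pKIExtendedKeyUsage -notcontains $anyPurposeOid) { continue }
    $enrollers = foreach ($ace in $template.nTSecurityDescriptor.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }
        # Empty ObjectType means all extended rights (e.g. GenericAll), which includes enrollment
        if ($ace.ObjectType -ne $enrollRight -and $ace.ObjectType -ne [guid]::Empty) { continue }
        if ($lowPrivSids -contains $ace.IdentityReference.Value) { $ace.IdentityReference.Value }
    }
    if ($enrollers) {
        [pscustomobject]@{
            Template     = $template.Name
            Finding      = 'Any Purpose EKU with low-priv enrollment'
            EnrollerSids = ($enrollers | Sort-Object -Unique) -join ', '
        }
    }
}
$findings | Format-Table -AutoSize

# CA check: certutil lists the names of the flags that are set in EditFlags.
# Assumption: this line runs on the CA host itself.
$editFlags = certutil -getreg policy\EditFlags
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: requesters can supply their own SAN.'
}
```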