03 ‐ Resources
This page presents a curated selection of key resources related to AD CS security. The resources are organized into three main categories:
- Privilege Escalation Techniques (ESCs)
- Significant Changes & Developments
- Additional References
The focus is on original research, techniques, and notable developments that have defined major changes in AD CS security and exploitation methods. While many of the resources initially focus on offensive techniques, they often include corresponding hardening recommendations and mitigation strategies.
Two documentation-focused entries are also included in recognition of their exhaustive and ongoing efforts to document AD CS behavior, vulnerabilities, and security posture. These serve as foundational references for both attackers and defenders.
If you would like to suggest additions or updates to this list, please open an issue.
The following table outlines known Escalation Abuse Cases (ESCs) involving AD CS. It includes the original researchers, publication dates, and corresponding links. While some techniques may have been identified or discussed by others, credit is given to those who originally published and classified them as specific ESC techniques.
ESC | Title | Author(s) | Date | Remarks | Link |
---|---|---|---|---|---|
ESC1 - ESC8 | Certified Pre-Owned | Will Schroeder, Lee Christensen | Jun 17, 2021 | Foundational work introducing ESC1 - ESC8 abuse techniques. | Blog post, Whitepaper |
ESC9 & ESC10 | Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Auth Methods, and More | Oliver Lyak | Aug 4, 2022 | | Link |
ESC11 | Relaying to AD CS over RPC | Sylvain Heiniger | Nov 16, 2022 | | Link |
ESC12 | Shell Access to AD CS CA with YubiHSM | Hans-Joachim Knobloch | Oct 6, 2023 | Relevant only for Yubico YubiHSM2 for CA keys. Arguably not an ESC, but rather a vulnerability in Yubico YubiHSM2. | Link |
ESC13 | AD CS ESC13 Abuse Technique | Jonas Bülow Knudsen | Feb 14, 2024 | | Link |
ESC14 | AD CS ESC14 Abuse Technique | Jonas Bülow Knudsen | Feb 28, 2024 | | Link |
ESC15 | EKUwu: Not Just Another AD CS ESC | Justin Bollinger | Nov 13, 2024 | Technique patched as CVE-2024-49019. | Link |
ESC16 | Certipy Wiki | Oliver Lyak | May 13, 2025 | | Link |
This section covers major updates, vulnerability disclosures, changes, and techniques related to AD CS exploitation that fall outside the defined ESC categories.
Title | Author(s) | Date | Remarks | Link |
---|---|---|---|---|
Shadow Credentials: Abusing Key Trust Account Mapping for Account Takeover | Elad Shamir | Jun 17, 2021 | Details how attackers can abuse the msDS-KeyCredentialLink attribute for account takeover. | Link |
Certipy 2.0: BloodHound, New Escalations, Shadow Credentials, and More | Oliver Lyak | Feb 19, 2022 | Introduces simplifications to ESC7 exploitation and clarifies ESC2/ESC3 overlaps. | Link |
Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923) | Oliver Lyak | May 10, 2022 | Explanation of CVE-2022-26923, its exploitation, and Microsoft's patch. The update introduced the SID extension and strong certificate mapping. | Link |
KB5014754: Certificate-based Auth Changes on Domain Controllers | Microsoft | May 10, 2022 | KB introducing StrongCertificateBindingEnforcement and CertificateMappingMethods in response to CVE-2022-26923, with timelines and change details. | Link |
Preview of SAN URI for Certificate Strong Mapping for KB5014754 | Microsoft | Apr 07, 2023 | Introduces the SAN URI with SID as an alternative to the SID extension. | Link |
AD CS Attack Paths in BloodHound - Part 1 | Jonas Bülow Knudsen | Jan 24, 2024 | Introduces techniques for mapping AD CS attack paths in BloodHound. | Link |
AD CS Attack Paths in BloodHound - Part 2 | Jonas Bülow Knudsen | May 1, 2024 | Continues exploration of visualizing attack paths in BloodHound. | Link |
AD CS Attack Paths in BloodHound - Part 3 | Jonas Bülow Knudsen | Sep 11, 2024 | Final part of the series on AD CS attack path visualization. | Link |
These resources provide additional context and practical insights related to AD CS, often building on prior research or demonstrating exploitation scenarios.
Title | Author(s) | Date | Remarks | Link |
---|---|---|---|---|
KB5005413: Mitigating NTLM Relay Attacks on AD CS | Microsoft | Jul 23, 2021 | Microsoft guidance on mitigating NTLM relay attacks on AD CS (ESC8). | Link |
Certificate Mapping | Microsoft | Documentation | Documentation of Kerberos certificate mapping. | Link |
Certificate Services (AD-CS) | The Hacker Recipes | Documentation | Exhaustive overview of AD CS and its vulnerabilities. | Link |
Attacking AD CS ESC Vulnerabilities Using Metasploit | Rapid7 | Documentation | Overview of AD CS vulnerabilities and how to exploit them using Metasploit. | Link |
Certificates and Pwnage and Patches, Oh My! | Will Schroeder, Lee Christensen | Nov 9, 2022 | Post-release clarifications and updates following the Certified Pre-Owned whitepaper. | Link |
From DA to EA with ESC5 | Andy Robbins | May 16, 2023 | Describes escalation from Domain Admin to Enterprise Admin using ESC5. | Link |
If you find this project useful, consider sponsoring it on GitHub to support continued development.