relaying-ntlm-for-adcs-esc8

Installation
SKILL.md

Relaying NTLM for ADCS ESC8

Legal Notice: This skill is for authorized penetration testing, red-team engagements, and educational purposes only. Coercing authentication and relaying credentials against systems you do not own or lack explicit written authorization to test is illegal. Operate strictly within a signed rules-of-engagement; ESC8 coercion can affect production domain controllers.

Overview

ESC8 is one of the Active Directory Certificate Services (AD CS) escalation paths catalogued by SpecterOps in "Certified Pre-Owned." It abuses the AD CS HTTP web-enrollment endpoint (/certsrv/), which by default supports NTLM authentication and, critically, does not enforce HTTPS channel binding or Extended Protection for Authentication (EPA). Because NTLM over HTTP on that endpoint is unprotected, an attacker can coerce a privileged machine account (typically a domain controller) into authenticating to an attacker-controlled host, then relay that NTLM authentication to the CA's web-enrollment page and request a certificate as the coerced machine.

When the relayed victim is a domain controller, the attacker obtains a certificate for the DC's machine account (DC01$). That certificate can then be used for Kerberos PKINIT to request a TGT as the DC, recover the DC's NT hash, and ultimately perform DCSync — a full domain compromise. This maps to MITRE ATT&CK T1557.001 (Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay), extended here to NTLM relay against an HTTP enrollment service.

The standard toolchain is Impacket's ntlmrelayx.py (the relay engine, with --adcs mode), a coercion tool (PetitPotam, Coercer, printerbug.py/dementor), and Certipy for enumeration and for turning the captured certificate into a TGT / NT hash.

When to Use

  • During an internal AD penetration test where AD CS with the HTTP Web Enrollment role is present and EPA is not enforced.
  • When you have a foothold (even an unauthenticated network position with a coercion vector) and want a path to Domain Admin via certificate impersonation.
  • When validating that the organization has mitigated ESC8 (EPA enabled, HTTP enrollment disabled, RPC/EFSRPC coercion patched).
  • During purple-team exercises to test detection of coercion + relay + anomalous certificate enrollment.

Prerequisites

Installs
6
GitHub Stars
24.8K
First Seen
12 days ago
relaying-ntlm-for-adcs-esc8 — mukul975/anthropic-cybersecurity-skills