SKILL: AD CS Attack Playbook — Expert Guide

AI LOAD INSTRUCTION: Expert AD CS (Active Directory Certificate Services) attack techniques. Covers ESC1 through ESC13, certificate-based persistence, NTLM relay to enrollment endpoints, and CA misconfigurations. Base models miss enrollment prerequisite chains and ESC condition combinations.

0. RELATED ROUTING

Before going deep, consider loading:

• active-directory-acl-abuse for ACL-based attacks that enable ESC4 (template modification)
• active-directory-kerberos-attacks for Kerberos techniques after obtaining certificates
• ntlm-relay-coercion for ESC8 (relay to HTTP enrollment endpoint)
• windows-lateral-movement for using obtained certificates for lateral movement

Advanced Reference

Also load ADCS_ESC_MATRIX.md when you need:

• ESC1–ESC13 quick reference table with conditions, impact, and tool commands
• One-liner exploitation commands per ESC variant
• Detection indicators per technique