In this video, I show how to attack Active Directory Certificate Services. I will first show you how to use Certipy to attack ADCS with the ESC1 vulnerability in a certificate template. I will then show you how to use ADCSync (While mispronouncing the tool's name about 50 times) to sync credentials out of AD using ADCS certificates.

Reference Links
Certified Pre-Owned
https://posts.specterops.io/certified...

ADCSync
https://github.com/JPG0mez/ADCSync

Elastic Container Project
https://www.elastic.co/security-labs/...

Convert UTF8 files to ASCII
iconv -f UTF-8 -t ASCII//TRANSLIT input.txt -o output.txt

Chapters
00:00 Introduction and Explanation
01:45 Certipy ESC1
08:00 Sharphound/Updog
09:55 Unzip and convert the users.json
13:45 ADCSync
14:15 Catching ADCSync
14:52 Ensuring ADCS Logging is Enabled
17:02 SIEM Rule for Detection of ADCSync
19:54 NTLM Hash dumping
21:37 Outro