Posts

Showing posts with the label active directory

AD CS "Certified Pre-Owned" Cheatsheet

Abusing Active Directory Certificate Services — Commands, Techniques & Defences
Based on the whitepaper by Will Schroeder & Lee Christensen (SpecterOps) · v1.0.1
THEFT1–5 · PERSIST1–3 · ESC1–8 · DPERSIST1–3 · PREVENT1–8 · DETECT1–7
Table of Contents: Background & Key Concepts · Authentication EKU OIDs · Certificate Enrollment Methods · AD CS Enumeration · Certificate Theft (THEFT1–5) · Account Persistence (PERSIST1–3) · Domain Escalation (ESC1–8) · Domain Persistence (DPERSIST1–3) · Defensive Guidance (PREVENT & DETECT) · Tool Reference
1. Background & Key Concepts
Active Directory Certificate Services (AD CS) is Microsoft's PKI implementation that integrates with Active Directory forests. It provides encryption, digital signatures, and — critically — user and machine authentication to AD. Although not installed by d...

Parent-Child Domain Trust Exploitation: The Complete Guide

📑 Table of Contents: Introduction · Attack Overview & Visualization · The 5-Phase Attack Flow · Real-World Scenarios · Complete Command Reference · Advanced Attack Vectors · Defensive Countermeasures · Detection & Monitoring · Incident Response · Conclusion
Introduction: Understanding the Threat
Active Directory (AD) is the backbone of enterprise IT infrastructure, managing identities and access for millions of organizations worldwide. Within an AD forest, domains are linked by trust relationships that enable seamless resource sharing and user authentication across domain boundaries. While these trusts are essential for operational efficiency, they represent a significant attack surface when n...

Exploiting Parent-Child Domain Trusts

In the world of Active Directory, trust relationships are the glue that holds a forest together. But what if that trust could be turned against itself? Welcome to one of the most devastating attack paths in modern cybersecurity: child-to-parent domain trust exploitation. This technique transforms a seemingly contained breach in a subsidiary domain into a forest-wide catastrophe, elevating an attacker from Domain Administrator to the almighty Enterprise Administrator in a matter of minutes. If you've ever wondered how a compromise in what appears to be a less critical child domain can lead to complete organizational takeover, you're about to discover the dark side of Active Directory's trust architecture. This guide will walk you through the mechanics, methodology, and implications of this powerful attack vector that every red teamer should master and every blue teamer should fear.
Understanding the Trust Relationship: The Foundation of the Attack
Active Directory for...