# AD CS (Across Domain Trusts)

* AD CS helps with authenticating users and machines, and with encrypting and signing documents, file systems, emails and more.
* "AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization."
* **CA -** The certification authority that issues certificates. The server with the AD CS role (a DC or a separate server) is the CA.
* **Certificate -** Issued to a user or machine and can be used for authentication, encryption, signing, etc.
* **CSR -** Certificate Signing Request made by a client to the CA to request a certificate.
* **Certificate Template -** Defines the settings for a certificate. Contains information such as enrollment permissions, EKUs, expiry, etc.
* **EKU OIDs -** Extended Key Usages Object Identifiers. These dictate the use of a certificate template (Client authentication, Smart Card Logon, SubCA etc.)

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FiBK96m9SfrfkxA6xMMIH%2Fimage.png?alt=media&#x26;token=7ac23a50-ca66-443e-bc8d-7e52a4672bc7" alt=""><figcaption></figcaption></figure>

### Ways of Abusing AD CS:

* Extract user and machine certificates
* Use certificates to retrieve the NTLM hash
* User and machine level persistence
* Escalation to Domain Admin and Enterprise Admin
* Domain persistence

**Enumerating AD CS using Certify**

* We can use the Certify tool (<https://github.com/GhostPack/Certify>) to enumerate AD CS in the target forest (the tool also supports other attacks):

```
Certify.exe cas
```

* Enumerate the templates:

```
Certify.exe find
```

* Enumerate vulnerable templates:

```
Certify.exe find /vulnerable
```
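
The template settings defined above (enrollment permissions, EKUs) are what a defender reviews when auditing templates. The following is an added example, not code from the original page or from Certify: it checks exported template attributes for one well-known risky combination (authentication-capable EKU, requester-supplied subject, open enrollment, no approval). The attribute names and flag bits are the real AD template attributes; the template records and the `enrollers` field are constructed for illustration.

```python
# Added example: defensive review of exported certificate-template attributes.
AUTH_EKUS = {  # EKU OIDs that let a certificate be used for domain authentication
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def review_template(t):
    """Return (severity, reasons) for one template record."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    # An empty EKU list does not restrict usage, so treat it as auth-capable.
    auth = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS] if ekus else ["no EKU restriction"]
    supplies = bool(t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT)
    if not (auth and supplies):
        return "ok", []
    reasons = ["authentication EKU: " + ", ".join(auth), "requester supplies the subject name"]
    # Manager approval or required authorized signatures gate issuance.
    gated = bool(t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS) \
        or t.get("msPKI-RA-Signature", 0) > 0
    broad = sorted(LOW_PRIV & set(t.get("enrollers", [])))
    if broad and not gated:
        reasons.append("enrollable without approval by: " + ", ".join(broad))
        return "high", reasons
    return "review", reasons

# Constructed sample records. "enrollers" is a hypothetical, pre-resolved list of
# principals holding Enroll rights (in AD this lives in the template's ACL).
TEMPLATES = [
    {"cn": "WebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "enrollers": ["Domain Admins"]},
    {"cn": "User", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "msPKI-Certificate-Name-Flag": 0x02000000, "enrollers": ["Domain Users"]},
    {"cn": "Corp-VPN-User", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "enrollers": ["Domain Users"]},
    {"cn": "Corp-VPN-Approved", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "enrollers": ["Domain Users"]},
]

def audit(templates):
    """Map each template name to its severity."""
    return {t["cn"]: review_template(t)[0] for t in templates}

if __name__ == "__main__":
    for t in TEMPLATES:
        sev, reasons = review_template(t)
        print(f"{t['cn']:<18} {sev:<7} {'; '.join(reasons)}")
```

Templates reported as `high` are candidates for requiring manager approval, building the subject from Active Directory instead of the request, or narrowing the enrollment permissions.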
