# AD CS (Across Domain Trusts)

* AD CS helps with authenticating users and machines, and with encrypting and signing documents, file systems, emails and more.
* "AD CS is the Server Role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization."
* **CA -** The certification authority that issues certificates. The server with AD CS role (DC or separate) is the CA.
* **Certificate -** Issued to a user or machine and can be used for authentication, encryption, signing etc.
* **CSR -** Certificate Signing Request made by a client to the CA to request a certificate.
* **Certificate Template -** Defines settings for a certificate. Contains information such as enrollment permissions, EKUs, expiry etc.
* **EKU OIDs -** Extended Key Usages Object Identifiers. These dictate the use of a certificate template (Client authentication, Smart Card Logon, SubCA etc.)

### Ways of Abusing ADCS:

* Extract user and machine certificates
* Use certificates to retrieve NTLM hash
* User and machine level persistence
* Escalation to Domain Admin and Enterprise Admin
* Domain persistence

**Enumerating AD CS using Certify**

* We can use the Certify tool (<https://github.com/GhostPack/Certify>) to enumerate AD CS in the target forest (the tool is also used for other attacks):

```
Certify.exe cas
```

* Enumerate the templates:

```
Certify.exe find
```

* Enumerate vulnerable templates:

```
Certify.exe find /vulnerable
```
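
The template settings defined above (enrollment permissions, EKUs) are what a defender should audit before anyone else enumerates them. The following is an added example, not part of the original page or of Certify: it reviews exported template records for one commonly documented misconfiguration (broad enrollment rights, requester-supplied subject, authentication-capable EKU, no approval gate). The `enroll_principals` field, the severity labels and the sample records are assumptions constructed for illustration.

```python
# Added example: defender-side review of exported certificate template settings.
AUTH_EKUS = {  # EKU OIDs that let a certificate be used for domain authentication
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
ENROLLEE_SUPPLIES_SUBJECT = 0x1  # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2          # bit in msPKI-Enrollment-Flag (CA manager approval)
BROAD = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def review_template(t):
    """Return (severity, reason) for one template record, or None if nothing to flag."""
    ekus = t.get("pKIExtendedKeyUsage", [])
    # An empty EKU list places no restriction on how the certificate is used.
    auth = [AUTH_EKUS[o] for o in ekus if o in AUTH_EKUS] or ([] if ekus else ["no EKU restriction"])
    # Assumed field: names holding the Enroll right, resolved from the template ACL.
    broad = sorted(BROAD & set(t.get("enroll_principals", [])))
    supplies = t.get("msPKI-Certificate-Name-Flag", 0) & ENROLLEE_SUPPLIES_SUBJECT
    if not (auth and broad and supplies):
        return None
    # Manager approval or required authorized signatures gate issuance.
    gated = bool(t.get("msPKI-Enrollment-Flag", 0) & PEND_ALL_REQUESTS
                 or t.get("msPKI-RA-Signature", 0) > 0)
    reason = f"{'/'.join(broad)} may enroll, requester sets subject, usage: {', '.join(auth)}"
    return ("REVIEW" if gated else "HIGH", reason)

def review_all(templates):
    """Map template name -> (severity, reason) for every flagged template."""
    return {t["name"]: r for t in templates if (r := review_template(t))}

# Constructed sample records (not from a real environment).
SAMPLE = [
    {"name": "Example-VPNUser", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "enroll_principals": ["Domain Users"]},
    {"name": "Example-WebServer", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "msPKI-Certificate-Name-Flag": 0x1, "enroll_principals": ["Domain Computers"]},
    {"name": "Example-SmartCard", "pKIExtendedKeyUsage": ["1.3.6.1.4.1.311.20.2.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,
     "enroll_principals": ["Authenticated Users"]},
    {"name": "Example-Admin", "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "msPKI-Certificate-Name-Flag": 0x1, "enroll_principals": ["PKI Admins"]},
]

if __name__ == "__main__":
    for name, (sev, why) in review_all(SAMPLE).items():
        print(f"[{sev}] {name}: {why}")
```

Templates flagged `HIGH` are the ones to fix first: remove the requester-supplied subject, narrow the enrollment ACL, or require manager approval.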

