Skip to main content

Assess whether ADCS is installed

A cheatsheet about assessing whether Active Directory Certificate Services (ADCS) is installed using Windows PowerShell commands to check for ADCS modules and groups, and Linux tools like Netexec and Certipy to identify ADCS presence and vulnerable templates.

Author: BobBuilder

Windows

  • Presence of module ADCS: 
    Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction SilentlyContinue
  • Presence of built-in Cert Publishers group which authorizes Certificate Authorities to publish certificates: 
    net localgroup "Cert Publishers"
  • Explore the Public Key Services container structure: 
    CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain}

Linux

  • Netexec to identify presence of ADCS: 
    netexec ldap 10.10.10.10 -u "user@lab.local" -p "Password1" -M adcs
  • Check vulnerable templates: 
    certipy find -vulnerable -u "user@lab.local" -p "Password1" -dc-ip 10.10.10.10 -stdout
Back to top