AD-ESC11Credential Access

ADCS ESC11 — RPC over IF_NOREMOTEICERTREQUEST

Relay NTLM over RPC to ICertPassage (no signing), get a cert without web enrollment.

§ Where this technique fits

AD-ESC11 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

ADCS ESC11 → certificate via RPC (no web enrollment)
When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
step 2 / 6

§ What commonly comes next

01
DFSCoerce (MS-DFSNM)
AD-COERCE-DFSCOERCE · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ADCS ESC11 → certificate via RPC (no web enrollment)

§ What commonly comes next