AD-ESC8Credential Access

ADCS ESC8 — HTTP Web Enrollment NTLM Relay

Relay NTLM auth to the CA's HTTP web-enrollment endpoint to obtain a cert as the coerced principal.

§ Where this technique fits

AD-ESC8 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 4 on average.

§ Dossiers chaining this technique

PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
step 4 / 6

§ What commonly comes next

01
Pass the Ticket
T1550.003 · Lateral Movement
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

PetitPotam + ADCS ESC8 → Domain Controller takeover

§ What commonly comes next