What starting position does this attack require?

The first step is Low-priv principal w/ network reach (T1078) — a initial access primitive. Assumed environment: CA host has IF_NOREMOTEICERTREQUEST disabled and RPC interface accessible.

What is the final impact of this kill-chain?

The final step lands on PKINIT as DC$ (AD-UNPAC), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

ADCS ESC11 → certificate via RPC (no web enrollment)

When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Low-priv principal w/ network reach

T1078 · Valid Accounts

Lateral Movement

DC cert issued

T1550.003 · Pass the Ticket

Initial Access

Coerce DC$ via PetitPotam / DFSCoerce

AD-COERCE-DFSCOERCE · DFSCoerce (MS-DFSNM)

Credential Access

DCSync

T1003.006 · DCSync

Credential Access

ntlmrelayx --adcs to CA RPC

AD-ESC11 · ADCS ESC11 — RPC over IF_NOREMOTEICERTREQUEST

ntlmrelayx.py -t rpc://<ca> --adcs --template DomainController

Credential Access

PKINIT as DC$

AD-UNPAC · UnPAC-the-Hash

§ Context

Assumed environment: CA host has IF_NOREMOTEICERTREQUEST disabled and RPC interface accessible. Common when admins disable web enrollment thinking it patches ESC8.

§ Steps

01
Low-priv principal w/ network reachInitial Access
T1078— Valid Accounts
02
DC cert issuedLateral Movement
T1550.003— Pass the Ticket
03
Coerce DC$ via PetitPotam / DFSCoerceInitial Access
AD-COERCE-DFSCOERCE— DFSCoerce (MS-DFSNM)
04
DCSyncCredential Access
T1003.006— DCSync
05
ntlmrelayx --adcs to CA RPCCredential Access
AD-ESC11— ADCS ESC11 — RPC over IF_NOREMOTEICERTREQUEST
ntlmrelayx.py -t rpc://<ca> --adcs --template DomainController
06
PKINIT as DC$Credential Access
AD-UNPAC— UnPAC-the-Hash

§ References

T1078Valid Accounts
T1550.003Pass the Ticket
T1003.006DCSync

§ Frequently asked

What is the "ADCS ESC11 → certificate via RPC (no web enrollment)" attack path?: When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Low-priv principal w/ network reach (T1078) — a initial access primitive. Assumed environment: CA host has IF_NOREMOTEICERTREQUEST disabled and RPC interface accessible.
What is the final impact of this kill-chain?: The final step lands on PKINIT as DC$ (AD-UNPAC), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ADCS ESC11 → certificate via RPC (no web enrollment)

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

mitm6 IPv6 SLAAC → NTLM relay → DA

Shadow Credentials → PKINIT → NT hash

PetitPotam + ADCS ESC8 → Domain Controller takeover

ADCS ESC1 → Domain Admin

Unconstrained delegation → Capture DC TGT → DCSync

Citrix Bleed → steal authenticated session → MFA bypass