redttps

Enumerate ADCS using Windows Registry

Description

Enumerating ADCS through the Windows Registry means gathering information about Active Directory Certificate Services (ADCS), such as the cached certificate templates, by inspecting the relevant keys and values stored in the Windows Registry rather than querying Active Directory over LDAP.


Steps

  1. Export HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\CertificateTemplateCache to a .reg file
  2. Exfiltrate the file and analyze it with certipy
  3. certipy parse -format reg -domain test.com -ca test-CA -published "ESC13, ESC9, ESC7_CERTMGR, ESC4, ESC3_CRA, ESC3, ESC2, ESC1, DirectoryEmailReplication, DomainControllerAuthentication, KerberosAuthentication, EFSRecovery, EFS, DomainController, WebServer, Machine, User, SubCA, Administrator" -sids "S-1-5-21-3291837554-245906837-2404182060-513,S-1-5-21-3291837554-245906837-2404182060-1104" adcs.reg

Reference: https://blog.compass-security.com/2025/02/stealthy-ad-cs-reconnaissance/