{
	"id": "6ca6cdae-6e5a-4a6b-8b66-984210614e56",
	"created_at": "2026-04-06T00:06:35.892998Z",
	"updated_at": "2026-04-10T13:11:21.005322Z",
	"deleted_at": null,
	"sha1_hash": "2002416e2288bdbf4a1baf461a895eb496ea4640",
	"title": "GitHub - GhostPack/Certify: Active Directory certificate abuse.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69037,
	"plain_text": "GitHub - GhostPack/Certify: Active Directory certificate abuse.\r\nBy bytewreck\r\nArchived: 2026-04-05 21:56:54 UTC\r\nCertify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).\r\n@harmj0y and @tifkin_ are the primary authors of Certify and the the associated AD CS research (blog and\r\nwhitepaper).\r\nTable of Contents\r\nCertify\r\nUsage\r\nDefensive Considerations\r\nCompile Instructions\r\nSidenote: Running Certify Through PowerShell\r\nSidenote Sidenote: Running Certify Over PSRemoting\r\nReflections\r\nAcknowledgments\r\nUsage\r\nA command overview and comprehensive usage details can be found on the wiki.\r\nDefensive Considerations\r\nCertify was released at Black Hat 2021 with our \"Certified Pre-Owned: Abusing Active Directory Certificate\r\nServices\" talk.\r\nSee our whitepaper for prevention and detection guidance.\r\nCompile Instructions\r\nWe are not planning on releasing binaries for Certify, so you will have to compile yourself :)\r\nCertify has been built against .NET 4.7.2 and is compatible with Visual Studio 2022 Community Edition. 
Simply\r\nopen up the project .sln, choose \"Release\", and build.\r\nSidenote: Running Certify Through PowerShell\r\nIf you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode\r\nthe resulting assembly:\r\nhttps://github.com/GhostPack/Certify/\r\nPage 1 of 3\n\n[Convert]::ToBase64String([IO.File]::ReadAllBytes(\"C:\\Temp\\Certify.exe\")) | Out-File -Encoding ASCII C:\\Temp\\Ce\r\nCertify can then be loaded in a PowerShell script with the following (where \"aa...\" is replaced with the base64-\r\nencoded Certify assembly string):\r\n$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String(\"aa...\"))\r\nThe Main() method and any arguments can then be invoked as follows:\r\n[Certify.Program]::Main(\"enum-templates --filter-enabled --filter-vulnerable\".Split())\r\nSidenote Sidenote: Running Certify Over PSRemoting\r\nDue to the way PSRemoting handles output, we need to redirect stdout to a string and return that instead. Luckily,\r\nCertify has a function to help with that.\r\nIf you follow the instructions in Sidenote: Running Certify Through PowerShell to create a Certify.ps1, append\r\nsomething like the following to the script:\r\n[Certify.Program]::MainString(\"enum-templates --filter-enabled --filter-vulnerable\")\r\nYou should then be able to run Certify over PSRemoting with something like the following:\r\n$s = New-PSSession dc.theshire.local\r\nInvoke-Command -Session $s -FilePath C:\\Temp\\Certify.ps1\r\nAlternatively, Certify's /outfile:C:\\FILE.txt argument will redirect all output streams to the specified file.\r\nReflections\r\nOn the subject of public disclosure, we self-embargoed the release of our offensive tooling (Certify as well as\r\nForgeCert) for ~45 days after we published our whitepaper in order to give organizations a chance to get a grip on\r\nthe issues surrounding Active Directory Certificate Services. 
We also preemptively released some Yara rules/IOCs\r\nfor both projects and released the defensive-focused PSPKIAudit PowerShell project along with the whitepaper.\r\nHowever, we have found that organizations and vendors have historically often not fixed issues or built detections\r\nfor \"theoretical\" attacks until someone proves something is possible with a proof of concept.\r\nAcknowledgments\r\nCertify used a few resources found online as reference and inspiration:\r\nThis post on requesting certificates from C#.\r\nThis gist for SAN specification.\r\nThis StackOverflow post on exporting private keys.\r\nThis PKISolutions post on converting pkiExpirationPeriod.\r\nThis section of MS-CSRA describing enrollment agent security DACLs.\r\nThe AD CS work was built on work from a number of others. The whitepaper has a complete treatment, but to\r\nsummarize:\r\nBenjamin Delpy for his extensive work on smart cards/certificates with Mimikatz and Kekeo.\r\nPKI Solutions for their excellent posts on PKI in Active Directory, as well as their PSPKI PowerShell\r\nmodule, which our auditing toolkit is based on.\r\nThe \"Windows Server 2008 – PKI and Certificate Security\" book by Brian Komar.\r\nThe following open technical specifications provided by Microsoft:\r\n[MS-CERSOD]: Certificate Services Protocols Overview\r\n[MS-CRTD]: Certificate Templates Structure\r\n[MS-CSRA]: Certificate Services Remote Administration Protocol\r\n[MS-ICPR]: ICertPassage Remote Protocol\r\n[MS-WCCE]: Windows Client Certificate Enrollment Protocol\r\nChristoph Falta's GitHub repo which covers some details on attacking certificate templates, including\r\nvirtual smart cards as well as some ideas on ACL based abuses.\r\nCQURE's \"The tale of Enhanced Key (mis)Usage\" post which covers some Subject Alternative Name\r\nabuses.\r\nKeyfactor's 2016 post \"Hidden Dangers: Certificate Subject Alternative Names (SANs)\"\r\n@Elkement's posts 
\"Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain\r\nAdmin!\" and \"Impersonating a Windows Enterprise Admin with a Certificate: Kerberos PKINIT from\r\nLinux\" detail certificate template misconfigurations.\r\nCarl Sörqvist wrote up a detailed, and plausible, scenario for how some of these misconfigurations happen\r\ntitled \"Supply in the Request Shenanigans\".\r\nCeri Coburn released an excellent post in 2020 on \"Attacking Smart Card Based Active Directory\r\nNetworks\" detailing some smart card abuse and Certify additions.\r\nBrad Hill published a whitepaper titled \"Weaknesses and Best Practices of Public Key Kerberos with Smart\r\nCards\" which provided some good background on Kerberos/PKINIT from a security perspective.\r\nSource: https://github.com/GhostPack/Certify/\r\nhttps://github.com/GhostPack/Certify/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/GhostPack/Certify/"
	],
	"report_names": [
		"Certify"
	],
	"threat_actors": [],
	"ts_created_at": 1775433995,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2002416e2288bdbf4a1baf461a895eb496ea4640.pdf",
		"text": "https://archive.orkl.eu/2002416e2288bdbf4a1baf461a895eb496ea4640.txt",
		"img": "https://archive.orkl.eu/2002416e2288bdbf4a1baf461a895eb496ea4640.jpg"
	}
}