Skip to content

CertiHound - AD CS Enumeration for BloodHound Cheatsheet

CertiHound - AD CS Enumeration for BloodHound Cheatsheet

CertiHound is an Active Directory Certificate Services (AD CS) enumeration tool that collects certificate-template and CA configuration over LDAP and exports it in BloodHound CE-compatible format. It adds PKI nodes and certificate-abuse edges (the ESC1–ESC-style attack paths) to your BloodHound graph, so certificate-based privilege escalation shows up alongside the classic AD attack paths. It fills the gap between Certipy’s ADCS abuse and BloodHound’s attack-path visualization.

For authorized assessments only. Enumerating AD CS requires domain credentials and permission.

Installation

MethodCommand
pippip install certihound
From sourcegit clone the repo, then pip install -e .
RequirementLDAP access to the domain; BloodHound CE v6 to view
Verifycertihound --help

Collecting AD CS Data

certihound -u analyst -p '***' -d example.local \
  -dc dc01.example.local -o output/
FlagPurpose
-u, --usernameDomain user
-p, --passwordPassword (or hash/Kerberos)
-d, --domainTarget domain
-dc, --domain-controllerDC to query over LDAP
-o, --outputOutput directory for JSON
--ldapsUse LDAPS (636)

Output is a set of JSON files you import into BloodHound CE.

What It Enumerates

AD CS objectWhy it matters
Certificate AuthoritiesEnrollment/CA config, web enrollment
Certificate templatesThe heart of ESC misconfigurations
Enrollment rightsWho can request which templates
Template flagsENROLLEE_SUPPLIES_SUBJECT, EKUs, etc.
CA permissionsManageCA / ManageCertificates rights

ESC Attack Paths Surfaced

ESCMisconfiguration
ESC1Template lets enrollee supply subject + auth EKU
ESC2Any-purpose EKU template
ESC3Enrollment agent templates
ESC4Vulnerable template ACLs (writeable templates)
ESC6EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA
ESC7Vulnerable CA permissions
ESC8NTLM relay to AD CS web enrollment

CertiHound encodes these as edges so BloodHound can path from a low-priv user to Domain Admin through a certificate abuse.

Import into BloodHound CE

StepHow
1Run CertiHound to produce JSON
2In BloodHound CE, upload the JSON via the ingest UI/API
3PKI nodes/edges appear in the graph
4Query paths to high-value targets that traverse AD CS

Common Workflows

# Enumerate AD CS and load certificate attack paths into BloodHound CE
certihound -u audit -p '***' -d corp.local -dc dc.corp.local -o adcs/
# → upload adcs/*.json into BloodHound CE, then query
#   "shortest path to Domain Admins" including PKI edges

# Combine with Certipy for the actual abuse once a path is found

CertiHound in the AD CS Toolkit

ToolRole
CertiHoundEnumerate AD CS → BloodHound CE graph
CertipyEnumerate and abuse ESC1–ESC17
BloodHoundVisualize/query the attack paths
NetExecBroader AD collection + relaying

Resources