CertiHound - AD CS Enumeration for BloodHound Cheatsheet
CertiHound is an Active Directory Certificate Services (AD CS) enumeration tool that collects certificate-template and CA configuration over LDAP and exports it in BloodHound CE-compatible format. It adds PKI nodes and certificate-abuse edges (the ESC1–ESC-style attack paths) to your BloodHound graph, so certificate-based privilege escalation shows up alongside the classic AD attack paths. It fills the gap between Certipy’s ADCS abuse and BloodHound’s attack-path visualization.
For authorized assessments only. Enumerating AD CS requires domain credentials and permission.
Installation
| Method | Command |
|---|
| pip | pip install certihound |
| From source | git clone the repo, then pip install -e . |
| Requirement | LDAP access to the domain; BloodHound CE v6 to view |
| Verify | certihound --help |
Collecting AD CS Data
certihound -u analyst -p '***' -d example.local \
-dc dc01.example.local -o output/
| Flag | Purpose |
|---|
-u, --username | Domain user |
-p, --password | Password (or hash/Kerberos) |
-d, --domain | Target domain |
-dc, --domain-controller | DC to query over LDAP |
-o, --output | Output directory for JSON |
--ldaps | Use LDAPS (636) |
Output is a set of JSON files you import into BloodHound CE.
What It Enumerates
| AD CS object | Why it matters |
|---|
| Certificate Authorities | Enrollment/CA config, web enrollment |
| Certificate templates | The heart of ESC misconfigurations |
| Enrollment rights | Who can request which templates |
| Template flags | ENROLLEE_SUPPLIES_SUBJECT, EKUs, etc. |
| CA permissions | ManageCA / ManageCertificates rights |
ESC Attack Paths Surfaced
| ESC | Misconfiguration |
|---|
| ESC1 | Template lets enrollee supply subject + auth EKU |
| ESC2 | Any-purpose EKU template |
| ESC3 | Enrollment agent templates |
| ESC4 | Vulnerable template ACLs (writeable templates) |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on the CA |
| ESC7 | Vulnerable CA permissions |
| ESC8 | NTLM relay to AD CS web enrollment |
CertiHound encodes these as edges so BloodHound can path from a low-priv user to Domain Admin through a certificate abuse.
Import into BloodHound CE
| Step | How |
|---|
| 1 | Run CertiHound to produce JSON |
| 2 | In BloodHound CE, upload the JSON via the ingest UI/API |
| 3 | PKI nodes/edges appear in the graph |
| 4 | Query paths to high-value targets that traverse AD CS |
Common Workflows
# Enumerate AD CS and load certificate attack paths into BloodHound CE
certihound -u audit -p '***' -d corp.local -dc dc.corp.local -o adcs/
# → upload adcs/*.json into BloodHound CE, then query
# "shortest path to Domain Admins" including PKI edges
# Combine with Certipy for the actual abuse once a path is found
| Tool | Role |
|---|
| CertiHound | Enumerate AD CS → BloodHound CE graph |
| Certipy | Enumerate and abuse ESC1–ESC17 |
| BloodHound | Visualize/query the attack paths |
| NetExec | Broader AD collection + relaying |
Resources