AD Certificate Services (ADCS) and Trust Relationship Attacks
When a user authenticates to a computer configured for unconstrained delegation, a forwardable copy of their TGT is sent along and cached in that computer's LSASS memory, where anyone with local administrator rights can extract it.
Advanced Attacks covers techniques targeting Active Directory environments: abusing Kerberos delegation configurations, Group Policy Objects (GPOs), AD Certificate Services (ADCS), and domain and forest trust relationships. It details practical workflows for turning misconfigurations such as unconstrained delegation, writable GPOs, and weak certificate templates into privilege escalation or persistent access. The skill also explains how to forge Kerberos tickets with the relevant tools and how to deploy payloads through SCCM or WSUS.
This skill is designed for penetration testers and red team operators who need to simulate complex Active Directory attack scenarios. It also suits security engineers responsible for hardening enterprise AD infrastructures against privilege escalation and persistence risks. Incident responders investigating lateral movement patterns or suspicious certificate enrollments will find the detailed methods and tools referenced here highly relevant.
Practitioners begin by enumerating delegation settings (the userAccountControl flags plus the msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity attributes) and GPOs whose ACLs grant write access to a principal they control. They then exploit those weaknesses with tools such as SharpGPOAbuse or pyGPOAbuse, which modify the GPO to add a local administrator or push an immediate scheduled task to every computer the GPO is linked to. For ADCS, the workflow is to discover misconfigured certificate templates, request a certificate that carries a privileged account's identity (for example from a template that lets the enrollee supply the subject alternative name), and use that certificate to authenticate with PKINIT, which yields a TGT and, through U2U, the account's NTLM hash. Finally, trust relationship attacks extract the inter-realm trust key and forge inter-realm Kerberos tickets to cross domain boundaries; within a forest, placing the parent domain's Enterprise Admins SID in the forged ticket's SID history escalates from a child domain to the forest root, whereas SID filtering blocks this on forest trusts by default.
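The ADCS step of the workflow comes down to a handful of template attributes. The following is an added example, not the skill's own code and not Certipy's: it applies the ESC1 conditions to template objects represented as Python dicts. The attribute names, flag bits and EKU OIDs are the real ones; the sample templates, the published set, and the `enroll_principals` key (standing in for the parsed template security descriptor) are constructed for this example.

```python
"""ESC1 triage of AD CS certificate templates (added example, not Certipy code).

Templates are constructed dicts carrying the real LDAP attribute names of
pKICertificateTemplate objects. "enroll_principals" is an assumption standing
in for the parsed nTSecurityDescriptor (who holds the Enroll right).
"""

# msPKI-Certificate-Name-Flag: requester supplies subject and SAN in the CSR
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag: "CA certificate manager approval" required
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for domain logon (PKINIT / Schannel)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}

# Enroll rights for any of these mean every domain account can request the template
LOW_PRIV_ENROLLERS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_authentication(ekus):
    """A template with no EKU at all behaves like Any Purpose, so it counts too."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def check_esc1(template):
    """Return (vulnerable, failed_conditions); ESC1 needs all five conditions to hold."""
    conditions = {
        "enrollee supplies subject":
            bool(template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "authentication EKU":
            allows_authentication(template.get("pKIExtendedKeyUsage", [])),
        "no manager approval":
            not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS,
        "no authorized signatures":
            template.get("msPKI-RA-Signature", 0) == 0,
        "low-privileged enroll rights":
            bool(LOW_PRIV_ENROLLERS & set(template["enroll_principals"])),
    }
    failed = [name for name, ok in conditions.items() if not ok]
    return (not failed, failed)


def triage(templates, published):
    """ESC1 templates a CA actually publishes; an unpublished template cannot be requested."""
    return sorted(name for name, tpl in templates.items()
                  if name in published and check_esc1(tpl)[0])


# Constructed sample data: one ESC1 template and three near misses.
TEMPLATES = {
    "VulnUser": {
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    "User": {  # subject is built from AD attributes; the requester cannot pick a SAN
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll_principals": ["Domain Users"],
    },
    "WebSAN": {  # requester picks the SAN, but only a Server Authentication EKU
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll_principals": ["Domain Computers"],
    },
    "ApprovedUser": {  # like VulnUser, but a certificate manager must approve each request
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x0000002B,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
}
# Constructed: the names listed in a CA's certificateTemplates attribute
PUBLISHED = {"VulnUser", "User", "WebSAN", "ApprovedUser"}

if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, check_esc1(tpl))
    print("ESC1:", triage(TEMPLATES, PUBLISHED))
```

The `failed` list is the useful output for a report: a template that misses only "no manager approval" is one setting change away from ESC1, and a template that passes every check but is not published is a finding for the CA administrator rather than an exploitable path.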
How do I find vulnerable GPOs to abuse? Enumerate the ACL of each GPO's AD object (the groupPolicyContainer under CN=Policies,CN=System) and look for write rights held by a principal you control: GenericAll, GenericWrite, WriteDacl, or WriteOwner. In PowerShell, Get-GPPermission -All from the GroupPolicy module or PowerView's Get-DomainGPO piped into Get-DomainObjectAcl lists these. Then confirm the GPO is linked to an OU that contains the computers or users you want to reach; an unlinked GPO gives you nothing.
Can I automate ADCS certificate requests? Yes. Certipy's find command enumerates templates and flags the vulnerable ones, req requests a certificate from a chosen CA and template and can set an arbitrary UPN in the SAN, and auth uses the resulting PFX to obtain a TGT and the account's NTLM hash. Certify provides the same find-and-request workflow from a Windows host.
What is the difference between unconstrained delegation and constrained delegation attacks? Unconstrained delegation (the TRUSTED_FOR_DELEGATION flag) makes a host cache a forwarded TGT for every user who authenticates to it, so an attacker with local admin there steals TGTs as they arrive or coerces a domain controller to authenticate and captures its TGT. Constrained delegation (msDS-AllowedToDelegateTo) only lets the service obtain tickets to a listed set of SPNs on a user's behalf through S4U2Proxy; compromising that service account still lets you impersonate almost any user to those SPNs, and with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) the user never has to authenticate, because S4U2Self supplies the forwardable ticket. Since the service name sits in the unencrypted part of the ticket, the SPN's service class can usually be swapped (CIFS to LDAP, for example). Resource-based constrained delegation inverts the model: the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute says who may delegate to it, so write access to a computer object is enough. Accounts in Protected Users or marked "sensitive and cannot be delegated" are exempt from all of these.
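To make the unconstrained/constrained distinction, and the delegation enumeration step of the workflow, concrete, here is an added example that is not from the skill or any tool it names. It classifies constructed account records by their userAccountControl bits and delegation attributes, skips domain controllers (unconstrained by design), and reports which user accounts would actually have a TGT exposed to an unconstrained host. One modelling assumption: msDS-AllowedToActOnBehalfOfOtherIdentity is really a binary security descriptor, and is represented here as a list of principal names.

```python
"""Classify AD delegation settings from LDAP attributes (added example, not tool code).

Accounts are constructed dicts using the real attribute names. Assumption:
msDS-AllowedToActOnBehalfOfOtherIdentity, a binary security descriptor in AD,
is modelled as a list of principal names.
"""

# userAccountControl bits (MS-SAMR / MS-ADTS)
SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition


def classify(account):
    """Describe how the account delegates and what an attacker could do with it."""
    uac = account["userAccountControl"]
    to_spns = account.get("msDS-AllowedToDelegateTo", [])
    rbcd_from = account.get("msDS-AllowedToActOnBehalfOfOtherIdentity", [])
    info = {"domain_controller": bool(uac & SERVER_TRUST_ACCOUNT), "protocol_transition": False}

    if uac & TRUSTED_FOR_DELEGATION:
        info["kind"] = "unconstrained"
        info["note"] = ("caches a forwarded TGT for every non-protected user that authenticates; "
                        "extract with local admin, or coerce a DC to connect")
    elif to_spns:
        info["kind"] = "constrained"
        info["protocol_transition"] = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        targets = ", ".join(to_spns)
        if info["protocol_transition"]:
            info["note"] = "S4U2Self yields a forwardable ticket for any non-protected user, then S4U2Proxy to " + targets
        else:
            info["note"] = "S4U2Proxy to %s only with a forwardable ticket from a real user logon" % targets
    elif rbcd_from:
        info["kind"] = "rbcd-target"
        info["note"] = "%s may impersonate users to this host via S4U2Proxy" % ", ".join(rbcd_from)
    else:
        info["kind"] = "none"
        info["note"] = ""
    return info


def tgt_exposed(account):
    """Is this user's TGT forwarded when it authenticates to an unconstrained host?"""
    return not (account["userAccountControl"] & NOT_DELEGATED
                or "Protected Users" in account.get("memberOf", []))


def findings(accounts):
    """(name, kind) pairs worth reporting; DCs are unconstrained by design and are skipped."""
    out = []
    for name, acct in accounts.items():
        info = classify(acct)
        if info["kind"] == "none" or (info["kind"] == "unconstrained" and info["domain_controller"]):
            continue
        out.append((name, info["kind"]))
    return sorted(out)


# Constructed sample directory
ACCOUNTS = {
    "DC01$":     {"userAccountControl": 0x82000},     # SERVER_TRUST | TRUSTED_FOR_DELEGATION
    "WEB01$":    {"userAccountControl": 0x81000},     # WORKSTATION_TRUST | TRUSTED_FOR_DELEGATION
    "svc_sql":   {"userAccountControl": 0x1000200,    # NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
                  "msDS-AllowedToDelegateTo": ["CIFS/FS01.corp.example"]},
    "svc_web":   {"userAccountControl": 0x200,
                  "msDS-AllowedToDelegateTo": ["HTTP/APP01.corp.example"]},
    "FS01$":     {"userAccountControl": 0x1000,
                  "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB01$"]},
    "da_backup": {"userAccountControl": 0x100200,     # NORMAL_ACCOUNT | NOT_DELEGATED
                  "memberOf": ["Domain Admins"]},
    "jdoe":      {"userAccountControl": 0x200, "memberOf": ["Protected Users"]},
}

if __name__ == "__main__":
    for name, kind in findings(ACCOUNTS):
        print(name, kind, "-", classify(ACCOUNTS[name])["note"])
    users = [n for n, a in ACCOUNTS.items() if not n.endswith("$") and tgt_exposed(a)]
    print("users whose TGT would be cached on WEB01$:", users)
```

In a real assessment the dicts come from an LDAP search such as `(userAccountControl:1.2.840.113556.1.4.803:=524288)` for the unconstrained case; the value of the classifier is in the exclusions, since reporting every DC as "unconstrained" or counting a Protected Users member as an exposed TGT produces noise rather than findings.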
Attach the Advanced Attacks skill to a Metaflow agent tasked with Active Directory security assessments or red team simulations. The agent walks through enumerating delegation settings, GPO permissions, ADCS templates, and trust relationships and suggests specific exploitation commands and payloads. Expect step-by-step workflows and tool references for executing, or defending against, these attack vectors. The skill integrates with the related privilege escalation and certificate management workflows within Metaflow.