Automatically mine Certify AD CS output for non-standard low-priv principals and potential ESC1/2/3/4/7/17 paths, with JSON + Markdown reporting.
Built while working through Altered Security's CESP-ADCS, after realizing that Certify.exe's built-in attack path detection isn't as rich as Certipy, and Certipy can't easily highlight attack paths per-user unless you run it with that user's creds.
ADCSPotato parses Certify-style output plus a Users.txt list, finds "weird" users on CA/template ACLs, and reports possible ESC1/2/3/4/7/17 abuse paths in Markdown and JSON.
Huge thanks to Altered Security for the learning opportunity.
ADCSPotato expects two simple text files in the working directory:
-
Users.txt- One
samAccountNameper line. - Example:
j.doe a.nguyen svc_backup - These are usually low-priv or “interesting” users you want to check for AD CS abuse paths.
- One
-
Output.txt- The raw output of
Certify.exe findredirected to a file. - Example:
Certify.exe find > Output.txt
- ADCSPotato parses this file to map your
Users.txtlist to potential ESC1/2/3/4/7/17 paths.
- The raw output of
- Run
Certify.exe findagainst the target environment and save the output toOutput.txt. - Create
Users.txtwith onesamAccountNameper line for the users you care about. - Run
ADCSPotato.pyin the same directory. - Review the generated JSON / Markdown report for potential ESC1/2/3/4/7/17 attack paths.