Skip to content

0xGunrunner/ADCSPotato

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 

Repository files navigation

ADCSPotato

Automatically mine Certify AD CS output for non-standard low-priv principals and potential ESC1/2/3/4/7/17 paths, with JSON + Markdown reporting.

Built while working through Altered Security's CESP-ADCS, after realizing that Certify.exe's built-in attack path detection isn't as rich as Certipy, and Certipy can't easily highlight attack paths per-user unless you run it with that user's creds.

ADCSPotato parses Certify-style output plus a Users.txt list, finds "weird" users on CA/template ACLs, and reports possible ESC1/2/3/4/7/17 abuse paths in Markdown and JSON.

Huge thanks to Altered Security for the learning opportunity.


Input files

ADCSPotato expects two simple text files in the working directory:

  • Users.txt

    • One samAccountName per line.
    • Example:
      j.doe
      a.nguyen
      svc_backup
      
    • These are usually low-priv or “interesting” users you want to check for AD CS abuse paths.
  • Output.txt

    • The raw output of Certify.exe find redirected to a file.
    • Example:
      Certify.exe find > Output.txt
    • ADCSPotato parses this file to map your Users.txt list to potential ESC1/2/3/4/7/17 paths.

High-level workflow

  1. Run Certify.exe find against the target environment and save the output to Output.txt.
  2. Create Users.txt with one samAccountName per line for the users you care about.
  3. Run ADCSPotato.py in the same directory.
  4. Review the generated JSON / Markdown report for potential ESC1/2/3/4/7/17 attack paths.
Screenshot 2025-11-17 225410 Screenshot 2025-11-17 225752

About

Some python script I made during the course of preparing for CESP-ADCS

Resources

Stars

3 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages