ADCS Abuse with Certipy: From Low-Priv User to Domain Admin via Certificate Services
Active Directory Certificate Services is installed in most enterprise networks — and almost always misconfigured. Here's how attackers exploit ESC1 through ESC8 with Certipy, and how to detect and stop them.