daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates external links

---

GitHub - View repository

GitHub.dev - Open in online code editor

Star history - Growth chart over time

deps.dev - Dependencies and security vulnerabilities

Gitingest - Export source code for LLM usage

Repomix - Export source code for LLM usage

uithub - Export source code for LLM usage

Close

daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates

Readme badge preview -

If you own this repo, copy the snippet below and add it to your README.md

---

Copy

[![RelatedRepos](https://img.shields.io/badge/related-repos-yellow)](https://relatedrepos.com/gh/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates)

Close

daem0nc0re / Abusing_Weak_ACL_on_Certificate_TemplatesView on GitHubMore

• External links
• Readme badge

Investigation about ACL abusing for Active Directory Certificate Services (AD CS)

☆136Oct 10, 2021Updated 4 years ago

Alternatives and similar repositories for Abusing_Weak_ACL_on_Certificate_Templates

Users that are interested in Abusing_Weak_ACL_on_Certificate_Templates are comparing it to the libraries listed below. We may earn a commission when you buy through links labeled 'Ad' on this page.

• simondotsh / DirSync

  View on GitHub
  DirSync is a simple proof of concept PowerShell module to demonstrate the impact of delegating DS-Replication-Get-Changes and DS-Replicat…
  ☆30Apr 26, 2023Updated 3 years ago
• fortalice / modifyCertTemplate

  View on GitHub
  ADCS cert template modification and ACL enumeration
  ☆145Jun 26, 2023Updated 3 years ago
• snovvcrash / RemoteRegSave

  View on GitHub
  A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host
  ☆41Dec 8, 2023Updated 2 years ago
• zer1t0 / certi

  View on GitHub
  ADCS abuser
  ☆321Feb 6, 2023Updated 3 years ago
• Coontzy1 / WSUScripts

  View on GitHub
  ☆24Sep 6, 2025Updated 9 months ago
• Proton VPN Special Offer - Get 70% off • Ad
  Special partner offer. Trusted by over 100 million users worldwide. Tested, Approved and Recommended by Experts.
• X-C3LL / GPOwned

  View on GitHub
  Buggy script to play with GPOs
  ☆131Dec 27, 2024Updated last year
• cube0x0 / SharpSystemTriggers

  View on GitHub
  Collection of remote authentication triggers in C#
  ☆533May 15, 2024Updated 2 years ago
• djhohnstein / SharpSC

  View on GitHub
  Simple .NET assembly to interact with services.
  ☆43Sep 27, 2019Updated 6 years ago
• knavesec / o365fedenum

  View on GitHub
  Federated Office365 user enumeration based on correlated response trend analysis
  ☆49May 3, 2022Updated 4 years ago
• med0x2e / NTLMRelay2Self

  View on GitHub
  An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).
  ☆419Jan 27, 2024Updated 2 years ago
• ShutdownRepo / ShadowCoerce

  View on GitHub
  MS-FSRVP coercion abuse PoC
  ☆302Dec 30, 2021Updated 4 years ago
• klezVirus / SharpLdapRelayScan

  View on GitHub
  C# Port of LdapRelayScan
  ☆94Nov 26, 2025Updated 7 months ago
• eversinc33 / SharpStartWebclient

  View on GitHub
  Programmatically start WebClient from an unprivileged session to enable that juicy privesc.
  ☆79Feb 8, 2023Updated 3 years ago
• garrettfoster13 / aced

  View on GitHub
  ☆202Aug 28, 2025Updated 10 months ago
• Managed hosting for WordPress and PHP on Cloudways • Ad
  Managed hosting for WordPress, Magento, Laravel, or PHP apps, on multiple cloud providers. Deploy in minutes on Cloudways by DigitalOcean.
• Mr-Un1k0d3r / ADHuntTool

  View on GitHub
  official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
  ☆234Jun 10, 2022Updated 4 years ago
• xpn / sccmwtf

  View on GitHub
  ☆166Feb 8, 2025Updated last year
• mez-0 / CSharpWinRM

  View on GitHub
  .NET 4.0 WinRM API Command Execution
  ☆165Sep 11, 2020Updated 5 years ago
• bugch3ck / SharpLdapWhoami

  View on GitHub
  WhoAmI by asking the LDAP service on a domain controller.
  ☆66Feb 8, 2022Updated 4 years ago
• zyn3rgy / LdapRelayScan

  View on GitHub
  Check for LDAP protections regarding the relay of NTLM authentication
  ☆532Nov 19, 2024Updated last year
• nettitude / SharpWSUS

  View on GitHub
  ☆499Nov 20, 2022Updated 3 years ago
• mpgn / BackupOperatorToDA

  View on GitHub
  From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
  ☆447Jan 4, 2025Updated last year
• login-securite / DonPAPI

  View on GitHub
  Dumping DPAPI credz remotely
  ☆1,384Mar 24, 2025Updated last year
• xpn / WAMBam

  View on GitHub
  Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post
  ☆133Jan 14, 2023Updated 3 years ago
• Wordpress hosting with auto-scaling - Free Trial Offer • Ad
  Fully Managed hosting for WordPress and WooCommerce businesses that need reliable, auto-scalable performance. Cloudways SafeUpdates now available.
• zer1t0 / cerbero

  View on GitHub
  Kerberos protocol attacker
  ☆139Feb 1, 2021Updated 5 years ago
• horizon3ai / backup_dc_registry

  View on GitHub
  A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY
  ☆94Feb 16, 2022Updated 4 years ago
• 0xe7 / RoastInTheMiddle

  View on GitHub
  ☆75Jun 17, 2025Updated last year
• Hagrid29 / DuplicateDump

  View on GitHub
  Dumping LSASS with a duplicated handle from custom LSA plugin
  ☆206Feb 23, 2022Updated 4 years ago
• Dec0ne / DavRelayUp

  View on GitHub
  DavRelayUp - a universal no-fix local privilege escalation in domain-joined windows workstations where LDAP signing is not enforced (the …
  ☆572Jun 5, 2023Updated 3 years ago
• c3c / ADExplorerSnapshot

  View on GitHub
  ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound via BOFHound, and also supports full-ob…
  ☆1,092Apr 29, 2026Updated 2 months ago
• G0ldenGunSec / GetWebDAVStatus

  View on GitHub
  Determine if the WebClient Service (WebDAV) is running on a remote system
  ☆147Mar 9, 2024Updated 2 years ago
• mdsecactivebreach / DragonCastle

  View on GitHub
  A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
  ☆305Oct 26, 2022Updated 3 years ago
• temp43487580 / mprecon

  View on GitHub
  a small script to collect information from a management point
  ☆37Jan 19, 2026Updated 5 months ago
• Bare Metal GPUs on DigitalOcean Gradient AI • Ad
  Purpose-built for serious AI teams training foundational models, running large-scale inference, and pushing the boundaries of what's possible.
• RiccardoAncarani / LiquidSnake

  View on GitHub
  LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
  ☆347Sep 1, 2021Updated 4 years ago
• boku7 / xPipe

  View on GitHub
  Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions
  ☆97Mar 8, 2023Updated 3 years ago
• slemire / WSPCoerce

  View on GitHub
  PoC to coerce authentication from Windows hosts using MS-WSP
  ☆305Sep 7, 2023Updated 2 years ago
• Kevin-Robertson / Sharpmad

  View on GitHub
  C# version of Powermad
  ☆171Dec 5, 2023Updated 2 years ago
• x42en / sysplant

  View on GitHub
  Your Windows syscall hooking factory - feat Canterlot's Gate - All accessible over MCP
  ☆130Jun 20, 2026Updated last week
• CCob / lsarelayx

  View on GitHub
  NTLM relaying for Windows made easy
  ☆582Apr 25, 2023Updated 3 years ago
• mgeeky / ElusiveMice

  View on GitHub
  Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
  ☆491Jul 12, 2023Updated 2 years ago