Alternatives and similar repositories for Abusing_Weak_ACL_on_Certificate_Templates

Users that are interested in Abusing_Weak_ACL_on_Certificate_Templates are comparing it to the libraries listed below

• simondotsh / DirSync

  View on GitHub
  DirSync is a simple proof of concept PowerShell module to demonstrate the impact of delegating DS-Replication-Get-Changes and DS-Replicat…
  ☆29Apr 26, 2023Updated 2 years ago
• zer1t0 / certi

  View on GitHub
  ADCS abuser
  ☆313Feb 6, 2023Updated 3 years ago
• fortalice / modifyCertTemplate

  View on GitHub
  ADCS cert template modification and ACL enumeration
  ☆144Jun 26, 2023Updated 2 years ago
• cube0x0 / SharpSystemTriggers

  View on GitHub
  Collection of remote authentication triggers in C#
  ☆524May 15, 2024Updated last year
• X-C3LL / GPOwned

  View on GitHub
  Buggy script to play with GPOs
  ☆122Dec 27, 2024Updated last year
• snovvcrash / RemoteRegSave

  View on GitHub
  A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host
  ☆41Dec 8, 2023Updated 2 years ago
• xpn / sccmwtf

  View on GitHub
  ☆160Feb 8, 2025Updated last year
• djhohnstein / SharpSC

  View on GitHub
  Simple .NET assembly to interact with services.
  ☆43Sep 27, 2019Updated 6 years ago
• med0x2e / NTLMRelay2Self

  View on GitHub
  An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).
  ☆417Jan 27, 2024Updated 2 years ago
• eversinc33 / SharpStartWebclient

  View on GitHub
  Programmatically start WebClient from an unprivileged session to enable that juicy privesc.
  ☆77Feb 8, 2023Updated 3 years ago
• knavesec / o365fedenum

  View on GitHub
  Federated Office365 user enumeration based on correlated response trend analysis
  ☆50May 3, 2022Updated 3 years ago
• ShutdownRepo / ShadowCoerce

  View on GitHub
  MS-FSRVP coercion abuse PoC
  ☆305Dec 30, 2021Updated 4 years ago
• 0xe7 / RoastInTheMiddle

  View on GitHub
  ☆74Jun 17, 2025Updated 8 months ago
• Mr-Un1k0d3r / ADHuntTool

  View on GitHub
  official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
  ☆232Jun 10, 2022Updated 3 years ago
• bugch3ck / SharpLdapWhoami

  View on GitHub
  WhoAmI by asking the LDAP service on a domain controller.
  ☆64Feb 8, 2022Updated 4 years ago
• nettitude / SharpWSUS

  View on GitHub
  ☆477Nov 20, 2022Updated 3 years ago
• Coontzy1 / WSUScripts

  View on GitHub
  ☆20Sep 6, 2025Updated 5 months ago
• mpgn / BackupOperatorToDA

  View on GitHub
  From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
  ☆439Jan 4, 2025Updated last year
• xpn / WAMBam

  View on GitHub
  Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post
  ☆130Jan 14, 2023Updated 3 years ago
• horizon3ai / backup_dc_registry

  View on GitHub
  A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY
  ☆89Feb 16, 2022Updated 4 years ago
• zer1t0 / cerbero

  View on GitHub
  Kerberos protocol attacker
  ☆140Feb 1, 2021Updated 5 years ago
• Hagrid29 / DuplicateDump

  View on GitHub
  Dumping LSASS with a duplicated handle from custom LSA plugin
  ☆204Feb 23, 2022Updated 3 years ago
• garrettfoster13 / aced

  View on GitHub
  ☆197Aug 28, 2025Updated 5 months ago
• Dec0ne / DavRelayUp

  View on GitHub
  DavRelayUp - a universal no-fix local privilege escalation in domain-joined windows workstations where LDAP signing is not enforced (the …
  ☆565Jun 5, 2023Updated 2 years ago
• Kevin-Robertson / Sharpmad

  View on GitHub
  C# version of Powermad
  ☆170Dec 5, 2023Updated 2 years ago
• mdsecactivebreach / DragonCastle

  View on GitHub
  A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
  ☆301Oct 26, 2022Updated 3 years ago
• G0ldenGunSec / GetWebDAVStatus

  View on GitHub
  Determine if the WebClient Service (WebDAV) is running on a remote system
  ☆142Mar 9, 2024Updated last year
• mez-0 / CSharpWinRM

  View on GitHub
  .NET 4.0 WinRM API Command Execution
  ☆166Sep 11, 2020Updated 5 years ago
• zyn3rgy / LdapRelayScan

  View on GitHub
  Check for LDAP protections regarding the relay of NTLM authentication
  ☆532Nov 19, 2024Updated last year
• RedSiege / SharpCollectionTemplate

  View on GitHub
  ☆14Sep 26, 2023Updated 2 years ago
• slemire / WSPCoerce

  View on GitHub
  PoC to coerce authentication from Windows hosts using MS-WSP
  ☆302Sep 7, 2023Updated 2 years ago
• klezVirus / SharpLdapRelayScan

  View on GitHub
  C# Port of LdapRelayScan
  ☆91Nov 26, 2025Updated 2 months ago
• x42en / sysplant

  View on GitHub
  Your syscall factory
  ☆126Jan 13, 2026Updated last month
• c3c / ADExplorerSnapshot

  View on GitHub
  ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound via BOFHound, and also supports full-ob…
  ☆1,050Jan 22, 2026Updated 3 weeks ago
• zer1t0 / ntlm-info

  View on GitHub
  Retrieve host information from NTLM
  ☆32Feb 4, 2021Updated 5 years ago
• ShutdownRepo / pywhisker

  View on GitHub
  Python version of the C# tool for "Shadow Credentials" attacks
  ☆851Feb 1, 2026Updated 2 weeks ago
• RiccardoAncarani / LiquidSnake

  View on GitHub
  LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
  ☆347Sep 1, 2021Updated 4 years ago
• mlcsec / ASRenum-BOF

  View on GitHub
  Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations
  ☆160Mar 1, 2024Updated last year
• EspressoCake / PPLDump_BOF

  View on GitHub
  A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF.
  ☆143Sep 24, 2021Updated 4 years ago