daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates external links

---

GitHub - View repository

GitHub.dev - Open in online code editor

Star history - Growth chart over time

deps.dev - Dependencies and security vulnerabilities

Gitingest - Export source code for LLM usage

Repomix - Export source code for LLM usage

uithub - Export source code for LLM usage

Close

daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates

Readme badge preview -

If you own this repo, copy the snippet below and add it to your README.md

---

Copy

[![RelatedRepos](https://img.shields.io/badge/related-repos-yellow)](https://relatedrepos.com/gh/daem0nc0re/Abusing_Weak_ACL_on_Certificate_Templates)

Close

daem0nc0re / Abusing_Weak_ACL_on_Certificate_TemplatesView on GitHubMore

• External links
• Readme badge

Investigation about ACL abusing for Active Directory Certificate Services (AD CS)

☆134Oct 10, 2021Updated 4 years ago

Alternatives and similar repositories for Abusing_Weak_ACL_on_Certificate_Templates

Users that are interested in Abusing_Weak_ACL_on_Certificate_Templates are comparing it to the libraries listed below. We may earn a commission when you buy through links labeled 'Ad' on this page.

• simondotsh / DirSync

  View on GitHub
  DirSync is a simple proof of concept PowerShell module to demonstrate the impact of delegating DS-Replication-Get-Changes and DS-Replicat…
  ☆30Apr 26, 2023Updated 3 years ago
• fortalice / modifyCertTemplate

  View on GitHub
  ADCS cert template modification and ACL enumeration
  ☆145Jun 26, 2023Updated 2 years ago
• snovvcrash / RemoteRegSave

  View on GitHub
  A .NET implementation to dump SAM, SYSTEM, SECURITY registry hives from a remote host
  ☆41Dec 8, 2023Updated 2 years ago
• zer1t0 / certi

  View on GitHub
  ADCS abuser
  ☆321Feb 6, 2023Updated 3 years ago
• Coontzy1 / WSUScripts

  View on GitHub
  ☆24Sep 6, 2025Updated 8 months ago
• Managed Database hosting by DigitalOcean • Ad
  PostgreSQL, MySQL, MongoDB, Kafka, Valkey, and OpenSearch available. Automatically scale up storage and focus on building your apps.
• X-C3LL / GPOwned

  View on GitHub
  Buggy script to play with GPOs
  ☆127Dec 27, 2024Updated last year
• cube0x0 / SharpSystemTriggers

  View on GitHub
  Collection of remote authentication triggers in C#
  ☆529May 15, 2024Updated 2 years ago
• djhohnstein / SharpSC

  View on GitHub
  Simple .NET assembly to interact with services.
  ☆43Sep 27, 2019Updated 6 years ago
• knavesec / o365fedenum

  View on GitHub
  Federated Office365 user enumeration based on correlated response trend analysis
  ☆49May 3, 2022Updated 4 years ago
• med0x2e / NTLMRelay2Self

  View on GitHub
  An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).
  ☆419Jan 27, 2024Updated 2 years ago
• ShutdownRepo / ShadowCoerce

  View on GitHub
  MS-FSRVP coercion abuse PoC
  ☆302Dec 30, 2021Updated 4 years ago
• klezVirus / SharpLdapRelayScan

  View on GitHub
  C# Port of LdapRelayScan
  ☆93Nov 26, 2025Updated 5 months ago
• eversinc33 / SharpStartWebclient

  View on GitHub
  Programmatically start WebClient from an unprivileged session to enable that juicy privesc.
  ☆78Feb 8, 2023Updated 3 years ago
• garrettfoster13 / aced

  View on GitHub
  ☆199Aug 28, 2025Updated 8 months ago
• Deploy on Railway without the complexity - Free Credits Offer • Ad
  Connect your repo and Railway handles the rest with instant previews. Quickly provision container image services, databases, and storage volumes.
• Mr-Un1k0d3r / ADHuntTool

  View on GitHub
  official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
  ☆234Jun 10, 2022Updated 3 years ago
• xpn / sccmwtf

  View on GitHub
  ☆163Feb 8, 2025Updated last year
• mez-0 / CSharpWinRM

  View on GitHub
  .NET 4.0 WinRM API Command Execution
  ☆165Sep 11, 2020Updated 5 years ago
• bugch3ck / SharpLdapWhoami

  View on GitHub
  WhoAmI by asking the LDAP service on a domain controller.
  ☆66Feb 8, 2022Updated 4 years ago
• zyn3rgy / LdapRelayScan

  View on GitHub
  Check for LDAP protections regarding the relay of NTLM authentication
  ☆532Nov 19, 2024Updated last year
• nettitude / SharpWSUS

  View on GitHub
  ☆491Nov 20, 2022Updated 3 years ago
• mpgn / BackupOperatorToDA

  View on GitHub
  From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
  ☆443Jan 4, 2025Updated last year
• login-securite / DonPAPI

  View on GitHub
  Dumping DPAPI credz remotely
  ☆1,368Mar 24, 2025Updated last year
• xpn / WAMBam

  View on GitHub
  Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post
  ☆131Jan 14, 2023Updated 3 years ago
• AI Agents on DigitalOcean Gradient AI Platform • Ad
  Build production-ready AI agents using customizable tools or access multiple LLMs through a single endpoint. Create custom knowledge bases or connect external data.
• zer1t0 / cerbero

  View on GitHub
  Kerberos protocol attacker
  ☆139Feb 1, 2021Updated 5 years ago
• horizon3ai / backup_dc_registry

  View on GitHub
  A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY
  ☆91Feb 16, 2022Updated 4 years ago
• 0xe7 / RoastInTheMiddle

  View on GitHub
  ☆75Jun 17, 2025Updated 11 months ago
• Hagrid29 / DuplicateDump

  View on GitHub
  Dumping LSASS with a duplicated handle from custom LSA plugin
  ☆206Feb 23, 2022Updated 4 years ago
• Dec0ne / DavRelayUp

  View on GitHub
  DavRelayUp - a universal no-fix local privilege escalation in domain-joined windows workstations where LDAP signing is not enforced (the …
  ☆575Jun 5, 2023Updated 2 years ago
• c3c / ADExplorerSnapshot

  View on GitHub
  ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound via BOFHound, and also supports full-ob…
  ☆1,082Apr 29, 2026Updated 3 weeks ago
• G0ldenGunSec / GetWebDAVStatus

  View on GitHub
  Determine if the WebClient Service (WebDAV) is running on a remote system
  ☆147Mar 9, 2024Updated 2 years ago
• mdsecactivebreach / DragonCastle

  View on GitHub
  A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
  ☆303Oct 26, 2022Updated 3 years ago
• temp43487580 / mprecon

  View on GitHub
  a small script to collect information from a management point
  ☆37Jan 19, 2026Updated 4 months ago
• Virtual machines for every use case on DigitalOcean • Ad
  Get dependable uptime with 99.99% SLA, simple security tools, and predictable monthly pricing with DigitalOcean's virtual machines, called Droplets.
• RiccardoAncarani / LiquidSnake

  View on GitHub
  LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
  ☆347Sep 1, 2021Updated 4 years ago
• boku7 / xPipe

  View on GitHub
  Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions
  ☆97Mar 8, 2023Updated 3 years ago
• slemire / WSPCoerce

  View on GitHub
  PoC to coerce authentication from Windows hosts using MS-WSP
  ☆307Sep 7, 2023Updated 2 years ago
• Kevin-Robertson / Sharpmad

  View on GitHub
  C# version of Powermad
  ☆171Dec 5, 2023Updated 2 years ago
• x42en / sysplant

  View on GitHub
  Your Windows syscall hooking factory - feat Canterlot's Gate - All accessible over MCP
  ☆130May 11, 2026Updated last week
• CCob / lsarelayx

  View on GitHub
  NTLM relaying for Windows made easy
  ☆582Apr 25, 2023Updated 3 years ago
• mgeeky / ElusiveMice

  View on GitHub
  Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
  ☆489Jul 12, 2023Updated 2 years ago