Identify

From Windows

Check if “Cert Publishers” group exists (checks if ADCS is enabled)

net localgroup "Cert Publishers"

Local

Use cerify.exe

.\Certify.exe find /vulnerable

Local - https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_x64/Certify.exe

Powershell

Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=Domain,DC=local'

From Linux

NetExec

nxc ldap <IP> -u "user" -p "Password123!" -M adcs

Remote

Certipy

certipy find -u 'user@domain.local' -p 'Password123!' -dc-ip <IP> -vulnerable -stdout

Remote