Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

module

Exploits AD CS Template misconfigurations which involve updating an LDAP object: ESC9, ESC10, and ESC16

Disclosed
N/A
Created
Jul 31, 2025

Description

This module exploits Active Directory Certificate Services (AD CS) template misconfigurations, specifically
ESC9, ESC10, and ESC16, by updating an LDAP object and requesting a certificate on behalf of a target user.
The module leverages the auxiliary/admin/ldap/ldap_object_attribute module to update the LDAP object and the
admin/ldap/shadow_credentials module to add shadow credentials for the target user if the target password is
not provided. It then uses the admin/kerberos/get_ticket module to retrieve the NTLM hash of the target user
and requests a certificate via MS-ICPR. The resulting certificate can be used for various operations, such as
authentication.

The module ensures that any changes made by the ldap_object_attribute or shadow_credentials module are
reverted after execution to maintain system integrity.

Authors

Will Schroeder
Lee Christensen
Oliver Lyak
Spencer McIntyre
jheysel-r7

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use auxiliary/admin/dcerpc/esc_update_ldap_object
msf auxiliary(esc_update_ldap_object) > show actions
...actions...
msf auxiliary(esc_update_ldap_object) > set ACTION < action-name >
msf auxiliary(esc_update_ldap_object) > show options
...show and set options...
msf auxiliary(esc_update_ldap_object) > run

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.