ThePorgs · ShutdownRepo · Oct 25, 2023 · Oct 25, 2023
diff --git a/sources/assets/bloodhound/customqueries.json b/sources/assets/bloodhound/customqueries.json
@@ -739,6 +739,36 @@
                 "query": "MATCH (n:GPO) WHERE n.type = 'Enrollment Service' and n.`Web Enrollment` = 'Enabled' RETURN n"
             }]
         },
+        {
+            "name": "Find Unsecured Certificate Templates (ESC9)",
+            "category": "AD CS Domain Escalation",
+            "queryList": [
+                {
+                "final": true,
+                "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and n.`Enrollee Supplies Subject` = true and n.`Client Authentication` = true and n.`Enabled` = true  RETURN n"
+                }
+            ]
+        },
+        {
+            "name": "Find Unsecured Certificate Templates (ESC9)",
+            "category": "AD CS Domain Escalation",
+            "queryList": [
+                {
+                "final": true,
+                "query": "MATCH (n:GPO) WHERE n.type = 'Certificate Template' and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true  RETURN n"
+                }
+            ]
+        },
+        {
+            "name": "Shortest Paths to Unsecured Certificate Templates from Owned Principals (ESC9)",
+            "category": "AD CS Domain Escalation",
+            "queryList": [
+                {
+                "final": true,
+                "query": "MATCH p=allShortestPaths((g {owned:true})-[r*1..]->(n:GPO)) WHERE n.type = 'Certificate Template' and g<>n and 'NoSecurityExtension' in n.`Enrollment Flag` and n.`Enabled` = true and NONE(rel in r WHERE type(rel) in ['EnabledBy','Read','ManageCa','ManageCertificates']) return p"
+                }
+            ]
+        },
         {
 			"name": "Find users with a plaintext attribute that can RDP into something",
 			"category": "PlainText Password Queries",