en es ja ko zh

BloodHound MCP

by stevenyu113228

Overview Schema Related Servers Score Discussions

Python

Hybrid

list_esc2_vulnerable_certificate_templates

Identify ESC2 vulnerable certificate templates in Active Directory to detect security risks requiring remediation.

Instructions

List ESC2 vulnerable Certificate Template(s) [Required: Certipy]

Input Schema

TableJSON Schema

Name	Required	Description	Default
`domain`	Yes

Install Server

Other Tools

computers_with_most_sessions
find_all_enabled_as_rep_roastable_users
find_all_enabled_kerberoastable_users
find_all_owned_groups_granting_network_share_access
find_allshortestpaths_with_dcsync_to_domain
find_allshortestpaths_with_shadow_credential_permission
find_azure_app_owners_with_dangerous_rights
find_enabled_certificate_templates
find_owned_users_with_azure_tenancy_access
find_owned_users_with_group_granted_azure_access
find_paths_dangerous_rights_to_adminsdholder
list_all_aad_groups_synchronized_with_ad
list_all_ad_principals_with_edges_to_azure_principals
list_all_authenticated_users_group_memberships
list_all_certificate_templates
list_all_cross_domain_user_sessions_and_memberships
list_all_domain_users_group_memberships
list_all_enabled_azure_users
list_all_enabled_azure_users_group_memberships
list_all_enabled_users_logged_in_last_90_days
list_all_enabled_users_never_logged_in
list_all_enabled_users_set_password_last_90_days
list_all_enabled_users_with_foreign_group_membership
list_all_enabled_users_with_no_password_required
list_all_enabled_users_with_password_never_expires
list_all_enabled_users_with_userpassword_attribute
list_all_enrollment_rights_for_certificate_templates
list_all_gpos
list_all_groups
list_all_owned_computers
list_all_owned_enabled_users
list_all_owned_enabled_users_with_email
list_all_owned_enabled_users_with_rdp_and_sessions
list_all_owned_enabled_users_with_sqladmin
list_all_owned_users
list_all_principals_used_for_syncing_ad_and_aad
list_all_principals_with_local_admin_permission
list_all_principals_with_rdp_permission
list_all_principals_with_sqladmin_permission
list_all_tenancy
list_all_user_sessions
list_all_users_with_description_field
list_certificate_authority_servers
list_computers_without_laps
list_custom_privileged_groups
list_domain_computers
list_domain_controllers
list_domains
list_domain_trusts
list_enabled_non_privileged_users_with_local_admin
list_enabled_non_privileged_users_with_rdp
list_enabled_non_privileged_users_with_rdp_and_sessions
list_enabled_non_privileged_users_with_sqladmin
list_enabled_principals_with_constrained_delegation
list_enabled_principals_with_unconstrained_delegation
list_enabled_users
list_enabled_users_pwd_never_expires_unchanged_1yr
list_enabled_users_with_email
list_en_svc_accts_priv_grp_mems
list_esc1_vulnerable_certificate_templates
list_esc2_vulnerable_certificate_templates
list_esc3_vulnerable_certificate_templates
list_esc4_vulnerable_certificate_templates
list_esc6_vulnerable_certificate_templates
list_esc7_vulnerable_certificate_templates
list_esc8_vulnerable_certificate_templates
list_high_value_targets
list_network_shares_ignoring_sysvol
list_non_managed_service_accounts
list_non_priv_users_with_admin_and_sessions
list_own_en_usrs_local_adm_sess
list_principals_with_azure_tenancy_access
list_privileged_users_without_protected_users
list_privileges_for_certificate_authority_servers
non_privileged_users_with_dangerous_permissions
route_all_owned_enabled_group_memberships
route_all_owned_enabled_non_privileged_group_memberships
route_all_owned_enabled_privileged_group_memberships
route_all_sessions_to_computers
route_all_sessions_to_computers_without_laps
route_azure_users_with_dangerous_rights_to_users
route_from_owned_enabled_principals_to_high_value_targets
route_non_priv_comps_dangerous_rights_to_comps
route_non_priv_comps_dangerous_rights_to_gpos
route_non_priv_comps_dangerous_rights_to_groups
route_non_priv_comps_dangerous_rights_to_priv_nodes
route_non_priv_comps_dangerous_rights_to_users
route_non_privileged_users_with_dangerous_permissions
route_non_privileged_users_with_dangerous_rights_to_gpos
route_non_privileged_users_with_dangerous_rights_to_users
route_non_priv_users_dangerous_rights_to_comps
route_non_priv_users_dangerous_rights_to_priv_nodes
route_non_priv_usrs_dang_rts_grps
route_owned_users_dangerous_rights_to_any
route_owned_users_dangerous_rights_to_groups
route_own_en_usrs_dang_rts_usrs
route_own_en_usrs_unconst_del
route_principals_to_azure_apps_and_sps
route_principals_to_azure_vm
route_principals_to_global_administrators
route_priv_users_sessions_to_non_priv_comps
route_user_principals_to_azure_service_principals
run_query
users_with_most_cross_domain_sessions
users_with_most_local_admin_rights
users_with_most_sessions

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/stevenyu113228/BloodHound-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server