Active Directory Certificate Services Misconfiguration Privilege Escalation - Subject Alternative Name
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. A misconfigured ADCS Certificate Template that can be used for Client Authentication is present on the Enterprise CA. The vulnerable template grants low-privileged users enrollment rights, allows requesters to specify a subjectAltName (SAN) in the request, and lacks protective Issuance Requirements (e.g. requiring manager approval or an authorized signature).
Attackers can use the vulnerable Certificate Template to request a certificate for a Domain Administrator, leading to privilege escalation.
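The following audit script is an added example, not part of the original finding. It enumerates published certificate templates and reports those that combine the conditions above (requester-supplied SAN, a client-authentication EKU, no manager approval or signature requirement, and enrollment rights for broad groups); it assumes the RSAT ActiveDirectory module and read access to the Configuration partition, and the group list `$lowPriv` is a constructed starting point.

```powershell
# Added ESC1-style template audit; not code from the original advisory.
Import-Module ActiveDirectory

$cfg = (Get-ADRootDSE).configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# Only templates published on at least one Enterprise CA can be enrolled
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates }

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester sets SAN
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval
$authEkus = @('1.3.6.1.5.5.7.3.2',         # Client Authentication
              '1.3.6.1.4.1.311.20.2.2',    # Smart Card Logon
              '1.3.6.1.5.2.3.4',           # PKINIT Client Authentication
              '2.5.29.37.0')               # Any Purpose
$enrollGuid = [Guid]'0e10c968-78fb-11d0-b10c-00c04fc2e1c2'   # Certificate-Enrollment right
$lowPriv = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers'  # constructed list
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$AllRight = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature,
                pKIExtendedKeyUsage, nTSecurityDescriptor |
ForEach-Object {
    $t = $_
    $sanFromRequester = ($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval    = ($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $needsSignature   = [int]$t.'msPKI-RA-Signature' -gt 0
    # An empty EKU list also allows the certificate to be used for client authentication
    $clientAuth = (-not $t.pKIExtendedKeyUsage) -or
                  [bool]($t.pKIExtendedKeyUsage | Where-Object { $authEkus -contains $_ })
    # Broad groups holding the Enroll extended right (or all rights) on the template
    $lowPrivEnroll = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        $who = $ace.IdentityReference.Value.Split('\')[-1]
        if ($ace.AccessControlType -ne 'Allow' -or $lowPriv -notcontains $who) { continue }
        $isEnroll = $ace.ActiveDirectoryRights.HasFlag($ExtRight) -and
                    ($ace.ObjectType -eq $enrollGuid -or $ace.ObjectType -eq [Guid]::Empty)
        if ($isEnroll -or $ace.ActiveDirectoryRights.HasFlag($AllRight)) { $who }
    }
    if ($published -contains $t.Name -and $sanFromRequester -and $clientAuth -and
        -not $needsApproval -and -not $needsSignature -and $lowPrivEnroll) {
        [pscustomobject]@{ Template = $t.Name; EnrollableBy = ($lowPrivEnroll -join ', ') }
    }
}
```

Remediation for any template listed is to clear the "Supply in the request" option (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), or to require CA certificate manager approval, and to restrict the Enroll right to the principals that actually need it; custom groups that indirectly contain all users are not in `$lowPriv` and should be added for your environment.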