Active Directory Certificate Services Misconfigured Enrollment Agent Template
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals request PKI certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. A Certificate Template that carries the 'Certificate Request Agent' EKU (OID 1.3.6.1.4.1.311.20.2.1) and is not sufficiently protected (low-privileged principals hold enrollment rights, manager approval is not required, and no authorized signatures are required) could be used by an attacker to obtain an enrollment agent certificate and sign a certificate request 'on behalf of' another user for a second template that allows Client Authentication. On its own this template does not yield domain privilege escalation: a secondary template that accepts such on-behalf-of requests must also be available, and the CA must not have enrollment agent restrictions that limit which agents may act for which users and templates. See 'Certified Pre-Owned: Misconfigured Enrollment Agent Templates - ESC3' for additional details.
Attackers can request (and receive) an enrollment agent certificate from the misconfigured template. In concert with a secondary template that allows Client Authentication and accepts requests signed by a Certificate Request Agent, attackers can use the enrollment agent certificate to request a certificate on behalf of a Domain Administrator and then authenticate as that account (for example via PKINIT), leading to domain privilege escalation.
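The two template conditions described above can be checked offline once the template attributes have been pulled from AD. The following audit is an added example written for this page, not code from the page's author or from any tool it references; it works over constructed template records (the sample data is made up, and the set of principals treated as low-privileged is an assumption) and flags enrollment-agent/target pairs that together satisfy ESC3 as described in the Certified Pre-Owned write-up. It does not check the CA-level enrollment agent restrictions, which are a property of the CA rather than of any template.

```python
"""Offline ESC3 template-pair audit (added example, constructed data)."""
from dataclasses import dataclass, field

# Well-known EKU / application policy OIDs.
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}

# msPKI-Enrollment-Flag bit: every request is held for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# Assumption: principals whose Enroll right we treat as "any low-privileged user".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    """Subset of certificate template attributes relevant to ESC3."""
    name: str
    schema_version: int                     # msPKI-Template-Schema-Version
    ekus: set                               # pKIExtendedKeyUsage / msPKI-Certificate-Application-Policy
    enrollment_flag: int = 0                # msPKI-Enrollment-Flag
    ra_signature: int = 0                   # msPKI-RA-Signature (authorized signatures required)
    ra_application_policies: set = field(default_factory=set)  # msPKI-RA-Application-Policies
    enrollers: set = field(default_factory=set)  # principals with Enroll in the template DACL
    published: bool = True                  # template is enabled on at least one CA


def low_priv_can_enroll(t: Template) -> bool:
    return bool(t.enrollers & LOW_PRIV_PRINCIPALS)


def requires_manager_approval(t: Template) -> bool:
    return bool(t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS)


def is_vulnerable_agent_template(t: Template) -> bool:
    """Enrollment agent certificate obtainable by a low-privileged user with no gate."""
    return (t.published
            and OID_CERT_REQUEST_AGENT in t.ekus
            and low_priv_can_enroll(t)
            and not requires_manager_approval(t)
            and t.ra_signature == 0)


def is_vulnerable_target_template(t: Template) -> bool:
    """Client-auth template that accepts an on-behalf-of request signed by an agent.

    Per the ESC3 write-up: schema version 1 templates accept agent-signed requests
    outright; newer templates must require one signature carrying the
    Certificate Request Agent application policy.
    """
    if not (t.published and t.ekus & AUTH_EKUS
            and low_priv_can_enroll(t) and not requires_manager_approval(t)):
        return False
    if t.schema_version == 1:
        return True
    return t.ra_signature == 1 and OID_CERT_REQUEST_AGENT in t.ra_application_policies


def find_esc3_pairs(templates):
    """Return (agent_template, target_template) name pairs that together enable ESC3."""
    agents = [t for t in templates if is_vulnerable_agent_template(t)]
    targets = [t for t in templates if is_vulnerable_target_template(t)]
    return [(a.name, b.name) for a in agents for b in targets]


# Constructed sample inventory (not real templates from any environment).
SAMPLE_TEMPLATES = [
    Template("EnrollmentAgentV2", 2, {OID_CERT_REQUEST_AGENT}, enrollers={"Domain Users"}),
    Template("AdminOnlyAgent", 2, {OID_CERT_REQUEST_AGENT}, enrollers={"Domain Admins"}),
    Template("User", 1, {OID_CLIENT_AUTH, "1.3.6.1.4.1.311.10.3.4"}, enrollers={"Domain Users"}),
    Template("ApprovedUser", 2, {OID_CLIENT_AUTH}, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
             enrollers={"Domain Users"}),
    Template("OBOSignedLogon", 2, {OID_SMARTCARD_LOGON}, ra_signature=1,
             ra_application_policies={OID_CERT_REQUEST_AGENT}, enrollers={"Authenticated Users"}),
    Template("UnpublishedAgent", 2, {OID_CERT_REQUEST_AGENT}, enrollers={"Domain Users"},
             published=False),
]

if __name__ == "__main__":
    for agent, target in find_esc3_pairs(SAMPLE_TEMPLATES):
        print(f"ESC3: agent template '{agent}' can sign on-behalf-of requests for '{target}'")
```

Pulling the real attributes means reading each template's `msPKI-*` values and DACL from `CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...` and the `certificateTemplates` attribute of each CA object; the audit logic above is unchanged once those are mapped onto `Template`. Removing either half of a reported pair (restricting Enroll on the agent template, requiring manager approval, or configuring enrollment agent restrictions on the CA) breaks the chain.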