Active Directory Certificate Services Misconfigured Template Requires Enrollment Agent Signature
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. A misconfigured ADCS Certificate Template has an EKU allowing Domain Authentication and specifies an Application Policy Issuance Requirement requiring that a certificate request be signed by an Enrollment Agent, but is otherwise unprotected. For an attacker to abuse this template, a vulnerable Enrollment Agent template must also be present in the environment. See 'Certified Pre-Owned: Misconfigured Enrollment Agent Templates - ESC3' for additional details.
If attackers have access to an Enrollment Agent Certificate, they can utilize it to sign a certificate request for this vulnerable template 'on behalf of' a Domain Administrator - leading to Domain Privilege Escalation.
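
The template conditions described above can be audited from exported template attributes. This is an added example, not part of the original finding or any tool's code. The attribute names are the AD schema names for certificate templates; the `low_priv_can_enroll` field and all template records are constructed, assuming enrollment rights were already resolved from each template's ACL.

```python
# Added example: flag templates that allow domain authentication, require an
# Enrollment Agent signature, and are otherwise unprotected.
CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"  # Certificate Request Agent EKU
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
CT_FLAG_PEND_ALL_REQUESTS = 0x2  # msPKI-Enrollment-Flag bit: manager approval

def allows_domain_auth(t):
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    return not ekus or bool(ekus & AUTH_EKUS)  # an empty EKU list is unrestricted

def requires_agent_signature(t):
    # Substring match: the OID may be a bare value or packed in a longer string.
    policies = t.get("msPKI-RA-Application-Policies", [])
    return (t.get("msPKI-RA-Signature", 0) >= 1
            and any(CERT_REQUEST_AGENT in p for p in policies))

def is_flagged(t):
    approval = t.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS
    # low_priv_can_enroll is a hypothetical, pre-resolved field (assumption).
    return (allows_domain_auth(t) and requires_agent_signature(t)
            and not approval and t.get("low_priv_can_enroll", False))

def audit(templates):
    return [t["cn"] for t in templates if is_flagged(t)]

def tmpl(cn, ekus, sig, policies, flag=0, low_priv=True):
    return {"cn": cn, "pKIExtendedKeyUsage": ekus, "msPKI-RA-Signature": sig,
            "msPKI-RA-Application-Policies": policies,
            "msPKI-Enrollment-Flag": flag, "low_priv_can_enroll": low_priv}

# Constructed sample records; names and values are illustrative only.
TEMPLATES = [
    tmpl("UserOnBehalf", ["1.3.6.1.5.5.7.3.2"], 1, [CERT_REQUEST_AGENT]),
    tmpl("UserOnBehalfApproved", ["1.3.6.1.5.5.7.3.2"], 1,
         [CERT_REQUEST_AGENT], flag=CT_FLAG_PEND_ALL_REQUESTS),
    tmpl("WebServer", ["1.3.6.1.5.5.7.3.1"], 0, []),
    tmpl("SmartcardRestricted", ["1.3.6.1.4.1.311.20.2.2"], 1,
         [CERT_REQUEST_AGENT], low_priv=False),
    tmpl("PackedPolicy", [], 1,
         ["msPKI-RA-Application-Policies`PZPWSTR`" + CERT_REQUEST_AGENT + "`"]),
]

if __name__ == "__main__":
    print(audit(TEMPLATES))
```

A flagged template only becomes exploitable when an Enrollment Agent template is also obtainable, so the result should be reviewed together with the templates that issue the Certificate Request Agent EKU.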