Active Directory Certificate Services Misconfigured Template Access Controls
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI Certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. ADCS Certificate Templates are securable objects in the AD. If the Access Control Entries allow unintended, or otherwise unprivileged, AD principals to edit sensitive security settings, the template could be used by an attacker for domain privilege escalation.
An unprivileged user with 'Write' or 'Full Control' ACE privileges could overwrite the template's security features - allowing for Domain Privilege Escalation (via ESC1) if other mitigating factors are not in place.