Active Directory Certificate Services - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation that integrates with Active Directory. Principals can request PKI certificates based on collections of enrollment policies and predefined certificate settings known as Certificate Templates. If the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is set on the CA, any certificate request can carry a user-defined Subject Alternative Name (SAN), regardless of which template is used. With the flag set, a misconfigured Certificate Template that has an EKU allowing authentication, grants low-privileged users enrollment rights, and lacks protective Issuance Requirements (e.g., requiring manager approval or an authorized signature) can be exploited for domain privilege escalation.
Attackers can use such a vulnerable Certificate Template to request a certificate whose SAN identifies a Domain Administrator, leading to privilege escalation.
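The following PowerShell script is an added audit example, not part of the original finding: it reads the CA's EditFlags registry value with certutil, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, and (with `-Remediate`) clears only that bit and restarts the CA service. It assumes it is run in an elevated session on the CA host, and the CA config string `CA01.corp.example\Corp-CA01` is a placeholder.

```powershell
# Added audit/remediation example (not part of the original page).
# Assumptions: elevated PowerShell session on the CA host; the CA config
# string below is a placeholder to replace with your own "host\CA name".
param([switch]$Remediate)

$CaConfig = 'CA01.corp.example\Corp-CA01'   # placeholder CA config string
$SanFlag  = 0x00040000                       # EDITF_ATTRIBUTESUBJECTALTNAME2

# certutil prints the EditFlags DWORD as hex, followed by the decoded flag names.
$regOut = certutil -config $CaConfig -getreg 'policy\EditFlags' 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil failed for $CaConfig`n$regOut" }

# Prefer the numeric value; fall back to the decoded name if the layout differs.
$flagSet = $false
if ($regOut -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
    $editFlags = [Convert]::ToInt64($Matches[1], 16)
    $flagSet   = ($editFlags -band $SanFlag) -ne 0
} elseif ($regOut -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    $flagSet = $true
}

if (-not $flagSet) {
    Write-Host "[OK] $CaConfig : EDITF_ATTRIBUTESUBJECTALTNAME2 is not set."
    return
}

Write-Warning ("$CaConfig : EDITF_ATTRIBUTESUBJECTALTNAME2 is SET. Any enrollee can " +
               "supply an arbitrary SAN; review templates that allow an authentication " +
               "EKU, grant low-privileged enrollment, and lack issuance requirements.")

if ($Remediate) {
    # Clears only this bit; the other EditFlags bits are preserved.
    # The CA service must be restarted for the change to take effect.
    certutil -config $CaConfig -setreg 'policy\EditFlags' -EDITF_ATTRIBUTESUBJECTALTNAME2
    Restart-Service -Name CertSvc
    Write-Host "Flag cleared and CertSvc restarted; re-run this script to confirm."
}
```

Running the script without `-Remediate` is read-only and safe to schedule across all enterprise CAs as a recurring configuration check.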