Active Directory Certificate Services: Vulnerable Certificate Authority Access Control
Active Directory Certificate Services (ADCS) is Microsoft's enterprise PKI implementation, integrated with Active Directory. Each AD Certificate Authority carries its own set of permissions that secure CA actions; the two most important rights are ManageCA (CA Administrator) and ManageCertificates (Certificate Manager, also called Officer). A principal with ManageCA rights on a CA can use PSPKI to remotely flip the EDITF_ATTRIBUTESUBJECTALTNAME2 flag, which makes the CA honour a Subject Alternative Name (SAN) supplied with any certificate request; the changed flag only takes effect once the CA service (CertSvc) has been restarted. A principal with ManageCertificates rights can remotely approve pending certificate requests, which defeats the Manager Approval protection on templates that require it.
If an attacker gains control of an otherwise low-privileged account that holds ManageCA or ManageCertificates rights, they can modify the CA's configuration (ManageCA also allows granting further CA rights, including ManageCertificates, to a principal of their choosing) and control which requests are issued, and use this to escalate to domain-level privileges.
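The following audit script is an added example, not code from the original page or from BloodHound or PSPKI. Run from a domain-joined host with the PSPKI module installed and RPC/DCOM access to the CA, it lists who holds ManageCA or ManageCertificates on one enterprise CA, checks whether EDITF_ATTRIBUTESUBJECTALTNAME2 is currently set, and lists the requests waiting for manager approval. The CA host and name, the list of principals expected to hold CA rights, and the name-based lookup of the rights property on the ACE object are assumptions for this example.

```powershell
# Added audit script (not from the original page, BloodHound or PSPKI): check one enterprise CA
# for the ESC7 condition described above. CA host/name and the expected-admins list are placeholders.
Import-Module PSPKI

$CaHost   = 'ca01.corp.local'              # placeholder CA host
$CaName   = 'corp-CA01-CA'                 # placeholder CA common name
$CaConfig = "$CaHost\$CaName"              # "host\CA name" string that certutil -config expects

# Principals expected to hold CA management rights; any other holder is a finding (assumed list).
$ExpectedAdmins = @('CORP\Domain Admins', 'CORP\Enterprise Admins', 'BUILTIN\Administrators')

$ca = Get-CertificationAuthority -ComputerName $CaHost

# --- 1. CA access control: who holds ManageCA / ManageCertificates? ---
$acl = $ca | Get-CertificationAuthorityAcl
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # PSPKI exposes the granted rights as an enum-valued property whose name ends in "Rights";
    # it is resolved by name here (assumption) so the check does not depend on the exact property name.
    $rightsProp = $ace.PSObject.Properties | Where-Object { $_.Name -like '*Rights' } | Select-Object -First 1
    $rights = [string]$rightsProp.Value
    $who    = [string]$ace.IdentityReference
    if ($rights -match 'ManageCA|ManageCertificates' -and $ExpectedAdmins -notcontains $who) {
        Write-Warning "ESC7 candidate: $who holds [$rights] on $CaName"
    }
}

# --- 2. EDITF_ATTRIBUTESUBJECTALTNAME2: the flag ManageCA lets an attacker flip ---
# certutil decodes the EditFlags bitmask and prints every set flag by name, so a text match suffices.
$editFlags = certutil -config $CaConfig -getreg policy\EditFlags 2>&1 | Out-String
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning "EDITF_ATTRIBUTESUBJECTALTNAME2 is set on $CaName: any requester can supply a SAN"
} else {
    Write-Host "EditFlags OK on $CaName (SAN request attribute is not honoured)"
}

# --- 3. Requests waiting for manager approval: what ManageCertificates lets an attacker approve ---
# An unexpected approval of a request carrying a privileged UPN is the signal that Officer rights were abused.
$ca | Get-PendingRequest | Format-Table -AutoSize
```

Section 1 is the direct check for the condition the text describes; a low-privileged group or user appearing there should be removed from the CA's security settings on the CA itself (Certification Authority console, Security tab, or PSPKI's ACL cmdlets). Section 2 is worth re-running after any ManageCA holder has been active: a flipped flag only becomes effective after CertSvc is restarted, so an attacker with ManageCA but no ability to restart the service on the CA host (for example, `Restart-Service certsvc` as a local administrator there) has changed the registry value but not yet the CA's behaviour.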