Active Directory Certificate Services Misconfiguration: NTLM Relay to AD CS HTTP Endpoint
Active Directory Certificate Services (AD CS) is Microsoft's enterprise PKI implementation, integrated with Active Directory. Principals request certificates according to Certificate Templates: named collections of enrollment policies and predefined certificate settings. Besides the RPC/DCOM enrollment interface, AD CS can expose HTTP enrollment endpoints (the Web Enrollment pages under /certsrv and the Certificate Enrollment Web Service), and by default these accept NTLM authentication. Using NTLM relay, an attacker on a compromised machine can impersonate any AD account that can be made to authenticate with NTLM to the attacker's host. While holding the relayed session, the attacker requests a client-authentication certificate from the enrollment web interface based on the User or Machine template. Because the certificate authenticates the victim to Kerberos (PKINIT) or Schannel for its full lifetime, access survives a password change of the victim account.
The attacker does not need to sit between the victim and the CA. It only needs the victim to authenticate to an attacker-controlled listener, for example by coercing a domain controller's machine account to connect or by poisoning name resolution, and then forwards that NTLM exchange to the enrollment endpoint. If the endpoint accepts NTLM over plain HTTP, or over HTTPS without Extended Protection for Authentication (channel binding) required, the relayed authentication succeeds and the attacker obtains a certificate for a privileged user or for a domain controller. The conditions to check on the CA are therefore whether Web Enrollment or CES is installed, whether NTLM is enabled on those IIS sites, whether an HTTP (not only HTTPS) binding exists, and whether Extended Protection is set to Required; disabling NTLM on the enrollment site, or enforcing HTTPS with EPA, removes the relay path. On the detection side, the IIS log of the enrollment site records the victim's identity in cs-username together with the relay host's address in c-ip, so a certificate request whose authenticated identity does not match the host it came from (a domain controller's machine account posting a request from a workstation address, for instance) is the signature to look for.
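The following is an added example, not part of the original page or of any product: a small detector that reads IIS W3C log lines from the AD CS Web Enrollment site and applies the mismatch heuristic described above. The log rows, the per-principal expected-IP inventory and the three heuristics (plain HTTP, a machine account using the web UI, and an identity whose source address is not the one on record) are constructed assumptions for illustration.

```python
"""Relayed-NTLM enrollment detection over IIS W3C logs of the AD CS web
enrollment site (/certsrv). Added example: the log lines, inventory and
heuristics below are constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed inventory: the client IP each principal is expected to come from.
# In the relay case the CA sees the victim's identity but the attacker's IP.
EXPECTED_IP: Dict[str, str] = {
    "CORP\\DC01$": "10.0.0.10",
    "CORP\\jsmith": "10.0.0.50",
    "CORP\\da-admin": "10.0.0.7",
}

SUBMIT_PATH = "/certsrv/certfnsh.asp"   # form submission page of Web Enrollment


@dataclass
class Finding:
    time: str
    user: str
    client_ip: str
    code: str      # short tag for correlation / tests
    detail: str


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data row seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row; skipping beats misaligned columns
        yield dict(zip(fields, values))


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Apply the relay heuristics to every certificate submission (POST)."""
    findings: List[Finding] = []
    for r in parse_w3c(lines):
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() != SUBMIT_PATH:
            continue
        user, ip, t = r["cs-username"], r["c-ip"], r["time"]
        if r["s-port"] == "80":
            findings.append(Finding(t, user, ip, "plain-http",
                "enrollment over HTTP: relayed NTLM is accepted; require HTTPS and EPA"))
        if user.endswith("$"):
            findings.append(Finding(t, user, ip, "machine-account",
                "machine account used the web UI; domain members autoenroll over RPC/DCOM, not /certsrv"))
        expected = EXPECTED_IP.get(user)
        if expected is not None and expected != ip:
            findings.append(Finding(t, user, ip, "ip-mismatch",
                f"request from {ip} but {user} is expected from {expected}: consistent with relay"))
    return findings


def codes_by_user(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Group finding codes per authenticated identity."""
    out: Dict[str, Set[str]] = {}
    for f in analyze(lines):
        out.setdefault(f.user, set()).add(f.code)
    return out


# Constructed sample log: a legitimate user enrollment, a machine-account
# request that arrives from a host that is not DC01, and a privileged user
# request from an unexpected host over HTTPS.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.20 GET /certsrv/certrqus.asp - 80 CORP\\jsmith 10.0.0.50 Mozilla/5.0+(Windows+NT+10.0) 200
2024-05-01 10:00:09 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\jsmith 10.0.0.50 Mozilla/5.0+(Windows+NT+10.0) 200
2024-05-01 10:03:44 10.0.0.20 POST /certsrv/certfnsh.asp - 80 CORP\\DC01$ 10.0.0.99 Mozilla/5.0 200
2024-05-01 10:05:12 10.0.0.20 POST /certsrv/certfnsh.asp - 443 CORP\\da-admin 10.0.0.99 Mozilla/5.0 200
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.time} {f.user:<16} {f.client_ip:<12} [{f.code}] {f.detail}")
```

Run against the sample, the user enrollment from the expected workstation is only flagged for using plain HTTP, the DC01$ request trips all three heuristics, and the da-admin request over HTTPS is flagged solely because it came from a host other than the one on record. The expected-IP inventory is the weak point of this heuristic in practice (DHCP, VPN pools, jump hosts), so in a real deployment the machine-account and port-80 checks carry more weight than a single address mismatch, and a hit should be confirmed against the CA's issued-certificate records for the same identity and time.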