ESC1
Enrollee can request cert for ANY user.
If msPKI-Certificate-Name-Flag has "ENROLLEE_SUPPLIES_SUBJECT", that means that the enrollee can supply the subject (name of the user they want the certificate for).
Which users can do this?
Check the Enrollment Permissions -> Enrollment Rights.
This is a great persistence method because a certificate would still be valid even if the password is changed. We can request a TGT using the certificate.
To find the certificate templates that have "ENROLLEE_SUPPLIES_SUBJECT", use the below command:
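An added audit example, not the original page's command: it lists templates with the ENROLLEE_SUPPLIES_SUBJECT bit set and the principals holding enrollment rights on them, so over-broad grants can be reviewed and removed. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example: audit AD CS templates for the two ESC1 checks described above
# (ENROLLEE_SUPPLIES_SUBJECT flag, and who holds enrollment rights).
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# ENROLLEE_SUPPLIES_SUBJECT is bit 0x1 of msPKI-Certificate-Name-Flag.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = '(&(objectClass=pKICertificateTemplate)' +
          '(msPKI-Certificate-Name-Flag:1.2.840.113556.1.4.803:=1))'

# GUID of the "Certificate-Enrollment" extended right.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

Get-ADObject -SearchBase $templateBase -LDAPFilter $filter `
             -Properties displayName, nTSecurityDescriptor |
    ForEach-Object {
        $template = $_
        $template.nTSecurityDescriptor.Access |
            Where-Object {
                # Allow ACEs granting Enroll explicitly, or all extended
                # rights (empty ObjectType, which also covers GenericAll).
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $extRight) -and
                ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Template  = $template.Name
                    Principal = $_.IdentityReference.Value
                }
            }
    } |
    Sort-Object Template, Principal -Unique |
    Format-Table -AutoSize
```

Rows where the principal is a broad group such as Domain Users or Authenticated Users are the ones to fix first, either by clearing the flag on the template or by tightening its enrollment rights.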
Abusing ESC 1