# ESC1

If msPSKI-Certificates-Name-Flag has "**ENROLLEE\_SUPPLIES\_SUBJECT**", that means that the enrollee can supply the subject (name of the user they want the certificate for).

Which users can do this?

Check the Enrollement Permissions -> Enrollement Rights.

This is a great **persistence** method because a certificate would still be valid even if the password is changed. We can request a TGT using the certificate.

To find the certificate template that have "ENROLLEE\_SUPPLIES\_SUBJECT", use the below command:

```
Certify.exe find /enrolleeSuppliesSubject
```

## Abusing ESC 1