AD Certificates

See HERE.

Use Certipy for enumeration and identifying vulnerable templates.

certipy find -vulnerable -u <USER>@<DOMAIN> -p <PASSWORD> -dc-ip <DC

PERSIST

Account Persistance.

ESC

Domain Escalation

DPERSIST

Domain Persistance

THEFT

Certificate Theft