Abusing Active Directory Certificate Services – Part 2
ID: 3626765c-9d08-597b-9755-7a641bc2ee13
STIX ID: report--3626765c-9d08-597b-9755-7a641bc2ee13
Feed Name: Black Hills Infosec Blog
This report demonstrates ESC4 — an ADCS certificate template permissions misconfiguration that permits non-admin Domain Users to modify templates and create certificates for other accounts (including Domain Administrators) using Certipy, providing a path to full domain compromise; it provides PoC commands, cleanup instructions, detection event IDs, hardening recommendations, and notes a Microsoft partial patch.
