Check Certify and ADCS Vulns
windowschecklist
Walkthrough
Enumerate Active Directory Certificate Services for vulnerable templates (ESC1-ESC8). A hit means a misconfigured template you can abuse to obtain certificates for privilege escalation.
Commands
bash
netexec ldap <IP> -u <USER> -p '<PASS>' -M adcs