The ADCSESC13 edge indicates that the principal has the privileges to perform the ADCS ESC13 abuse against the target AD group. The principal has enrollment rights on a certificate template configured with an issuance policy extension.
The issuance policy has an OID group link to an AD group. The principal also has enrollment permission for an enterprise CA with the necessary template published. This enterprise CA is trusted for NT authentication and chains up to a root CA for the forest. This setup allows the principal to enroll a certificate that the principal can use to obtain access to the environment as a member of the group specified in the OID group link.
If the enrollment fails with an error message stating that the Email or DNS name is unavailable and cannot be added to the Subject or Subject Alternate name, then it is because the enrollee principal does not have their ‘mail’ or ‘dNSHostName’ attribute set, which is required by the certificate template. The ‘mail’ attribute can be set on both user and computer objects but the ‘dNSHostName’ attribute can only be set on computer objects. Computers have validated write permission to their own ‘dNSHostName’ attribute by default, but neither users nor computers can write to their own ‘mail’ attribute by default.The certificate PFX is printed to the console in a base64-encoded format.
When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate.