Enumerate and abuse AD CS with Certipy (ESC1 / ESC7 / ESC9 / shadow).
Command: Linux copy
certipy find -dc-ip $DCIP -u $USER@$DOMAIN -p $PASSWORD -vulnerable -stdout certipy find -k -target $DC -vulnerable -stdout
References: