Theory

In their research papers, Will Schroeder and Lee Christensen identified a set of vectors of domain persistence based on access control misconfigurations (dubbed DPERSIST3).

Active Directory Certificate Services add multiple objects to AD, including securable ones which principals can have permissions over. This includes Certificate templates, Certificate Authorities, CA server, etc.

In the same research papers, domain escalation techniques abusing misconfigurated access controls were identified dubbed ESC4, ESC5 and ESC7).

If an attacker obtains sufficient permissions in a domain, he could modify security descriptors of AD CS components, in order to make them vulnerable to the attacks mentioned in Movement > AD-CS > Access controls.

These modifications can be made with tools like Impacket's (Python) dacledit.py or with Add-DomainObjectAcl (PowerView module), as explained in Grant rights.