Explore the often-overlooked security implications of Microsoft's Active Directory Certificate Services (AD CS) in this 35-minute Black Hat conference talk. Delve into the potential for credential theft, machine persistence, domain escalation, and subtle domain persistence within AD CS. Learn about enterprise certificate authorities, certificate enrollment processes, and certificate templates. Discover techniques for passive and active certificate theft, and understand the advantages and misconfigurations of certificate templates. Examine escalation scenarios, methods for finding vulnerable certificate templates, and the NTLM Relay and Printer Bug vulnerabilities. Gain insights from the speakers' experience reporting to Microsoft and witness a live demonstration of these concepts in action.