ESC6 EDITF ATTRIBUTESUBJECTALTNAME2
Often seen when issuing certificates for web servers. Administrators often wish for additional hostnames to be added to certificates, which can be achieved by allowing SAN request attributes to be provided (requiring the +EDITF_ATTRIBUTESUBJECTALTNAME2 flag set on CA).
This flag applies to the entire CA, and therefore every certificate template which allows less privileged user enrolment can be used to issue certificates with a Domain Admin/Enterprise Admin as an additional UPN
Therefore, can enrol through any template set up to enable domain authentication, with focus on those open to unprivileged user enrolment, e.g. standard user template. This enables attacker to enrol as Domain admin.