Cert Publishers

The Cert Publishers group is a built-in AD group whose members are allowed to publish user certificates to AD objects. However, they do not have write access to certificate templates by default. Granting them such permissions is a misconfiguration that can lead to attacks like ESC4.

Privileges of Cert Publishers

Write on userCertificate attribute: Cert Publishers can publish user certificates to user objects in AD by writing to the userCertificate attribute. This is their primary and default function.

Read on Certificate Templates: They can read certificate templates, but cannot write to or modify them by default.

Enroll (if assigned by a template): They may have the right to enroll for certificates if the template explicitly allows it; the right is not granted automatically by Cert Publishers membership.

If a member of this group is compromised, check for potential ESC vulnerabilities:

# Test for vulnerable templates
$ certipy find -u <user>@<domain> -p <pass> -stdout -vuln
...
    [!] Vulnerabilities
      ESC1  : '<domain>\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
      ESC2  : '<domain>\\Domain Users' can enroll and template can be used for any purpose
      ESC3  : '<domain>\\Domain Users' can enroll and template has Certificate Request Agent EKU set
      ESC4  : User has dangerous permissions.
      ESC16 : Security Extension is disabled.
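To audit the ESC4 misconfiguration described above from the defender's side (Cert Publishers holding write rights on templates), here is an added PowerShell check that is not part of the original page. It assumes the RSAT ActiveDirectory module, a domain-joined account that can read the Configuration naming context, and the rights list below as the set that permits editing a template or its security descriptor.

```powershell
# Added audit example (not from the original page): list certificate templates on which
# Cert Publishers hold write-class rights, the precondition for ESC4 described above.
# Assumptions: RSAT ActiveDirectory module is available; the group name follows the
# default "<NetBIOS domain>\Cert Publishers"; $writeRights is this example's own list.
Import-Module ActiveDirectory

$domainNetbios  = (Get-ADDomain).NetBIOSName
$certPublishers = "$domainNetbios\Cert Publishers"

# Rights that let a principal change a template or rewrite its DACL/owner
$writeRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty'

# Templates live in the Configuration naming context, not the domain NC
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
               (Get-ADRootDSE).configurationNamingContext

$templates = Get-ADObject -SearchBase $templatesDn -SearchScope OneLevel `
             -LDAPFilter '(objectClass=pKICertificateTemplate)'

foreach ($t in $templates) {
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $certPublishers) { continue }

        # ActiveDirectoryRights is a flags enum; split it into individual right names
        $granted = $ace.ActiveDirectoryRights.ToString().Split(',').Trim()
        $hit = $granted | Where-Object { $writeRights -contains $_ }
        if ($hit) {
            [pscustomobject]@{
                Template   = $t.Name
                Principal  = $ace.IdentityReference.Value
                Rights     = ($hit -join ', ')
                # Non-empty ObjectType means WriteProperty is scoped to one attribute;
                # an all-zero GUID means it applies to every attribute of the template
                ObjectType = $ace.ObjectType
                # The owner can rewrite the DACL, so report it alongside the ACEs
                Owner      = $acl.Owner
            }
        }
    }
}
```

Any row returned is a template on which Cert Publishers hold write rights they do not have by default and should be reviewed, which is the condition the certipy ESC4 finding above reports from the attacker's view.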
