Exploit ESC8 (Active Directory Certificate Services ADCS)
List all PKI Enrollment Servers
nxc ldap <ip> -u user -p pass -M adcsList All Certificates Inside a PKI
nxc ldap <ip> -u user -p pass -M adcs -o SERVER=xxxxLast updated