PSWA
In the earlier stage of the engagement, enumerating ADCS revealed a notable detail about the unusual web endpoint served over TLS: it appeared to be configured to permit access only with a valid client certificate. Closer examination made it possible to generate (request) a specifically crafted certificate and import it as a PFX into the browser.
Behind the cryptographic layer, the endpoint was found to host a PowerShell Web Access (PSWA) gateway. At the time of discovery, the security context was limited to the hope.sharp user, who is not a member of the Remote Management Users group, so no session could be opened.
Now that the sierra.frye user, who is a member of the Remote Management Users group, has been compromised, an initial foothold can be obtained via the PSWA endpoint.
Initial foothold established on the target system as the sierra.frye user via PSWA.
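The two controls that decided the outcome above were the IIS client-certificate requirement and the PSWA authorization rules plus Remote Management Users membership. The following audit script is an added example written for this page, not code from the original writeup; it assumes it runs on the PSWA gateway host with the PowerShellWebAccess and WebAdministration modules installed, and that PSWA lives at the default IIS application path.

```powershell
# Added defender-side audit of a PSWA gateway (example code, not from the original writeup).
# Assumption: run locally on the gateway; the application path below is the PSWA default.
Import-Module PowerShellWebAccess -ErrorAction Stop
Import-Module WebAdministration  -ErrorAction Stop

$pswaPath = 'IIS:\Sites\Default Web Site\pswa'   # assumption: default PSWA install path

# 1. Confirm the client-certificate requirement seen during the engagement is still enforced.
#    'Ssl,SslRequireCert' means a valid client certificate is mandatory to reach the login page.
$ssl = Get-WebConfigurationProperty -PSPath $pswaPath `
        -Filter 'system.webServer/security/access' -Name sslFlags
"PSWA sslFlags: $($ssl.Value)"

# 2. List who may open a session and to which destinations.
#    A rule with '*' for User and Destination lets any authenticated account reach any host,
#    leaving group membership as the only remaining gate.
Get-PswaAuthorizationRule | ForEach-Object {
    [pscustomobject]@{
        Id            = $_.Id
        RuleName      = $_.RuleName
        User          = $_.User
        Destination   = $_.Destination
        Configuration = $_.ConfigurationName
        Wildcard      = ($_.User -eq '*' -or $_.Destination -eq '*')
    }
} | Format-Table -AutoSize

# 3. Enumerate Remote Management Users on the gateway. In the writeup this membership,
#    not the certificate, was what separated hope.sharp (denied) from sierra.frye (allowed),
#    so each principal here should be reviewed and justified.
Get-LocalGroupMember -Group 'Remote Management Users' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

If the gateway is a domain controller, the group shown in step 3 is the domain's built-in Remote Management Users group, so nested domain groups should be expanded as well when reviewing the membership.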