Enroll

Abuse Info

The Enroll permission grants enrollment rights on the certificate template. The following additional requirements must be met for a principal to be able to enroll a certificate:

The certificate template is published on an enterprise CA
The principal has Enroll permission on the enterprise CA
The principal meets the issuance requirements and the requirements for subject name and subject alternative name defined by the template

Certify (2.0) can be used to enroll a certificate on Windows:

Certify.exe request --ca SERVER\CA-NAME --template TEMPLATE

Certipy can be used to enroll a certificate on Linux:

certipy req -u USER@CORP.LOCAL -p PWD -ca CA-NAME -target SERVER -template TEMPLATE

Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.

Edge Schema

Source: User, Group, Computer
Destination: CertTemplate, EnterpriseCA Traversable: No

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

https://attack.mitre.org/techniques/T1649/

Abuse and Opsec references

https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Abuse Info

Opsec Considerations

Edge Schema

References

Abuse and Opsec references

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Abuse Info

​Opsec Considerations

​Edge Schema

​References

​Abuse and Opsec references

Abuse Info

Opsec Considerations

Edge Schema

References

Abuse and Opsec references