> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# ExtendedByPolicy

> The edge indicates that a certificate template includes an issuance policy as a certificate extension.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

An attacker may perform the ADCS ESC13 abuse which relies on an issuance policy included in a certificate. This relationship alone is not enough to escalate rights or impersonate other principals.

## Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.

## Edge Schema

Source: [CertTemplate](/resources/nodes/cert-template)\
Destination: [IssuancePolicy](/resources/nodes/issuance-policy)\
Traversable: **No**

## References

* [ADCS ESC13 Abuse Technique](https://specterops.io/blog/2024/02/14/adcs-esc13-abuse-technique/)
* [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897\(v=ws.10\)?redirectedfrom=MSDN)
* [Use Authentication Mechanism Assurance (AMA) to secure administrative account login](https://www.gradenegger.eu/en/using-authentication-mechanism-assurance-ama-to-secure-the-login-of-administrative-accounts/)