The victim principal has a certificate private key that can be abused to sign “golden” certificates for authentication of any enabled principal in the AD forest of the domain.
The victim principal hosts the enrollment service of an enterprise CA, which implies it holds the private key of the enterprise CA's certificate. This private key allows an attacker to sign certificates for authentication as any enabled principal in the AD forest of the domain, because the enterprise CA is trusted for NT authentication and chains up to a root CA.

It may not be possible to obtain the certificate private key if it is protected with a Trusted Platform Module (TPM) or a Hardware Security Module (HSM). However, it may still be possible to compromise the AD forest: administrative access to the enterprise CA host lets an attacker publish certificate templates, approve denied enrollment requests, and more. The victim principal will have an ESC7 edge to the domain if BloodHound has found any such attack to be possible.
Back up the CA certificate with the credentials of a user with admin access on the enterprise CA host using Certipy. The enterprise CA certificate is the one where issuer and subject are identical.
certipy ca -backup -ca 'dumpster-DC01-CA' -username jd@dumpster.fire -password 'Password123!'
When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
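Because issued certificates are recorded in the CA database, a defender can cross-check the certificate serial numbers that appear in Kerberos PKINIT logon events (Windows Security event 4768 carries a "Certificate Information" block with the issuer name and serial number) against the CA's own issued-certificate records. A serial number that the CA never issued is a strong signal of a certificate forged with the CA private key. The script below is an added example, not BloodHound's or Certipy's code; the event lines and the CA export (in the shape of `certutil -view -out "RequestID,SerialNumber,RequesterName" csv`) are constructed samples.

```python
import csv
import io
import re

# Constructed sample of the "Certificate Information" fields that Windows
# Security event 4768 (Kerberos TGT request) carries when PKINIT is used.
SAMPLE_4768_EVENTS = """\
Account Name: jd   Certificate Issuer Name: dumpster-DC01-CA   Certificate Serial Number: 1a00000003   Certificate Thumbprint: 0a1b
Account Name: Administrator   Certificate Issuer Name: dumpster-DC01-CA   Certificate Serial Number: 7f3e9c0b11   Certificate Thumbprint: 2c3d
Account Name: svc_backup   Certificate Issuer Name: dumpster-DC01-CA   Certificate Serial Number: 1a00000004   Certificate Thumbprint: 4e5f
"""

# Constructed sample of the issued-certificate records exported on the CA host
# (certutil -view ... csv); these are the records the Opsec note refers to.
SAMPLE_CA_EXPORT = """\
"Request ID","Serial Number","Requester Name"
"3","1a00000003","DUMPSTER\\jd"
"4","1a00000004","DUMPSTER\\svc_backup"
"""

EVENT_RE = re.compile(
    r"Account Name:\s*(?P<account>\S+).*?"
    r"Certificate Issuer Name:\s*(?P<issuer>.+?)\s+"
    r"Certificate Serial Number:\s*(?P<serial>[0-9A-Fa-f]+)"
)


def norm(serial):
    """Normalise a hex serial so differing case/leading zeros still match."""
    return serial.strip().lower().lstrip("0") or "0"


def issued_serials(ca_export_csv):
    """Set of serial numbers the CA actually issued, from its exported database."""
    rows = csv.DictReader(io.StringIO(ca_export_csv))
    return {norm(row["Serial Number"]) for row in rows}


def find_unissued_certs(events_text, ca_export_csv, ca_name):
    """Return (account, serial) for PKINIT logons whose certificate claims to be
    from ca_name but whose serial number is absent from the CA database."""
    known = issued_serials(ca_export_csv)
    findings = []
    for line in events_text.splitlines():
        m = EVENT_RE.search(line)
        if not m or m.group("issuer").strip().lower() != ca_name.lower():
            continue
        if norm(m.group("serial")) not in known:
            findings.append((m.group("account"), m.group("serial")))
    return findings


if __name__ == "__main__":
    for account, serial in find_unissued_certs(SAMPLE_4768_EVENTS, SAMPLE_CA_EXPORT, "dumpster-DC01-CA"):
        print(f"ALERT: PKINIT logon by {account} with serial {serial} not found in CA database")
```

In the constructed data, only the Administrator logon uses a serial the CA has no record of, which is the pattern a golden certificate produces.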