RootCAFor

Any certificates signed by this CA will be trusted by the domain and all hosts in the domain.

Abuse Info

An attacker may perform several attacks that rely on the existence of a root CA, such as ESC1. This edge alone is not enough to escalate rights or impersonate other principals. This edge may contribute to other edges and attributes, from which an escalation opportunity may emerge.

Opsec Considerations

When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate, as well as the target identity the attacker is attempting to impersonate.

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

https://attack.mitre.org/techniques/T1649/

Abuse and Opsec references

https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
https://www.pkisolutions.com/understanding-active-directory-certificate-services-containers-in-active-directory/
https://www.ravenswoodtechnology.com/components-of-a-pki-part-2

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Abuse Info

Opsec Considerations

References

Abuse and Opsec references

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Abuse Info

​Opsec Considerations

​References

​Abuse and Opsec references

Abuse Info

Opsec Considerations

References

Abuse and Opsec references