| Entity Panel | Database | Directory | Description |
| --- | --- | --- | --- |
| Display Name | displayname | displayName | The display name of the object. |
| Object ID | objectid | objectGUID | The object's unique identifier in the directory. |
| ACL Inheritance Denied | isaclprotected | nTSecurityDescriptor | Whether inherited permissions (ACEs) from containers are blocked on this object. |
| Application Policies Required | applicationpolicies | msPKI-RA-Application-Policies | The RA application policy EKUs required in the counter-signatures of certificate requests. |
| Application Policy Extensions | certificateapplicationpolicy | msPKI-Certificate-Application-Policy | List of EKUs that might go into issued certificates (see Effective EKUs). |
| Authentication Enabled | authenticationenabled | - | Whether the certificate can be used for authentication. See this blog post for details on how it is calculated: https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b03cf |
| Authorized Signatures Required | authorizedsignatures | msPKI-RA-Signature | The number of enrollment registration authority signatures required in an enrollment request. |
| Certificate Name Flags | certificatenameflag | msPKI-Certificate-Name-Flag | The flags that control how the Subject and Subject Alternative Name of an issued certificate are constructed. |
| Created | whencreated | whenCreated | When the object was created in the directory. |
| Distinguished Name | distinguishedname | distinguishedName | The name of the object and its location in AD. |
| Domain FQDN | domain | - | The fully qualified domain name (FQDN) of the domain the object belongs to. |
| Domain SID | domainsid | - | The SID of the domain the object belongs to. |
| Effective EKUs | effectiveekus | - | The list of EKUs that will appear in the Enhanced Key Usage (2.5.29.37) extension of issued certificates. By default it contains the EKUs of msPKI-Certificate-Application-Policy. If the schema version is 1 and pKIExtendedKeyUsage is not empty, it contains the EKUs of pKIExtendedKeyUsage instead. |
| Enhanced Key Usage | ekus | pKIExtendedKeyUsage | List of EKUs that might go into issued certificates (see Effective EKUs). |
| Enrollee Supplies Subject | enrolleesuppliessubject | msPKI-Certificate-Name-Flag (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) | Whether the certificate template requires the enrollee to supply the Subject Alternative Name data. |
| Enrollment Flags | enrollmentflag | msPKI-Enrollment-Flag | Contains enrollment-related flags. |
| Issuance Policies Required | issuancepolicies | msPKI-RA-Policies | The list of policy OIDs required from those who sign enrollment requests. |
| Issuance Policy Extensions | certificatepolicy | msPKI-Certificate-Policy | List of issuance policies that are included in issued certificates. |
| Last Collected by BloodHound | lastcollected | - | The most recent time the object was collected and ingested into BloodHound. |
| Last Seen by BloodHound | lastseen | - | The most recent time the object, or a reference to it, was collected and ingested into BloodHound. |
| No Security Extension | nosecurityextension | msPKI-Certificate-Name-Flag (CT_FLAG_NO_SECURITY_EXTENSION) | Whether issued certificates will omit the security extension (the SID of the enrollee), which may be required for authentication. |
| OID | oid | msPKI-Cert-Template-OID | The object identifier of the certificate template. |
| Renewal Period | renewalperiod | pKIOverlapPeriod | The period before expiry within which issued certificates should be renewed. |
| Requires Manager Approval | requiresmanagerapproval | msPKI-Enrollment-Flag (CT_FLAG_PEND_ALL_REQUESTS) | Whether certificate requests require manager approval. |
| Schema Version | schemaversion | msPKI-Template-Schema-Version | The schema version of the certificate template. |
| Subject Alternative Name Require DNS | subjectaltrequiredns | msPKI-Certificate-Name-Flag (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) | Whether the certificate template requires the DNS name of the subject in the Subject Alternative Name. |
| Subject Alternative Name Require Domain DNS | subjectaltrequiredomaindns | msPKI-Certificate-Name-Flag (CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS) | Whether the certificate template requires the domain DNS name of the subject in the Subject Alternative Name. |
| Subject Alternative Name Require Email | subjectaltrequireemail | msPKI-Certificate-Name-Flag (CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL) | Whether the certificate template requires the email of the subject in the Subject Alternative Name. |
| Subject Alternative Name Require SPN | subjectaltrequirespn | msPKI-Certificate-Name-Flag (CT_FLAG_SUBJECT_ALT_REQUIRE_SPN) | Whether the certificate template requires the UPN (yes, not the SPN) of the subject in the Subject Alternative Name. |
| Subject Alternative Name Require UPN | subjectaltrequireupn | msPKI-Certificate-Name-Flag (CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) | Whether the certificate template requires the UPN of the subject in the Subject Alternative Name. |
| Subject Require Email | subjectrequireemail | msPKI-Certificate-Name-Flag (CT_FLAG_SUBJECT_REQUIRE_EMAIL) | Whether the certificate template requires the email of the subject. |
| Validity Period | validityperiod | pKIExpirationPeriod | The validity period of issued certificates. |
| - | name | name + domain name | Name of the object + @ + the name of the domain. |
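Several rows in the table are booleans that BloodHound derives from bit flags in msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag, and the Effective EKUs row describes a small decision rule. The following Python is an added example (not BloodHound's or SharpHound's own code) showing how those properties are computed from the raw attribute values. The flag bit values are taken from MS-CRTD; the `AUTH_EKUS` set used for Authentication Enabled follows the rule in the blog post linked above and is an assumption of this example, as are the two constructed sample templates (the "User" sample stores its name flag as a negative signed 32-bit integer, which is how LDAP returns it):

```python
"""Derive the CertTemplate boolean properties in the table above from raw
AD attribute values. Added example, not BloodHound's or SharpHound's code.
Flag bit values come from MS-CRTD; AUTH_EKUS and the sample templates are
this example's assumptions."""

# msPKI-Certificate-Name-Flag bits (MS-CRTD 2.27)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS = 0x00400000
CT_FLAG_SUBJECT_ALT_REQUIRE_SPN = 0x00800000
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL = 0x04000000
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000
CT_FLAG_SUBJECT_REQUIRE_EMAIL = 0x20000000

# msPKI-Enrollment-Flag bits (MS-CRTD 2.26)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs treated as enabling authentication (assumption of this example, based
# on the linked SpecterOps post; an empty effective list also counts).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}


def effective_ekus(schema_version, pki_extended_key_usage, application_policy):
    """Effective EKUs rule from the table: msPKI-Certificate-Application-Policy
    by default; pKIExtendedKeyUsage instead when the schema version is 1 and
    that attribute is non-empty."""
    if schema_version == 1 and pki_extended_key_usage:
        return list(pki_extended_key_usage)
    return list(application_policy)


def authentication_enabled(ekus):
    """No EKU restriction means the certificate is usable for any purpose."""
    return not ekus or any(eku in AUTH_EKUS for eku in ekus)


def as_uint32(value):
    """LDAP returns these flags as signed 32-bit integers; mask to unsigned so
    high-order bits such as 0x80000000 test cleanly."""
    return int(value) & 0xFFFFFFFF


def derive_properties(template):
    """Map raw directory attributes to the property names in the 'Database'
    column of the table."""
    name_flag = as_uint32(template.get("msPKI-Certificate-Name-Flag", 0))
    enrollment_flag = as_uint32(template.get("msPKI-Enrollment-Flag", 0))
    schema_version = int(template.get("msPKI-Template-Schema-Version", 1))
    ekus = list(template.get("pKIExtendedKeyUsage", []))
    app_policy = list(template.get("msPKI-Certificate-Application-Policy", []))
    effective = effective_ekus(schema_version, ekus, app_policy)

    name_flag_props = {
        "enrolleesuppliessubject": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "subjectaltrequiredns": CT_FLAG_SUBJECT_ALT_REQUIRE_DNS,
        "subjectaltrequiredomaindns": CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS,
        "subjectaltrequireemail": CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL,
        "subjectaltrequirespn": CT_FLAG_SUBJECT_ALT_REQUIRE_SPN,
        "subjectaltrequireupn": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
        "subjectrequireemail": CT_FLAG_SUBJECT_REQUIRE_EMAIL,
    }
    props = {
        "schemaversion": schema_version,
        "ekus": ekus,
        "certificateapplicationpolicy": app_policy,
        "effectiveekus": effective,
        "authenticationenabled": authentication_enabled(effective),
        "certificatenameflag": name_flag,
        "enrollmentflag": enrollment_flag,
        "requiresmanagerapproval": bool(enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS),
    }
    for prop, bit in name_flag_props.items():
        props[prop] = bool(name_flag & bit)
    return props


# Constructed sample templates, not real directory data.
SAMPLE_TEMPLATES = {
    "User": {
        "msPKI-Template-Schema-Version": 1,
        "msPKI-Certificate-Name-Flag": -1509949440,  # 0xA6000000 as signed int32
        "msPKI-Enrollment-Flag": 41,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4",
                                "1.3.6.1.4.1.311.10.3.4"],
        "msPKI-Certificate-Application-Policy": [],
    },
    "WebServerV2": {
        "msPKI-Template-Schema-Version": 2,
        "msPKI-Certificate-Name-Flag": 1,  # enrollee supplies subject
        "msPKI-Enrollment-Flag": 2,        # pend all requests (manager approval)
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "msPKI-Certificate-Application-Policy": ["1.3.6.1.5.5.7.3.1"],
    },
}

if __name__ == "__main__":
    for name, raw in SAMPLE_TEMPLATES.items():
        print(name, derive_properties(raw))
```

For the "User" sample the schema-1 rule selects pKIExtendedKeyUsage as the effective list, so Authentication Enabled is true, while the SAN flags resolve to UPN and email; for "WebServerV2" the application policy wins, the only EKU is Server Authentication, so Authentication Enabled is false even though the enrollee supplies the subject, and the pend-all-requests bit marks it as requiring manager approval.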
| Edge type | Entity panel category |
| --- | --- |
| AllExtendedRights | Inbound Object Control |
| DelegatedEnrollmentAgent | - |
| Enroll | Inbound Object Control |
| EnrollOnBehalfOf | - |
| GenericAll | Inbound Object Control |
| GenericWrite | Inbound Object Control |
| Owns | Inbound Object Control |
| WriteDacl | Inbound Object Control |
| WriteOwner | Inbound Object Control |
| WritePKIEnrollmentFlag | Inbound Object Control |
| WritePKINameFlag | Inbound Object Control |
| Edge type | Entity panel category |
| --- | --- |
| EnrollOnBehalfOf | - |
| ExtendedByPolicy | - |
| PublishedTo | - |