The principal has the "Manage CA" permission, also known as "CA Administrator", on the EnterpriseCA. This permission allows the principal to configure the CA to allow subject alternative names, publish certificate templates, grant the "Manage Certificates" permission, and more.
Abuse Info
This relationship alone is not enough to perform a privilege escalation or impersonation primitive. This relationship may contribute to other relationships and attributes, from which an escalation opportunity may emerge.
Opsec Considerations
Abusing a privilege escalation or impersonation primitive that relies on this relationship necessarily results in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.
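For defenders reviewing this permission, the following added example (not part of the original page or of BloodHound) lists principals that hold Manage CA outside an expected set and reports whether the CA accepts subject alternative names supplied in requests. It assumes the CA's allow ACEs and its policy module `EditFlags` value have already been exported; the access-mask bits and the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag are standard AD CS values not named on this page, and the principals, masks and allow-list are constructed sample data.

```python
# Added example: review who holds ManageCA on a CA and whether the CA
# accepts requester-supplied subject alternative names.
# Access-mask bits are the CA rights from certsrv.h; the ACEs, principal
# names and allow-list below are constructed sample data.
CA_RIGHTS = {
    0x001: "ManageCA",
    0x002: "ManageCertificates",
    0x004: "Auditor",
    0x008: "Operator",
    0x100: "Read",
    0x200: "Enroll",
}
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000  # bit in the policy EditFlags

def decode_rights(mask):
    """Return the named CA rights present in an ACE access mask."""
    return [name for bit, name in CA_RIGHTS.items() if mask & bit]

def review_ca(aces, edit_flags, expected_admins):
    """Return findings for one CA.

    aces: iterable of (principal, access_mask) from allow ACEs on the CA.
    edit_flags: DWORD read from the CA policy module's EditFlags value.
    expected_admins: principals that are meant to hold ManageCA.
    """
    expected = {p.lower() for p in expected_admins}
    findings = []
    for principal, mask in aces:
        rights = decode_rights(mask)
        if "ManageCA" in rights and principal.lower() not in expected:
            findings.append(("unexpected-manageca", principal, rights))
    if edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.append(("san-from-request-enabled", hex(edit_flags), []))
    return findings

# Constructed sample input.
SAMPLE_ACES = [
    ("CORP\\Domain Admins", 0x003),
    ("CORP\\Enterprise Admins", 0x003),
    ("CORP\\helpdesk-svc", 0x001),
    ("NT AUTHORITY\\Authenticated Users", 0x300),
]
SAMPLE_EDIT_FLAGS = 0x15014E  # constructed: SAN bit set
SAMPLE_EXPECTED = ["CORP\\Domain Admins", "CORP\\Enterprise Admins"]

if __name__ == "__main__":
    for finding in review_ca(SAMPLE_ACES, SAMPLE_EDIT_FLAGS, SAMPLE_EXPECTED):
        print(finding)
```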
References
This edge is related to the following MITRE ATT&CK tactic and techniques:
- https://attack.mitre.org/techniques/T1649/
Abuse and Opsec references