This article applies to BHCE and BHE


The certificate template is published to an enterprise CA where the enrollment agent restrictions are configured to allow this principal to enroll certificates against this template as an enrollment agent. BloodHound does not assess what principals the enrollment agent is allowed to enroll on behalf of.



Abuse Info

An attacker may perform an ADCS ESC3 attack that relies on this DelegatedEnrollmentAgent relationship. This relationship alone is not enough to escalate rights or impersonate other principals.


Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.



This edge is related to the following MITRE ATT&CK tactic and techniques:


Abuse and Opsec references