HostsCAService

This article applies to BHCE and BHE

 

The Enterprise Certification Authority node is the enrollment service LDAP object for CA hosted on the computer node.

 

 

Abuse Info

An attacker may perform several attacks that rely on this relationship. This relationship alone is not enough to escalate rights or impersonate other principals. The enterprise CA must chain up to a root CA of the AD forest and it must be trusted for NT authentication in the AD forest for an escalation to be possible. If both conditions are met, BloodHound will generate a GoldenCert edge from the computer node to the domain node. Check if there is an outbound GoldenCert edge from the computer node.

 

Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the host that issued the certificate.

 

References

This edge is related to the following MITRE ATT&CK tactic and techniques:

  • https://attack.mitre.org/techniques/T1649/

Abuse and Opsec references

Updated