This article applies to BHCE and BHE


The certificate template "A" is configured to be used as an enrollment agent. The certificate template "B" is configured to allow enrollment by enrollment agents. Both certificate templates are published by an enterprise CA that is trusted for NT authentication and chains up to a root CA for the domain. This enables a principal holding a certificate issued from template "A" to enroll on behalf of other principals for template "B", as long as the enrollment agent restrictions configured on the enterprise CA permit it.



Abuse Info

An attacker may perform an ADCS ESC3 attack that relies on this EnrollOnBehalfOf relationship. This relationship alone is not enough to escalate rights or impersonate other principals.


Opsec Considerations

When an attacker abuses a privilege escalation or impersonation primitive that relies on this relationship, it will necessarily result in the issuance of a certificate. A copy of the issued certificate will be saved on the CA host that issued it.
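As an added example that is not part of the original article, the following Python shows how a defender might review the issuance records kept on the CA host for the on-behalf-of pattern this edge describes, and check each one against the CA's enrollment agent restrictions. It assumes that each issuance record exposes the requesting account, the certificate subject and the template name, and it models the restrictions as allow entries (agent, template, permitted targets) with an empty list meaning the CA does not restrict enrollment agents; all names and records are constructed.

```python
"""Review on-behalf-of certificate issuance against enrollment agent restrictions.

Added example. Assumptions: issuance records expose requester, subject and
template; restrictions are modelled as allow entries only, and an empty
restriction list means the CA does not restrict enrollment agents.
All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Issuance:
    request_id: int
    requester: str  # account that submitted the request (the agent)
    subject: str    # principal the certificate was issued to
    template: str   # certificate template name


@dataclass(frozen=True)
class AgentRestriction:
    agent: str
    template: str
    targets: frozenset  # principals the agent may enroll on behalf of


def is_on_behalf_of(rec):
    """True when the certificate was requested for a different principal."""
    return rec.requester.casefold() != rec.subject.casefold()


def permitted_by_restrictions(rec, restrictions):
    """No entries means unrestricted; otherwise an entry must match
    the agent, the template and the target principal."""
    if not restrictions:
        return True
    return any(
        r.agent.casefold() == rec.requester.casefold()
        and r.template == rec.template
        and rec.subject.casefold() in {t.casefold() for t in r.targets}
        for r in restrictions
    )


def review_issuances(records, restrictions):
    """Return (request_id, verdict) for each on-behalf-of issuance;
    'unexpected' marks the ones a reviewer pulls from the CA database."""
    return [
        (rec.request_id,
         "permitted" if permitted_by_restrictions(rec, restrictions) else "unexpected")
        for rec in records if is_on_behalf_of(rec)
    ]


# Constructed sample data with hypothetical names, not from a real CA.
RESTRICTIONS = [AgentRestriction("CORP\\helpdesk1", "UserOnBehalf",
                                 frozenset({"CORP\\alice", "CORP\\bob"}))]
SAMPLE = [
    Issuance(101, "CORP\\alice", "CORP\\alice", "User"),
    Issuance(102, "CORP\\helpdesk1", "CORP\\alice", "UserOnBehalf"),
    Issuance(103, "CORP\\helpdesk1", "CORP\\da-admin", "UserOnBehalf"),
]

if __name__ == "__main__":
    for rid, verdict in review_issuances(SAMPLE, RESTRICTIONS):
        print(rid, verdict)
```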



This edge is related to the following MITRE ATT&CK tactic and techniques:

  • https://attack.mitre.org/techniques/T1649/

Abuse and Opsec references