CanAbuseUPNCertMapping

This article applies to BHCE and BHE


This edge is created when BloodHound identifies a domain controller with particular certificate mapping methods configured in the registry. This edge alone is not enough to perform an abuse, but may be part of several other node and edge configurations that create the conditions for abusable ADCS edges.
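The registry settings behind this edge can be checked directly on a domain controller. The script below is an added example for defenders, not BloodHound's own collection code: it reads Schannel's CertificateMappingMethods value (bit 0x4 is UPN mapping, the weak mapping this edge reflects; the documented default is 0x18) and the KDC's StrongCertificateBindingEnforcement value, both described in Microsoft's KB5014754 guidance, and reports them without changing anything. The default of auditing the local machine is an assumption; pass a DC hostname to audit remotely.

```powershell
# Added example (not BloodHound's or SpecterOps' code): read-only audit of the two registry
# values that govern certificate-to-account mapping on a domain controller.
# Key paths and bit meanings come from Microsoft's KB5014754 guidance.
param(
    # Assumption: the local machine is the DC; pass a DC hostname to audit remotely.
    [string]$ComputerName = $env:COMPUTERNAME
)

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$KdcPath      = 'SYSTEM\CurrentControlSet\Services\Kdc'

# Bit meanings of Schannel's CertificateMappingMethods. Default when the value is absent is 0x18.
$MappingBits = [ordered]@{
    0x01 = 'Subject/Issuer'
    0x02 = 'Issuer'
    0x04 = 'UPN'
    0x08 = 'S4U2Self'
    0x10 = 'S4U2Self explicit'
}

# Remote Registry must be reachable on the target for a non-local $ComputerName.
$hklm     = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$schannel = $hklm.OpenSubKey($SchannelPath)
$kdc      = $hklm.OpenSubKey($KdcPath)

$methods = if ($schannel) { $schannel.GetValue('CertificateMappingMethods') } else { $null }
if ($null -eq $methods) { $methods = 0x18 }   # Windows default when the value is not set

$enforcement = if ($kdc) { $kdc.GetValue('StrongCertificateBindingEnforcement') } else { $null }

# Decode the bitmask into the names of the enabled mapping methods.
$enabled = $MappingBits.GetEnumerator() |
    Where-Object { ($methods -band $_.Key) -ne 0 } |
    ForEach-Object { $_.Value }

[pscustomobject]@{
    ComputerName                 = $ComputerName
    CertificateMappingMethods    = ('0x{0:X}' -f $methods)
    EnabledMappings              = ($enabled -join ', ')
    UPNMappingEnabled            = (($methods -band 0x4) -ne 0)   # the condition behind this edge
    StrongCertBindingEnforcement = if ($null -eq $enforcement) { 'not set' } else { $enforcement }
}

if (($methods -band 0x4) -ne 0) {
    Write-Warning "UPN mapping (0x4) is enabled on $ComputerName. Microsoft's documented hardened value is 0x18 (S4U2Self and S4U2Self explicit only)."
}
```

Run it against each DC and compare the output with the CanAbuseUPNCertMapping edges BloodHound reports; clearing the 0x4 bit (restoring 0x18) removes the condition this edge describes, while StrongCertificateBindingEnforcement governs how strictly the KDC binds a certificate to an account.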


Abuse Info

An attacker may perform an ADCS ESC6 or ESC10 attack that relies on this relationship. This relationship alone is not enough to escalate rights or impersonate other principals.


Opsec Considerations

When the affected certificate authority issues the certificate to the attacker, it will retain a local copy of that certificate in its issued certificates store. Defenders may analyze those issued certificates to identify illegitimately issued certificates and identify the principal that requested the certificate, as well as the target identity the attacker is attempting to impersonate.
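The triage described above can be started from the CA database itself. The script below is an added example for analysts, not BloodHound's code: it uses certutil's database view to list issued certificates (Disposition 20), groups the row output into one record per certificate, and flags rows where the SAN UPN names a different account than the requester. The CA configuration string is a placeholder to replace with your CA's "hostname\CA common name", and the requester-to-UPN comparison is a simple heuristic meant to produce a review list, not a verdict.

```powershell
# Added example (not BloodHound's code): enumerate issued certificates on an enterprise CA and
# surface those whose SAN UPN does not match the requesting account, for analyst review.
param(
    # Placeholder: replace with the CA in "hostname\CA common name" form.
    [string]$CAConfig = 'CA-HOST\CA-NAME'
)

# certutil -view queries the CA database; Disposition 20 = issued certificate.
# The -out list uses certutil's database column names.
$lines = certutil -config $CAConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,RequesterName,UPN,CertificateTemplate,NotBefore'

# Group certutil's "Row N:" output into one record per row, keeping "label: value" pairs.
$rows = @()
$current = $null
foreach ($line in $lines) {
    if ($line -match '^Row (\d+):') {
        if ($current) { $rows += $current }
        $current = [ordered]@{}
    } elseif ($current -and $line -match '^\s+(.+?):\s+"?(.*?)"?\s*$') {
        $current[$matches[1]] = $matches[2]
    }
}
if ($current) { $rows += $current }

# Pick a column by a fragment of its display label, since certutil prints display names.
function Get-Column($row, [string]$labelPattern) {
    ($row.GetEnumerator() | Where-Object { $_.Key -like $labelPattern } | Select-Object -First 1).Value
}

foreach ($r in $rows) {
    $requester = Get-Column $r 'Requester*'
    $upn       = Get-Column $r '*Principal*'
    if (-not $upn) { continue }                      # no UPN in the SAN, nothing to compare

    $requesterSam = ($requester -split '\\')[-1]     # DOMAIN\user -> user
    $upnUser      = ($upn -split '@')[0]             # user@domain -> user

    [pscustomobject]@{
        RequestID = Get-Column $r '*Request ID*'
        Requester = $requester
        SANUPN    = $upn
        Template  = Get-Column $r '*Template*'
        Issued    = Get-Column $r '*Not Before*'
        # True when the requester obtained a certificate naming a different identity.
        Mismatch  = ($requesterSam -ne $upnUser)
    }
}
```

Filter the output on Mismatch and review those requests first: a certificate whose requester differs from the UPN it carries is the pattern the paragraph above describes, and the requester name identifies the principal that obtained it.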


References

This edge is related to the following MITRE ATT&CK tactic and techniques:

  • https://attack.mitre.org/techniques/T1649/

Abuse and Opsec references
