Applies to BloodHound Enterprise and CE

The Public-Information property set includes the altSecurityIdentities and servicePrincipalName attributes. The altSecurityIdentities attribute stores explicit certificate mappings for a principal, while servicePrincipalName can be abused for targeted Kerberoasting.

Abuse Info

Write access to the Public-Information property set can be abused in at least two ways:
  1. Write access to altSecurityIdentities may enable an ADCS ESC14 Scenario A attack. See WriteAltSecurityIdentities for the certificate requirements, exploitation steps, and cleanup guidance.
  2. Write access to servicePrincipalName may enable a targeted Kerberoasting attack against a user with a weak password. See WriteSPN for details.
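
To audit which principals hold this write access on an object, the following added example (not BloodHound's own code) parses an object's security descriptor in SDDL form and lists trustees with an explicit allow ACE granting WriteProperty on the Public-Information property set. The sample SDDL and SIDs are constructed, and the property set GUID comes from the Active Directory schema, not from this page.

```python
import re

# Rights GUID of the Public-Information property set in the AD schema
# (an assumption of this example; the page does not list it).
PUBLIC_INFORMATION = "e48d0154-bcf8-11d1-8702-00c04fb96050"
WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP, written "WP" in SDDL

ACE_RE = re.compile(r"\(([^()]*)\)")

def two_letter_codes(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def has_write_prop(rights):
    """True if an SDDL rights field (hex mask or letter codes) includes WP."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_PROP)
    return "WP" in two_letter_codes(rights)

def public_info_writers(sddl):
    """Trustees with an effective object-allow ACE for WP on Public-Information.

    Only explicit "OA" ACEs are reported. Deny ACEs, group membership and
    broader rights such as GenericAll are not evaluated here.
    """
    writers = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        # Inherit-only (IO) ACEs do not apply to the object that carries them.
        if ace_type != "OA" or "IO" in two_letter_codes(flags):
            continue
        if obj_guid.lower() == PUBLIC_INFORMATION and has_write_prop(rights):
            writers.append(trustee)
    return writers

# Constructed sample descriptor; the domain SID and RIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;WP;{PUBLIC_INFORMATION};;{DOM}-1105)"          # reported
    f"(OA;CIIO;WP;{PUBLIC_INFORMATION};;{DOM}-1106)"      # inherit-only, skipped
    f"(OA;;RP;{PUBLIC_INFORMATION};;AU)"                  # read only, skipped
    f"(OD;;WP;{PUBLIC_INFORMATION};;{DOM}-1107)"          # deny, skipped
    f"(OA;;0x30;{PUBLIC_INFORMATION.upper()};;{DOM}-1108)"  # hex mask, reported
    "(A;;GA;;;DA)"                                        # not an object ACE
)

if __name__ == "__main__":
    for sid in public_info_writers(SAMPLE_SDDL):
        print("WriteProperty on Public-Information:", sid)
```
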

Opsec Considerations

For ADCS ESC14 Scenario A, the affected certificate authority retains a local copy of the issued certificate in its issued certificates store. Defenders may analyze issued certificates to identify illegitimately issued certificates and the principal that requested them. For targeted Kerberoasting, see the WriteSPN opsec considerations.

Edge Schema

Source: User, Group, Computer
Destination: User, Computer
Traversable: Yes

References

This edge is related to the following MITRE ATT&CK technique:

Abuse and Opsec references