altSecurityIdentities and servicePrincipalName attributes. The altSecurityIdentities attribute stores explicit certificate mappings for a principal, while servicePrincipalName can be abused for targeted Kerberoasting.
Abuse Info
Write access to the Public-Information property set can be abused in at least two ways:
- Write access to altSecurityIdentities may enable an ADCS ESC14 Scenario A attack. See WriteAltSecurityIdentities for the certificate requirements, exploitation steps, and cleanup guidance.
- Write access to servicePrincipalName may enable a targeted Kerberoasting attack against a user with a weak password. See WriteSPN for details.
Opsec Considerations
For ADCS ESC14 Scenario A, the affected certificate authority retains a local copy of the issued certificate in its issued certificates store. Defenders may analyze issued certificates to identify illegitimately issued certificates and the principal that requested them. For targeted Kerberoasting, see the WriteSPN opsec considerations.
Edge Schema
Source: User, Group, Computer
Destination: User, Computer
Traversable: Yes
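
Added example, not part of the original page: a defender-side triage of writes to the two attributes named above, complementing the certificate review described under Opsec Considerations. It runs over constructed records shaped like Windows Security Event ID 5136 (a directory service object was modified) and assumes directory service change auditing with a SACL covering these attributes; the account names, DNs, allowlist and one-hour window are hypothetical.

```python
from datetime import datetime, timedelta

WATCHED = {"altsecurityidentities", "serviceprincipalname"}
ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: value added / deleted
EXPECTED_WRITERS = {"svc-provision"}   # assumption: accounts allowed to set these
REVERT_WINDOW = timedelta(hours=1)     # assumption: add + delete this close is notable
SAME = ("ObjectDN", "AttributeLDAPDisplayName", "AttributeValue")

def ev(time, subject, dn, cls, attr, value, op):
    """Build a constructed record shaped like Event ID 5136 EventData."""
    return {"time": datetime.fromisoformat(time), "SubjectUserName": subject,
            "ObjectDN": dn, "ObjectClass": cls, "AttributeLDAPDisplayName": attr,
            "AttributeValue": value, "OperationType": op}

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00", "svc-provision", "CN=web01,DC=example,DC=test",
       "computer", "servicePrincipalName", "HTTP/web01.example.test", ADDED),
    ev("2024-05-01T10:00:00", "jdoe", "CN=alice,DC=example,DC=test",
       "user", "servicePrincipalName", "svc/constructed-value", ADDED),
    ev("2024-05-01T10:05:00", "jdoe", "CN=alice,DC=example,DC=test",
       "user", "servicePrincipalName", "svc/constructed-value", DELETED),
    ev("2024-05-01T11:00:00", "jdoe", "CN=bob,DC=example,DC=test",
       "user", "altSecurityIdentities", "X509:<constructed-mapping>", ADDED),
    ev("2024-05-01T11:30:00", "jdoe", "CN=bob,DC=example,DC=test", "user", "description", "x", ADDED),
]

def triage(events):
    """Return (time, writer, DN, attribute, reasons) for each flagged value add."""
    findings = []
    for e in events:
        attr = e["AttributeLDAPDisplayName"].lower()
        if attr not in WATCHED or e["OperationType"] != ADDED:
            continue
        reasons = []
        if e["SubjectUserName"].lower() not in EXPECTED_WRITERS:
            reasons.append("unexpected-writer")
        if attr == "serviceprincipalname" and e["ObjectClass"] == "user":
            reasons.append("spn-on-user")
        if any(d["OperationType"] == DELETED and all(d[k] == e[k] for k in SAME)
               and timedelta(0) <= d["time"] - e["time"] <= REVERT_WINDOW
               for d in events):
            reasons.append("reverted-quickly")
        if reasons:
            findings.append((e["time"], e["SubjectUserName"], e["ObjectDN"], attr, reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```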